Re: TLS server side auth problem
I still haven't made any progress on this. No one
replied to my post below; is this because:
- no one knows
- my post is not appropriate in some way
- I'm a berk for not spotting something obvious :)
I can't move forward with our LDAP rollout until this
is resolved - does anyone have any suggestions?
Pete.
--- peter pan <lanwanhr@yahoo.com> wrote:
> I'm planning to use our replicated LDAP directory for
> user authentication purposes soon. Because of this I
> want to ensure all slurpd's communication with the
> slave LDAP servers is encrypted.
>
> I'm having a problem with getting TLS communications
> working. I have followed the instructions using
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
> but cannot get ldapsearch -ZZ to work without a client
> certificate (which I don't want to use).
>
> If I put the serverkey and servercert in the .ldaprc
> file (I know this is for the client certs but as a
> test..) then ldapsearch -ZZ -x -h <FQDN> works. If I
> take them out of .ldaprc it fails:
>
> [root@test root]# ldapsearch -ZZ -x -H ldap://test.mydomain.com
> ldap_start_tls: Connect error
> additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> slapd shows:
>
> TLS trace: SSL3 alert write:fatal:handshake failure
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS: can't accept.
> TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:772
> connection_read(16): TLS accept error error=-1 id=8, closing
>
> The openssl s_client test also fails:
>
> [root@test root]# openssl s_client -connect 192.168.0.1:ldap -showcerts -state -CAfile /etc/openldap/cacert.pem
>
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> 9521:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
>
> Maybe because I'm connecting to the normal ldap port
> (not sure if openssl is valid for the ldap port, maybe
> only TLS with start_tls?)
>
> If I repeat the openssl s_client test on ldaps:
>
> [root@test root]# openssl s_client -connect 192.168.0.1:ldaps -showcerts -state -CAfile /etc/openldap/cacert.pem
>
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv2/v3 read server hello A
> 9758:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:455:
>
> Slightly different. Using the FQDN instead of IP makes
> no difference.
>
> If I put the certs in .ldaprc the openssl test works
> with IP:ldaps but not IP:ldap (I assume this is normal).
>
> I'm using openldap 2.0.27 on RedHat 7.2 (using the
> 2.0.27-2.7.3 rpm).
>
> Don't understand why specifying a client cert (the
> same as the server's as this is all the same box)
> works. There's no TLSVerifyClient in my slapd.conf or
> anything.
>
> Any help appreciated.
>
> Pete
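A triage helper, added here as an example and not part of the thread or of OpenLDAP: it decodes the `error:<code>:...` strings quoted above using the pre-3.0 OpenSSL error packing and separates a failure the library raised locally from a fatal alert merely received from the peer, which is why the server's `no shared cipher` line, not the client's `sslv3 alert handshake failure`, is the place to start. The sample logs are the thread's own slapd and ldapsearch output, re-joined where the mail wrapped them.

```python
import re

# Pre-3.0 OpenSSL ERR_PACK layout: 8-bit library | 12-bit function | 12-bit reason
# (OpenSSL 3.x packs its codes differently, so the numeric split is for the old format).
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:\n]*?)(?:[ :](?P<file>[\w./-]+):(?P<line>\d+))?:?\s*$"
)
ERR_LIB_SSL = 0x14           # library number of the SSL library
SSL_AD_REASON_OFFSET = 1000  # SSL reason >= 1000 means "peer sent alert (reason - 1000)"
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
               70: "protocol_version", 71: "insufficient_security"}

def decode_openssl_error(line):
    """Decode the OpenSSL error on one log line; None if the line carries no error code."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    info = {"code": code, "lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "func_name": m.group("func"),
            "reason_text": m.group("reason"), "origin": "local"}
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        alert = info["reason"] - SSL_AD_REASON_OFFSET
        # Not a local failure: this side merely received the peer's fatal alert.
        info.update(origin="peer", alert=alert, alert_name=ALERT_NAMES.get(alert, "unknown"))
    return info

def triage(server_log, client_log):
    """Pair the server's own failure with the alert the client saw and name the root-cause side."""
    server = [e for e in map(decode_openssl_error, server_log.splitlines()) if e]
    client = [e for e in map(decode_openssl_error, client_log.splitlines()) if e]
    local = [e for e in server if e["origin"] == "local"]
    peer = [e for e in client if e["origin"] == "peer"]
    if not peer:
        return {"root_cause_side": "client" if client else "unknown"}
    # The client's "sslv3 alert handshake failure" only echoes the server's fatal alert;
    # the server's own reason (here "no shared cipher") is where to start looking.
    return {"root_cause_side": "server", "client_alert": peer[0]["alert_name"],
            "reason": local[0]["reason_text"] if local else "not in the supplied server log"}

# Constructed sample: the slapd and ldapsearch output quoted in the thread, re-joined.
SLAPD_LOG = """TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:772
connection_read(16): TLS accept error error=-1 id=8, closing"""
LDAPSEARCH_LOG = """ldap_start_tls: Connect error
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure"""
```

Running `triage(SLAPD_LOG, LDAPSEARCH_LOG)` points at the server side with reason `no shared cipher`, the line to chase before touching any client certificate settings.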