
RE: TLS No Go, but SSL OK



Hi Craig,

Start_tls is handled between the ldap client and server at the ldap protocol
level, not the SSL protocol level. It is a way of upgrading an existing ldap
connection to TLS.

When connecting using ldaps: the SSL connection is set up first, then the
ldap connection. With ldap: and start_tls a plaintext ldap connection is
established first, then a start_tls command is issued to upgrade the
connection to TLS. It is meaningless to make assessments about the
functionality of start_tls using the openssl command because all it does is
establish ssl connections. It cannot send the ldap protocol elements needed
to tell slapd to initiate a tls "upgrade".

Also, SSL v3 is functionally equivalent to TLS v1. 

Hope this helps...

Matthew Hardin
Symas Corporation
Packaged, certified, and supported LDAP software:
http://www.symas.net/download

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-
> software@OpenLDAP.org] On Behalf Of craig jackson
> Sent: Friday, November 14, 2003 12:18 PM
> To: openldap-software@OpenLDAP.org
> Subject: TLS No Go, but SSL OK
> 
> Hi,
> 
> I'm having a little crazy mystery here. I don't understand why SSL works
> but YLS [ed: assume TLS] doesn't. Please help.
> 
> Slapd.conf........
> TLSVerifyClient never
> TLSCACertificateFile /usr/local/etc/openldap/mail.cert
> TLSCertificateFile /usr/local/etc/openldap/mail.cert
> TLSCertificateKeyFile /usr/local/etc/openldap/mail.cert
> 
> Ldap.conf........
> ssl start_tls [tried with and without this; no effect.]
> TLS_REQCERT never
> 
> Sooo, can anyone explain to me why tls handshake fails but ssl handshake
> is successful?
> I'm using Openldap  2.1.22.
> 
> 636 WORKS!
> # /usr/local/ssl/bin/openssl s_client -connect mail.localsurface.com:636
> -showcerts -state -CAfile mail.cert
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=0
> /C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/ema
> ilAddress=webmaster@localsurface.com
> verify return:1
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> ---
> Certificate chain
> 0
> s:/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/e
> mailAddress=webmaster@localsurface.com
> 
> i:/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/e
> mailAddress=webmaster@localsurface.com
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface
> .com/emailAddress=webmaster@localsurface.com
> issuer=/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.
> com/emailAddress=webmaster@localsurface.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1113 bytes and written 346 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID:
> 23A5DD1F7CA979E9C5A6F01268F82FB9FB9F1A24D58B03CF31D8B472BD784AAE
>     Session-ID-ctx:
>     Master-Key:
> AB7D4C5396C4BCFA99541EC66F814B8FB5EE189C738C5F6A973AAE25AA616EA2945CBFC109
> 93673360BEE9A09CD99EF5
>     Key-Arg   : None
>     Start Time: 1068693499
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> 
> 389 TLS DOESN'T WORK!!!
> # /usr/local/ssl/bin/openssl s_client -connect mail.localsurface.com:389
> -showcerts -state -CAfile mail.cert
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> 26011:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:
> 
> I'm going a little crazy here.
> 
> Thanks,
> Craig
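To make Matthew's point concrete: StartTLS is an LDAP ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) sent over a plaintext LDAP connection on port 389, and only after the server answers with a success ExtendedResponse does the TLS handshake begin on the same socket, which is exactly the step `openssl s_client` cannot perform. The following Python client is an added example, not code from the thread or from OpenLDAP: it builds the StartTLS request by hand, parses the server's ExtendedResponse, and then upgrades the socket while verifying the certificate chain (the thread's `TLS_REQCERT never` disables that verification). The function names and the two sample responses are constructed for illustration.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 / RFC 2830

def _tlv(tag, body):
    """BER TLV; short-form length below 128, long form otherwise."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (
        bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + length + body

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))

def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from an LDAP ExtendedResponse message."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30: raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:                                # [APPLICATION 24] ExtendedResponse
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(op, 0)                # resultCode ENUMERATED
    _, _dn, pos = _read_tlv(op, pos)               # matchedDN LDAPDN
    _, diag, _ = _read_tlv(op, pos)                # diagnosticMessage LDAPString
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

# Constructed sample responses (not captured from the server in the thread).
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")           # resultCode 0 = success
SAMPLE_REFUSED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x78,         # resultCode 53 = unwillingToPerform
    _tlv(0x0A, b"\x35") + _tlv(0x04, b"") + _tlv(0x04, b"TLS not available")))

def probe_starttls(host, port=389, cafile=None, timeout=5):
    """Plaintext LDAP first, StartTLS request, then upgrade the same socket to TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))  # reply is tiny; a full client loops on length
        if code != 0:
            return code, diag
        ctx = ssl.create_default_context(cafile=cafile)        # verifies the chain, unlike TLS_REQCERT never
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return 0, tls.version()
```

Pass the server's CA file as `cafile` when the certificate is self-signed, as in the thread; a non-zero result code with its diagnostic message tells you why slapd refused the upgrade before any TLS bytes are exchanged.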