RE: TLS No Go, but SSL OK
Hi Craig,
Start_tls is handled between the ldap client and server at the ldap protocol
level, not the SSL protocol level. It is a way of upgrading an existing ldap
connection to TLS.
When connecting using ldaps: the SSL connection is set up first, then the
ldap connection. With ldap: and start_tls a plaintext ldap connection is
established first, then a start_tls command is issued to upgrade the
connection to TLS. It is meaningless to make assessments about the
functionality of start_tls using the openssl command because all it does is
establish ssl connections. It cannot send the ldap protocol elements needed
to tell slapd to initiate a tls "upgrade".
Also, SSL v3 is functionally equivalent to TLS v1.
Hope this helps...
Matthew Hardin
Symas Corporation
Packaged, certified, and supported LDAP software:
http://www.symas.net/download
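As an added illustration of the point above (example code, not from this thread or from OpenLDAP): the StartTLS "upgrade" is an LDAP extended request carried inside the plaintext port-389 session, so slapd on 389 expects a BER-encoded LDAPMessage as the first bytes, while openssl s_client opens with an SSL/TLS hello, which is why the 389 test fails while 636 works. The block builds that request, parses the server's extended response, classifies what a listener sees first, and shows the upgrade sequence; the hostname, port and cafile parameters are assumptions.

```python
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 2830 / RFC 4511

def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):  # one BER tag-length-value element
    return bytes([tag]) + ber_len(len(payload)) + payload

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    request_name = tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] context-specific, primitive
    ext_req = tlv(0x77, request_name)                         # [APPLICATION 23], constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)    # outer SEQUENCE

def parse_extended_response(data):
    """(messageID, resultCode) from an LDAP ExtendedResponse, or None if it is not one.
    Short-form BER lengths only: a StartTLS response is far below 128 bytes."""
    if data[:1] != b"\x30" or data[2:3] != b"\x02":           # SEQUENCE { INTEGER messageID, ...
        return None
    id_len = data[3]
    msg_id = int.from_bytes(data[4:4 + id_len], "big")
    pos = 4 + id_len
    if data[pos:pos + 1] != b"\x78":                          # [APPLICATION 24] ExtendedResponse
        return None
    pos += 2
    return (msg_id, data[pos + 2]) if data[pos:pos + 1] == b"\x0a" else None  # ENUMERATED resultCode

def classify_first_bytes(data):
    """LDAP BER SEQUENCE, or an SSL/TLS hello (TLS handshake record, or the SSLv2-style hello old s_client sends)."""
    if data[:1] == b"\x30":
        return "ldap"
    is_hello = data[:1] == b"\x16" or (len(data) > 2 and data[0] & 0x80 and data[2] == 0x01)
    return "ssl-hello" if is_hello else "unknown"

def upgrade_to_tls(host, port=389, cafile=None):
    """Live use (not exercised here): plain TCP, StartTLS exchange, then TLS on the same socket."""
    sock = socket.create_connection((host, port))
    sock.sendall(starttls_request())
    parsed = parse_extended_response(sock.recv(4096))
    if parsed is None or parsed[1] != 0:                      # resultCode 0 = success
        raise RuntimeError("server refused StartTLS: %r" % (parsed,))
    ctx = ssl.create_default_context(cafile=cafile)           # verifies the server cert, unlike TLS_REQCERT never
    return ctx.wrap_socket(sock, server_hostname=host)
```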
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-
> software@OpenLDAP.org] On Behalf Of craig jackson
> Sent: Friday, November 14, 2003 12:18 PM
> To: openldap-software@OpenLDAP.org
> Subject: TLS No Go, but SSL OK
>
> Hi,
>
> I'm having a little crazy mystery here. I don't understand why SSL works
> but YLS [ed: assume TLS] doesn't. Please help.
>
> Slapd.conf........
> TLSVerifyClient never
> TLSCACertificateFile /usr/local/etc/openldap/mail.cert
> TLSCertificateFile /usr/local/etc/openldap/mail.cert
> TLSCertificateKeyFile /usr/local/etc/openldap/mail.cert
>
> Ldap.conf........
> ssl start_tls [tried with and without this; no effect.]
> TLS_REQCERT never
>
> Sooo, can anyone explain to me why tls handshake fails but ssl handshake
> is successful?
> I'm using Openldap 2.1.22.
>
> 636 WORKS!
> # /usr/local/ssl/bin/openssl s_client -connect mail.localsurface.com:636 -showcerts -state -CAfile mail.cert
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=0 /C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
> verify return:1
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> ---
> Certificate chain
> 0 s:/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
>   i:/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
> ---
> Server certificate
> subject=/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
> issuer=/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1113 bytes and written 346 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: 23A5DD1F7CA979E9C5A6F01268F82FB9FB9F1A24D58B03CF31D8B472BD784AAE
> Session-ID-ctx:
> Master-Key: AB7D4C5396C4BCFA99541EC66F814B8FB5EE189C738C5F6A973AAE25AA616EA2945CBFC10993673360BEE9A09CD99EF5
> Key-Arg : None
> Start Time: 1068693499
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
>
> 389 TLS DOESN'T WORK!!!
> # /usr/local/ssl/bin/openssl s_client -connect mail.localsurface.com:389 -showcerts -state -CAfile mail.cert
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> 26011:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
>
> I'm going a little crazy here.
>
> Thanks,
> Craig