Hello all,
Sorry for posting another SSL/TLS problem. I've tried and tried to solve this problem myself, but I can't find the solution... I have OpenLDAP 2.1.26-1 on a Debian machine.
LDAP works fine in normal mode (port 389), but I can't make it work in SSL/TLS mode. I have created the certificates following the manual http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html (this one and others before), entering my FQDN in "common name". I have created certs many times, always getting the same results. I have configured all the files, but I always get the same errors...

slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/lib/ldap-data/cacert.pem
TLSCertificateFile /var/lib/ldap-data/servercrt.pem
TLSCertificateKeyFile /var/lib/ldap-data/serverkey.pem
TLSVerifyClient demand
#TLSVerifyClient never

ldap.conf:
URI ldap://xxx.yyy.com ldaps://xxx.yyy.com
BASE dc=yyy,dc=com
TLS_CACERT /var/lib/ldap-data/cacert.pem
TLS_REQCERT demand
#TLS_REQCERT never

.ldaprc in user's home directory:
TLS_REQCERT demand
TLS_CERT /home/users/certs/ldap.client.pem
TLS_KEY /home/users/certs/ldap.client.key.pem

but when I try
openssl s_client -connect xxx.yyy.com:636 -state -showcerts -CAfile /var/lib/ldap-data/cacert.pem

I get:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ES/ST=Madrid/L=Madrid/O=TresPassos/OU=Testing/CN=xxx.yyy.com/emailAddress=bartolo@localhost
verify return:1
depth=0 /C=ES/ST=Madrid/L=Madrid/O=Lambda/OU=Ventisca/CN=xxx.yyy.com/emailAddress=ldap@yyy.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:failed in SSLv3 read server key exchange A
11075:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

and slapd says:

0360: 01 01 04 05 00 03 81 81 00 1d 10 ca ae f6 7a 44 ..............zD
0370: 4e d1 ff e9 de 0c fb 4a 0a a2 0d c2 6f 55 ee 22 N......J....oU."
0380: df 00 91 c4 58 00 39 95 ad 61 93 5e 09 28 f3 98 ...X.9..a.^.(..
0390: f3 de c1 0a 49 3a 4c 5c 48 7c b4 4f a6 e4 a2 4e ....I:L\H|.O...N
03a0: 8c a0 69 33 87 f7 b3 b9 e4 39 0f d3 dd fd 28 bc .i3.....9....(.
03b0: 63 83 d7 3b 91 28 ff c5 cd d9 f8 cd a0 53 8c 18 c..;.(.......S..
03c0: 5a c0 3d 27 76 57 08 6c a5 39 fe bb 01 28 1f 8b Z.='vW.l.9...(..
03d0: 89 61 9e 44 dc c2 32 42 67 c9 3e 60 1d c9 a0 81 a.D..2Bg.>`....
03e0: df 64 83 ca 2d 50 cf 48 0f d..-P.H.
TLS: can't accept.
TLS: No temporary DH parameters were found. (null):0
connection_read(12): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=12 for close
connection_close: conn=1 sd=12
daemon: removing 12
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

And when I try ldapsearch:

ldapsearch -b "ou=people,dc=yyy,dc=com" -LLL -D "cn=admin,dc=yyy,dc=com" -H "ldaps://xxx.yyy.com/" -W -x
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (81)
        additional info: A TLS packet with unexpected length was received.

I can't find a solution for this error. It would be great if someone could help me. Thanks to all.
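Added example, not part of the post and not OpenLDAP's own code: a small Python audit that parses the slapd.conf TLS directives quoted above, flags the settings a reviewer would question (the `+SSLv2` cipher-suite token, an ephemeral-DH-capable cipher suite with no DH parameter file, `TLSVerifyClient demand` and what it requires of clients), and pulls the failing handshake state out of the `openssl s_client -state` transcript. The sample inputs are the directives and transcript from the post, embedded as constructed strings; `TLSDHParamFile` is the directive that slapd.conf(5) documents in later OpenLDAP releases for ephemeral DH parameters, and it is an assumption, not something the post confirms, that the poster's 2.1.26 build would honour it.

```python
"""
Added audit helper (not from the post or the OpenLDAP project): lint the TLS
directives of a slapd.conf and locate where an `openssl s_client -state`
handshake stopped. Directive names follow slapd.conf(5); TLSDHParamFile is
the directive later OpenLDAP releases use for ephemeral DH parameters, and
whether OpenLDAP 2.1.26 honours it is an assumption.
"""
import re

# Constructed sample input: the directives quoted in the post (xxx.yyy.com is a placeholder host).
SAMPLE_SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/lib/ldap-data/cacert.pem
TLSCertificateFile /var/lib/ldap-data/servercrt.pem
TLSCertificateKeyFile /var/lib/ldap-data/serverkey.pem
TLSVerifyClient demand
#TLSVerifyClient never
"""

# Constructed sample input: the `openssl s_client -state` lines quoted in the post.
SAMPLE_SCLIENT = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:failed in SSLv3 read server key exchange A
11075:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
"""

# Cipher-string tokens that, when not negated, select ephemeral Diffie-Hellman suites.
DHE_SELECTORS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "DH", "EDH", "DHE", "KEDH", "KDHE"}
# Tokens that, written as "!X", permanently remove ephemeral DH suites.
DHE_KILLERS = {"DH", "EDH", "DHE", "KEDH", "KDHE"}


def parse_directives(text):
    """Map lower-cased directive name -> value; lines starting with '#' are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def cipher_suite_selects_dhe(suite):
    """Heuristic over OpenSSL cipher-string syntax: a '!X' token removes X for good,
    otherwise any DHE selector keeps ephemeral DH suites enabled.
    `openssl ciphers -v '<suite>'` gives the authoritative list."""
    tokens = [t.strip() for t in suite.split(":") if t.strip()]
    if any(t.startswith("!") and t[1:].upper() in DHE_KILLERS for t in tokens):
        return False
    return any(t.lstrip("+").upper() in DHE_SELECTORS for t in tokens)


def lint_slapd_tls(conf_text):
    """Return a list of (code, message) findings for the TLS directives of a slapd.conf."""
    d = parse_directives(conf_text)
    findings = []
    suite = d.get("tlsciphersuite", "")
    if re.search(r"(^|:)\+?SSLv2($|:)", suite, re.IGNORECASE):
        findings.append(("SSLV2_ENABLED",
                         "TLSCipherSuite enables SSLv2 cipher suites; SSLv2 is obsolete and should not be offered."))
    if cipher_suite_selects_dhe(suite) and "tlsdhparamfile" not in d:
        findings.append(("DH_PARAMS_MISSING",
                         "Cipher suite allows ephemeral DH but no DH parameter file is configured, so the "
                         "server has nothing to send in ServerKeyExchange "
                         "(matches 'TLS: No temporary DH parameters were found')."))
    if "tlscertificatefile" in d and "tlscertificatekeyfile" not in d:
        findings.append(("SERVER_KEY_MISSING", "TLSCertificateFile is set without TLSCertificateKeyFile."))
    if d.get("tlsverifyclient", "never").lower() == "demand":
        findings.append(("CLIENT_CERT_REQUIRED",
                         "TLSVerifyClient demand: every client must present a certificate chaining to "
                         "TLSCACertificateFile, so ldap.conf/.ldaprc need TLS_CERT and TLS_KEY."))
    return findings


def handshake_failure_stage(sclient_output):
    """Return the handshake state in which `openssl s_client -state` reported failure,
    or None if the transcript has no 'SSL_connect:failed in' line."""
    for line in sclient_output.splitlines():
        m = re.match(r"SSL_connect:failed in (.+)$", line.strip())
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    for code, msg in lint_slapd_tls(SAMPLE_SLAPD_CONF):
        print(f"[{code}] {msg}")
    print("handshake failed in:", handshake_failure_stage(SAMPLE_SCLIENT))
```

Run against the quoted configuration, the DH finding lines up with the two symptoms in the post: slapd logs that no temporary DH parameters were found, and `s_client` stops at "read server key exchange", the message in which a server negotiating a DHE suite would carry its DH parameters. The cipher-string check is a heuristic; when in doubt, list what the string actually enables with `openssl ciphers -v`.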