
Re: Can't make my LDAP work with SSL...



Thanks for answering. I'm quite lost now, so all ideas are really
welcome.
I have added ":RSA" to the TLSCipherSuite, but it did nothing... A couple
of days ago, as a test, I added a lot of cipher suites, without results.
Now with ":RSA" I get the same messages:

ldapsearch:
ldap_bind: Can't contact LDAP server (81)
        additional info: A TLS packet with unexpected length was received.

slapd:
...
TLS: can't accept.
TLS: No temporary DH parameters were found. (null):0
connection_read(12): TLS accept error error=-1 id=0, closing

openssl s_client -connect xxx.yyy.com:636 -state -showcerts -CAfile /var/lib/ldap-data/cacert.pem
says:
...
SSL_connect:SSLv3 read server certificate A
SSL_connect:failed in SSLv3 read server key exchange A
685:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

It seems as if it could read the "server certificate" but not what it calls the
"server key exchange"...
But I have no idea if this is a problem with the certs, if I have another error
configuring the files, or even if I have a dependency or installation problem on
my system...

As I said before, all the ideas are welcome...
Thanks!


> > Hello all,
> > Sorry for posting another SSL/TLS problem. I've tried and tried to solve
> > this problem myself, but I can't find the solution...
> >
> > I have OpenLDAP 2.1.26-1 on a Debian machine.
> > LDAP works fine in normal mode (port 389) but I can't make it work in
> > SSL/TLS mode.
> > I have created the certificates following the manual
> > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html (this one and
> > others before),
> > entering my FQDN in "common name". I have created certs many times,
> > always getting the same results. I have configured all the files, but I
> > always get the same errors...
> >
> > slapd.conf:
> > TLSCipherSuite HIGH:MEDIUM:+SSLv2
> > TLSCACertificateFile /var/lib/ldap-data/cacert.pem
> > TLSCertificateFile /var/lib/ldap-data/servercrt.pem
> > TLSCertificateKeyFile /var/lib/ldap-data/serverkey.pem
> > TLSVerifyClient demand
> > #TLSVerifyClient never
>
> Just a guess but try appending ":RSA" to the TLSCipherSuite line.
>
> Dave
> --
> Dave Lewney
> Principal Systems Programmer, IT Services
> University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
>
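An added shell checklist for this kind of problem (my own, not code from the thread or from the OpenLDAP project). It covers three things the exchange above leaves open: whether the configured certificate and private key actually belong together, what a TLSCipherSuite string expands to and how many of those suites are ephemeral-DH (the only suites that require DH parameters on the server side, which is what the slapd log above says are missing), and what a full `openssl s_client` handshake reports. The host name and CA path in the probe are placeholders, `make_test_pair` exists only so the checks can be dry-run locally, and the cert/key paths mirror the ones in the original post.

```shell
#!/bin/sh
# Added example, not from the thread. Requires only the OpenSSL CLI.
set -u

# cert_key_match CERT KEY : succeed only if the certificate's public key is the
# public half of KEY. Compares PEM public keys, so it works for any key type.
cert_key_match() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# expand_ciphers STRING : one OpenSSL cipher name per line for a TLSCipherSuite
# value. Prints nothing (and openssl complains on stderr) if the string is invalid.
expand_ciphers() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# count_dh_ciphers STRING : how many suites in STRING use ephemeral DH key
# exchange (DHE-/EDH- names). These need DH parameters loaded on the server;
# a server without them cannot finish the ServerKeyExchange for such a suite.
count_dh_ciphers() {
    expand_ciphers "$1" | grep -c -E '^(DHE|EDH)-' || true
}

# gen_dh_params OUTFILE : generate 2048-bit DH parameters (slow, run once).
gen_dh_params() {
    openssl dhparam -out "$1" 2048
}

# probe_ldaps HOST CAFILE : attempt a full handshake on 636 against the CA
# file slapd is configured with, and show only the lines that matter.
probe_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" -state </dev/null 2>&1 |
        grep -E 'SSL_connect|Cipher is|Verify return code|error'
}

# make_test_pair DIR NAME : throw-away self-signed cert + key for a dry run.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.com" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Typical use against the paths from the post (placeholders, adjust to taste):
#   cert_key_match /var/lib/ldap-data/servercrt.pem /var/lib/ldap-data/serverkey.pem \
#       && echo "cert and key match" || echo "cert and key DO NOT match"
#   count_dh_ciphers 'HIGH:MEDIUM:RSA'
#   probe_ldaps ldap.example.com /var/lib/ldap-data/cacert.pem
```

Run `cert_key_match` first: a certificate regenerated "many times" is easy to pair with a stale key, and that mismatch produces exactly the kind of handshake abort seen in the s_client output, with no useful hint on the client side. Then compare `count_dh_ciphers` for the configured string against a string such as `kRSA` (RSA key exchange only, no DH) to see whether the cipher list is steering the server toward suites it cannot complete.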