
sslv3 alert handshake failure



Hi guys,

I know that this question has been posted quite often,
but after trying so many proposed solutions on the
net, none of them seems to work for me. I've already
turned on -d -1, but no useful hints.

The problem is as follows:
[root@localhost test-db]# /usr/bin/ldapsearch -x -s base '(objectclass=*)' -H ldap://myserver.com/ -ZZ supportedSASLMechanisms -d 256
request 1 done
TLS: can't connect.
ldap_start_tls: Connect error (91)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[root@localhost test-db]#

I have followed the openldap SSL/TLS How-To, and I have
[root@localhost openldap-data]# openssl s_client -connect myserver.com:636 -state -CAfile /home/user/certs/cacert.pem -cert /home/user/certs/ldap.client.pem -key /home/user/certs/keys/ldap.client.key.pem
--> Success result, similar to the result given in the HowTo <--

but....
[root@localhost bin]# openssl s_client -connect myserver.com:636
CONNECTED(00000003)
depth=1 /C=SG/ST=Singapore/L=Singapore/O=Laras Com/OU=Laras Unit/CN=laras.com/Email=admin@laras.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
23529:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1046:SSL alert number 40
23529:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
[root@localhost bin]#

My slapd.conf:
--------------
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/nis.schema
include		/usr/local/etc/openldap/schema/krb5-kdc.schema

loglevel	256
pidfile		/usr/local/var/slapd.pid
argsfile	/usr/local/var/slapd.args

database        bdb
suffix		"ou=KPrincipals,dc=laras,dc=com"
rootdn		"cn=Manager,ou=KPrincipals,dc=laras,dc=com"
rootpw		{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx

directory	"/var/lib/ldap"

# Indices to maintain
index	objectClass	eq
index   cn		pres,eq
index   uid		pres,eq

#Specify ciphers
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile	/usr/var/openldap-data/cacert.pem
TLSCertificateFile	/usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile	/usr/var/openldap-data/serverkey.pem

TLSVerifyClient demand

access to *
	by sockurl="^ldapi:///$" write
	by * write
	by * auth
	by * read	

My ldap.conf:
-------------
HOST laras.com
PORT 636

TLS_CACERT /home/user/certs/cacert.pem
TLS_REQCERT demand

What did I do wrong, and what does the error mean?

Thanks,
-lara-

=====
------------------------------------------------------------------------------------
Life, you see, is never as good nor as bad as one believes.
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------

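Added example, not part of the original post and not OpenLDAP code: a Go program that reproduces the two s_client runs quoted above in a single process. It generates a throwaway CA, a server certificate and a client certificate in memory, starts a TLS 1.2 server that demands a CA-signed client certificate (Go's RequireAndVerifyClientCert, the counterpart of TLSVerifyClient demand in slapd.conf), and then connects once with no client certificate and once presenting the CA-issued one. Go's server rejects the missing certificate with a bad_certificate alert, whereas an OpenSSL-based server such as slapd reports the same condition as handshake_failure (alert number 40, as in the output above); in both cases the client's handshake is aborted. The names "Demo CA", ldap.example.test and "ldap client" are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check aborts the demo on a setup error (key generation, certificate issuance).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent with the given EKU and a 127.0.0.1 SAN.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // the demo server listens on loopback
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// handshake serves srvCfg on an ephemeral loopback port, dials it with cliCfg
// and returns the client's handshake error (nil when the handshake completed).
func handshake(srvCfg, cliCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		// The server only drives its half; a failure on its side reaches the
		// client as a fatal TLS alert.
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err
	}
	conn.Close() // a close_notify racing the server's close is not part of the result
	return nil
}

// RunScenario builds the three certificates and runs the two handshakes against
// a server that demands a client certificate. TLS 1.2 is pinned so that the
// rejection arrives inside the handshake, as it does in the s_client output.
func RunScenario() (noClientCert, withClientCert error) {
	ca, caKey := issue("Demo CA", nil, nil, 0)
	srv, srvKey := issue("ldap.example.test", ca, caKey, x509.ExtKeyUsageServerAuth)
	cli, cliKey := issue("ldap client", ca, caKey, x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // TLSVerifyClient demand
		ClientCAs:    pool,                           // TLSCACertificateFile
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	}
	// Both clients trust the CA (TLS_CACERT); only one also carries -cert/-key.
	noCert := &tls.Config{RootCAs: pool, MaxVersion: tls.VersionTLS12}
	withCert := &tls.Config{
		RootCAs: pool, MaxVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}},
	}
	return handshake(srvCfg, noCert), handshake(srvCfg, withCert)
}

func main() {
	noCert, withCert := RunScenario()
	fmt.Println("without client cert:", noCert)
	fmt.Println("with client cert:   ", withCert)
}
```

Running it prints a non-nil error for the first handshake (the server's fatal alert, reported by Go as "remote error: tls: bad certificate") and nil for the second, which is the same split the two s_client invocations above show: the run with -cert and -key succeeds, the run without them is cut off by the server's alert before any application data flows.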