
RE: sslv3 alert handshake failure



Yes, the question has been posted often. So has the answer.

Port 636 is the default port for ldaps, the nonstandard use of LDAP over SSL.

StartTLS is for use with plain ldap. You cannot use StartTLS with ldaps.

Get rid of the PORT 636 directive in your ldap.conf file; this configuration
cannot work if your server actually has an ldaps listener on port 636.

From the FAQ-o-Matic - "How do I use TLS/SSL?"
http://www.openldap.org/faq/data/cache/185.html

>>>
1) LDAP + StartTLS should be directed to a NON-SECURE port (ie; -h
'ldap://<hostname><:port>/', where port is usually NOT 636 (SSL))

The initial connection will be "in the clear", so this should probably be
done before binding/authenticating. The StartTLS function will send the "TLS
OID" to the server, which should cause it to do a "context switch", perform
the TLS handshake, and enable TLS if everything succeeds.

2) LDAPS should be directed to an SSL-secured/enabled port (ie; -h
'ldaps://<hostname><:port>/', where port can be anything, but is assumed to
be 636 by default)

The initial connection should be across an already SSL-enabled connection,
though data encryption won't be enabled yet. After the SSL handshake is
performed successfully, both sides will then go into encryption mode.

Attempting to perform a 'start_tls' function (context switch) on an
SSL-enabled connection (port), will cause a failure on both sides.
<<<

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
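An added illustration of the rule Howard states above (not code from the thread or from OpenLDAP): a small checker that resolves the port a client URI will land on and classifies the StartTLS/ldaps combination. It assumes libldap's behaviour that a PORT directive in ldap.conf supplies the default port for a URI that carries no explicit port, which is how the poster's `ldap://myserver.com/ -ZZ` ended up on the ldaps listener.

```python
from urllib.parse import urlsplit

LDAP_PORT, LDAPS_PORT = 389, 636


def effective_port(uri, conf_port=None):
    """Resolve the port a libldap-style client would connect to.

    An explicit port in the URI wins. Otherwise a PORT directive from
    ldap.conf applies (assumption about client defaults, see lead-in),
    and only then the scheme default (389 for ldap, 636 for ldaps).
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme in {uri!r}")
    if parts.port is not None:
        return parts.port
    if conf_port is not None:
        return conf_port
    return LDAPS_PORT if parts.scheme == "ldaps" else LDAP_PORT


def check_tls_setup(uri, starttls, conf_port=None):
    """Classify a client URI plus StartTLS choice against the FAQ rules.

    Returns one of: 'ok-starttls', 'ok-ldaps', 'starttls-on-ldaps-uri',
    'starttls-on-ssl-port', 'plain-ldap'.
    """
    scheme = urlsplit(uri).scheme
    port = effective_port(uri, conf_port)
    if scheme == "ldaps":
        # The StartTLS extended operation cannot be issued over a socket
        # that is already SSL/TLS: the FAQ calls this a failure on both sides.
        return "starttls-on-ldaps-uri" if starttls else "ok-ldaps"
    if not starttls:
        return "plain-ldap"
    if port == LDAPS_PORT:
        # ldap:// with -ZZ, but the socket lands on the ldaps listener:
        # the two ends disagree about whether TLS is already running,
        # and the client sees a handshake failure instead of a StartTLS reply.
        return "starttls-on-ssl-port"
    return "ok-starttls"


if __name__ == "__main__":
    # The poster's configuration: ldap:// URI, -ZZ, and PORT 636 in ldap.conf.
    print(check_tls_setup("ldap://myserver.com/", True, 636))
```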

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Lara Adianto
> Sent: Monday, April 12, 2004 5:00 AM
> To: openldap-software@OpenLDAP.org
> Subject: sslv3 alert handshake failure
>
>
> Hi guys,
>
> I know that this question has been posted quite often,
> but after trying so many proposed solutions on the
> net, none of them seems to work for me. I've already
> turned on -d -1, but no useful hints.
>
> The problem is as follows:
> [root@localhost test-db]# /usr/bin/ldapsearch -x -s base '(objectclass=*)' -H ldap://myserver.com/ -ZZ supportedSASLMechanisms -d 256
> request 1 done
> TLS: can't connect.
> ldap_start_tls: Connect error (91)
>         additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> [root@localhost test-db]#
>
> I have followed the openldap SSL/TLS How-To, and I
> have [root@localhost openldap-data]# openssl s_client
> -connect myserver.com:636 -state -CAfile
> /home/user/certs/cacert.pem -cert
> /home/user/certs/ldap.client.pem -key
> /home/user/certs/keys/ldap.client.key.pem
> --> Success result, similar to the result given in the HowTo <--
>
> but....
> [root@localhost bin]# openssl s_client -connect myserver.com:636
> CONNECTED(00000003)
> depth=1 /C=SG/ST=Singapore/L=Singapore/O=Laras
> Com/OU=Laras Unit/CN=laras.com/Email=admin@laras.com
> verify error:num=19:self signed certificate in
> certificate chain
> verify return:0
> 23529:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1046:SSL alert number 40
> 23529:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
> [root@localhost bin]#
>
> My slapd.conf:
> --------------
> include	/usr/local/etc/openldap/schema/core.schema
> include	/usr/local/etc/openldap/schema/cosine.schema
> include	/usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/krb5-kdc.schema
>
> loglevel	256
> pidfile		/usr/local/var/slapd.pid
> argsfile	/usr/local/var/slapd.args
>
> database        bdb
> suffix		"ou=KPrincipals,dc=laras,dc=com"
> rootdn		"cn=Manager,ou=KPrincipals,dc=laras,dc=com"
> rootpw		{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx
>
> directory	"/var/lib/ldap"
>
> # Indices to maintain
> index	objectClass	eq
> index   cn		pres,eq
> index   uid		pres,eq
>
> #Specify ciphers
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /usr/var/openldap-data/cacert.pem
> TLSCertificateFile /usr/var/openldap-data/servercrt.pem
> TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
>
> TLSVerifyClient demand
>
> access to *
> 	by sockurl="^ldapi:///$" write
> 	by * write
> 	by * auth
> 	by * read
>
> My ldap.conf:
> -------------
> HOST laras.com
> PORT 636
>
> TLS_CACERT /home/user/certs/cacert.pem
> TLS_REQCERT demand
>
> What did I do wrong and what does the error mean?
>
> Thanks,
> -lara-
>
> =====
> --------------------------------------------------------------
> ----------------------
> Life, you see, is never as good or as bad as one thinks
>
>           - Guy de Maupassant -
> --------------------------------------------------------------
> ----------------------
>
>