
RE: sslv3 alert handshake failure



Thanks for the explanation Howard. 
After looking more carefully at the debugging messages
of slapd, the failure was because slapd can't find the
client's certificate.
So I created .ldaprc, specifying the client cert, and
voila...SASL/EXTERNAL works...

-lara-

--- Howard Chu <hyc@highlandsun.com> wrote:
> Yes, the question has been posted often. So has the answer.
> 
> Port 636 is the default port for ldaps, the nonstandard use of LDAP over SSL.
> 
> StartTLS is for use with plain ldap. You cannot use StartTLS with ldaps.
> 
> Get rid of the PORT 636 directive in your ldap.conf file; this configuration
> cannot work if your server actually has an ldaps listener on port 636.
> 
> From the FAQ-o-Matic - "How do I use TLS/SSL?"
> http://www.openldap.org/faq/data/cache/185.html
> 
> >>>
> 1) LDAP + StartTLS should be directed to a NON-SECURE port (ie; -h
> 'ldap://<hostname><:port>/', where port is usually NOT 636 (SSL))
> 
> The initial connection will be "in the clear", so this should probably be
> done before binding/authenticating. The StartTLS function will send the "TLS
> OID" to the server, which should cause it to do a "context switch", perform
> the TLS handshake, and enable TLS if everything succeeds.
> 
> 2) LDAPS should be directed to an SSL-secured/enabled port (ie; -h
> 'ldaps://<hostname><:port>/', where port can be anything, but is assumed to
> be 636 by default)
> 
> The initial connection should be across an already SSL-enabled connection,
> though data encryption won't be enabled yet. After the SSL handshake is
> performed successfully, both sides will then go into encryption mode.
> 
> Attempting to perform a 'start_tls' function (context switch) on an
> SSL-enabled connection (port), will cause a failure on both sides.
> <<<
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Lara Adianto
> > Sent: Monday, April 12, 2004 5:00 AM
> > To: openldap-software@OpenLDAP.org
> > Subject: sslv3 alert handshake failure
> >
> >
> > Hi guys,
> >
> > I know that this question has been posted quite often,
> > but after trying so many proposed solutions on the
> > net, none of them seems to work for me. I've already
> > turned on -d -1, but no useful hints.
> >
> > The problem is as follows:
> > [root@localhost test-db]# /usr/bin/ldapsearch -x -s base '(objectclass=*)' -H ldap://myserver.com/ -ZZ supportedSASLMechanisms -d 256
> > request 1 done
> > TLS: can't connect.
> > ldap_start_tls: Connect error (91)
> >         additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [root@localhost test-db]#
> >
> > I have followed the openldap SSL/TLS How-To, and I have
> > [root@localhost openldap-data]# openssl s_client -connect myserver.com:636 -state -CAfile /home/user/certs/cacert.pem -cert /home/user/certs/ldap.client.pem -key /home/user/certs/keys/ldap.client.key.pem
> > --> Success result, similar to the result given in the HowTo <--
> >
> > but....
> > [root@localhost bin]# openssl s_client -connect myserver.com:636
> > CONNECTED(00000003)
> > depth=1 /C=SG/ST=Singapore/L=Singapore/O=Laras Com/OU=Laras Unit/CN=laras.com/Email=admin@laras.com
> > verify error:num=19:self signed certificate in certificate chain
> > verify return:0
> > 23529:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1046:SSL alert number 40
> > 23529:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
> > [root@localhost bin]#
> >
> > My slapd.conf:
> > --------------
> > include	/usr/local/etc/openldap/schema/core.schema
> > include	/usr/local/etc/openldap/schema/cosine.schema
> > include	/usr/local/etc/openldap/schema/inetorgperson.schema
> > include	/usr/local/etc/openldap/schema/nis.schema
> > include	/usr/local/etc/openldap/schema/krb5-kdc.schema
> >
> > loglevel	256
> > pidfile		/usr/local/var/slapd.pid
> > argsfile	/usr/local/var/slapd.args
> >
> > database        bdb
> > suffix		"ou=KPrincipals,dc=laras,dc=com"
> > rootdn		"cn=Manager,ou=KPrincipals,dc=laras,dc=com"
> > rootpw		{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > directory	"/var/lib/ldap"
> >
> > # Indices to maintain
> > index	objectClass	eq
> > index   cn		pres,eq
> > index   uid		pres,eq
> >
> > #Specify ciphers
> > TLSCipherSuite HIGH:MEDIUM:+SSLv2
> > TLSCACertificateFile /usr/var/openldap-data/cacert.pem
> > TLSCertificateFile /usr/var/openldap-data/servercrt.pem
> > TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
> >
> > TLSVerifyClient demand
> >
> > access to *
> > 	by sockurl="^ldapi:///$" write
> > 	by * write
> > 	by * auth
> > 	by * read
> >
> > My ldap.conf:
> > -------------
> > HOST laras.com
> > PORT 636
> >
> > TLS_CACERT /home/user/certs/cacert.pem
> > TLS_REQCERT demand
> >
> > What did I do wrong and what does the error mean?
> >
> > Thanks,
> > -lara-
> >


=====
------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
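As an added illustration (not code from the thread or from OpenLDAP), a small Python lint that checks a client ldap.conf/.ldaprc against a slapd.conf for the two mismatches discussed above: PORT 636 combined with an ldap:// URI and StartTLS, and a server with TLSVerifyClient demand while the client configures no certificate; it also flags the +SSLv2 entry in the posted TLSCipherSuite. The functions parse_conf and check_tls_config are hypothetical, and the sample configs are constructed from the ones posted in the thread.

```python
def parse_conf(text):
    """Parse 'KEY value' lines into a dict keyed by upper-cased option name."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_tls_config(client_conf, server_conf, uri, use_starttls):
    """Return a list of findings; an empty list means no known mismatch."""
    c, s = parse_conf(client_conf), parse_conf(server_conf)
    scheme = uri.split("://", 1)[0].lower()
    findings = []
    # StartTLS belongs on the plain ldap listener; PORT 636 aims ldap:// at ldaps.
    if use_starttls and scheme == "ldap" and c.get("PORT") == "636":
        findings.append("PORT 636 with ldap:// and StartTLS: StartTLS on an "
                        "SSL-enabled port fails on both sides")
    if use_starttls and scheme == "ldaps":
        findings.append("StartTLS requested on an ldaps:// URI: not supported")
    # Server demands a client cert the client never presents: TLS alert 40.
    if (s.get("TLSVERIFYCLIENT", "never").lower() == "demand"
            and not ("TLS_CERT" in c and "TLS_KEY" in c)):
        findings.append("TLSVerifyClient demand but client has no TLS_CERT/"
                        "TLS_KEY: expect 'sslv3 alert handshake failure'")
    # Defender's note: SSLv2 ciphers have no place in TLSCipherSuite.
    if "+SSLV2" in s.get("TLSCIPHERSUITE", "").upper():
        findings.append("TLSCipherSuite includes +SSLv2: drop it")
    return findings


# Constructed from the configs posted in the thread; server side as posted.
SERVER_CONF = """TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient demand
"""
BROKEN_CLIENT = """HOST laras.com
PORT 636
TLS_CACERT /home/user/certs/cacert.pem
TLS_REQCERT demand
"""
# The fix from the thread: drop PORT 636 and name the client cert and key
# (TLS_CERT and TLS_KEY are user-only options, so they belong in ~/.ldaprc).
FIXED_CLIENT = """HOST laras.com
TLS_CACERT /home/user/certs/cacert.pem
TLS_REQCERT demand
TLS_CERT /home/user/certs/ldap.client.pem
TLS_KEY /home/user/certs/keys/ldap.client.key.pem
"""
```

Running check_tls_config(BROKEN_CLIENT, SERVER_CONF, "ldap://myserver.com/", True) reports all three findings; with FIXED_CLIENT only the server-side SSLv2 note remains.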


	
		