RE: sslv3 alert handshake failure
Thanks for the explanation Howard.
After looking more carefully at the debugging messages
of slapd, the failure was because slapd can't find the
client's certificate.
So I created .ldaprc, specifying the client cert, and
voila...SASL/EXTERNAL works...
-lara-
--- Howard Chu <hyc@highlandsun.com> wrote:
> Yes, the question has been posted often. So has the
> answer.
>
> Port 636 is the default port for ldaps, the
> nonstandard use of LDAP over SSL.
>
> StartTLS is for use with plain ldap. You cannot use
> StartTLS with ldaps.
>
> Get rid of the PORT 636 directive in your ldap.conf file; this configuration
> cannot work if your server actually has an ldaps listener on port 636.
>
> From the FAQ-o-Matic - "How do I use TLS/SSL?"
> http://www.openldap.org/faq/data/cache/185.html
>
> >>>
> 1) LDAP + StartTLS should be directed to a NON-SECURE port (ie; -h
> 'ldap://<hostname><:port>/', where port is usually NOT 636 (SSL))
>
> The initial connection will be "in the clear", so this should probably be
> done before binding/authenticating. The StartTLS function will send the "TLS
> OID" to the server, which should cause it to do a "context switch", perform
> the TLS handshake, and enable TLS if everything succeeds.
>
> 2) LDAPS should be directed to an SSL-secured/enabled port (ie; -h
> 'ldaps://<hostname><:port>/', where port can be anything, but is assumed to
> be 636 by default)
>
> The initial connection should be across an already SSL-enabled connection,
> though data encryption won't be enabled yet. After the SSL handshake is
> performed successfully, both sides will then go into encryption mode.
>
> Attempting to perform a 'start_tls' function (context switch) on an
> SSL-enabled connection (port), will cause a failure on both sides.
> <<<
>
> -- Howard Chu
> Chief Architect, Symas Corp.  Director, Highland Sun
> http://www.symas.com  http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Lara Adianto
> > Sent: Monday, April 12, 2004 5:00 AM
> > To: openldap-software@OpenLDAP.org
> > Subject: sslv3 alert handshake failure
> >
> >
> > Hi guys,
> >
> > I know that this question has been posted quite often,
> > but after trying so many proposed solutions on the
> > net, none of them seems to work for me. I've already
> > turned on -d -1, but no useful hints.
> >
> > The problem is as follows:
> > [root@localhost test-db]# /usr/bin/ldapsearch -x -s base '(objectclass=*)' -H ldap://myserver.com/ -ZZ supportedSASLMechanisms -d 256
> > request 1 done
> > TLS: can't connect.
> > ldap_start_tls: Connect error (91)
> > additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [root@localhost test-db]#
> >
> > I have followed the openldap SSL/TLS How-To, and I have
> > [root@localhost openldap-data]# openssl s_client -connect myserver.com:636 -state -CAfile /home/user/certs/cacert.pem -cert /home/user/certs/ldap.client.pem -key /home/user/certs/keys/ldap.client.key.pem
> > --> Success result, similar to the result given in the HowTo <--
> >
> > but....
> > [root@localhost bin]# openssl s_client -connect myserver.com:636
> > CONNECTED(00000003)
> > depth=1 /C=SG/ST=Singapore/L=Singapore/O=Laras Com/OU=Laras Unit/CN=laras.com/Email=admin@laras.com
> > verify error:num=19:self signed certificate in certificate chain
> > verify return:0
> > 23529:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1046:SSL alert number 40
> > 23529:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
> > [root@localhost bin]#
> >
> > My slapd.conf:
> > --------------
> > include /usr/local/etc/openldap/schema/core.schema
> > include /usr/local/etc/openldap/schema/cosine.schema
> > include /usr/local/etc/openldap/schema/inetorgperson.schema
> > include /usr/local/etc/openldap/schema/nis.schema
> > include /usr/local/etc/openldap/schema/krb5-kdc.schema
> >
> > loglevel 256
> > pidfile /usr/local/var/slapd.pid
> > argsfile /usr/local/var/slapd.args
> >
> > database bdb
> > suffix "ou=KPrincipals,dc=laras,dc=com"
> > rootdn "cn=Manager,ou=KPrincipals,dc=laras,dc=com"
> > rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > directory "/var/lib/ldap"
> >
> > # Indices to maintain
> > index objectClass eq
> > index cn pres,eq
> > index uid pres,eq
> >
> > #Specify ciphers
> > TLSCipherSuite HIGH:MEDIUM:+SSLv2
> > TLSCACertificateFile /usr/var/openldap-data/cacert.pem
> > TLSCertificateFile /usr/var/openldap-data/servercrt.pem
> > TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
> >
> > TLSVerifyClient demand
> >
> > access to *
> > by sockurl="^ldapi:///$" write
> > by * write
> > by * auth
> > by * read
> >
> > My ldap.conf:
> > -------------
> > HOST laras.com
> > PORT 636
> >
> > TLS_CACERT /home/user/certs/cacert.pem
> > TLS_REQCERT demand
> >
> > What did I do wrong, and what does the error mean?
> >
> > Thanks,
> > -lara-
> >
> > =====
> > ------------------------------------------------------------------------------------
> > Life, you see, is never as good nor as bad as one thinks
> > - Guy de Maupassant -
> > ------------------------------------------------------------------------------------
> >
>
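The two mismatches this thread turns on (StartTLS aimed at the ldaps port, and a server demanding a client certificate that the client never configured) can be caught before the handshake fails. The following is an added example, not code from the thread or from OpenLDAP; it lints a client ldap.conf/.ldaprc against the server's slapd.conf TLS directives, using sample configs constructed from the snippets posted above.

```python
# Added example, not OpenLDAP code; sample configs constructed from the thread.

SERVER_CONF = """\
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSVerifyClient demand
"""

CLIENT_CONF = """\
HOST laras.com
PORT 636
TLS_CACERT /home/user/certs/cacert.pem
TLS_REQCERT demand
"""


def parse_conf(text):
    """Map 'KEY value' lines to a dict; keys are case-insensitive in both
    slapd.conf and ldap.conf, so they are upper-cased. Comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip().strip('"')
    return conf


def check_tls(client, server, use_starttls):
    """Return the problems a client would hit running ldapsearch against this
    server, with (-ZZ, use_starttls=True) or without StartTLS."""
    problems = []
    uri = client.get("URI", "").lower()
    # Rule 1: StartTLS only works on a plain ldap:// port; the ldaps listener
    # (port 636 by default) already expects a TLS handshake on connect.
    on_ldaps = uri.startswith("ldaps://") or client.get("PORT") == "636"
    if use_starttls and on_ldaps:
        problems.append("StartTLS aimed at an ldaps endpoint: drop PORT 636 / "
                        "use ldap:// for -ZZ, or use ldaps:// without -ZZ")
    # Rule 2: TLSVerifyClient demand|hard|true makes the server fail the
    # handshake (alert 40) unless the client presents a certificate, which
    # needs TLS_CERT/TLS_KEY; those are user-only options, hence ~/.ldaprc.
    if server.get("TLSVERIFYCLIENT", "never").lower() in ("demand", "hard", "true"):
        if not ("TLS_CERT" in client and "TLS_KEY" in client):
            problems.append("server demands a client cert but TLS_CERT/TLS_KEY "
                            "are not set in ~/.ldaprc")
    return problems
```

Running check_tls on the posted configs with use_starttls=True reports both problems; removing PORT 636 and adding TLS_CERT/TLS_KEY (what the follow-up did via .ldaprc) clears them.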