
Problem: LDAP + SSL/TLS



Hello !

I am trying to use SSL/TLS with LDAP... but it doesn't work (for 3 weeks now.. O_o)

So, you are my last chance...
These are the versions, commands and errors I use and receive.

Does anyone have an idea??
I have made and remade my certificate again and again, read and followed a lot of docs.. but I always get the same errors..
Please help me...


Big Thanks in advance
Gabrielle

PS: Sorry for my English. I'm French.




1) Versions -------------

openldap : openldap 2.1.23
openssl : openssl 0.9.7d


2) Flags for compilation --------------------------

$>export CPPFLAGS="-I/usr/local/BerkeleyDB4.1/include -I/usr/local/openssl/include" LDFLAGS="-L/usr/local/BerkeleyDB4.1/lib -L/usr/local/openssl/lib"
$>./configure --with-tls --with-cyrus-sasl



3) Compilation time --------------------

checking for openssl/ssl.h ... yes
checking for ssl.h ... yes
checking for SSLeay_add_ssl_algorithms in -lssl... no
checking for SSL_library_init in -lssl... yes


4) My docs -----------

I followed the OpenLDAP TLS/SSL howto,
this one: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
and a lot of others...


5) Tests with openssl ----------------------

$>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
459:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:





$>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem -ssl2


SSL_connect:error in SSLv2 read server hello B
462:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
462:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:935:
462:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509
462:error:1407E00B:SSL routines:SSL2_SET_CERTIFICATE:X509 lib:s2_clnt.c:1049:





$>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem -ssl3


SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
463:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
463:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:



6) Server debug output after each command ------------------------------------------------

($>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem -ssl2)

TLS trace: SSL_accept:failed in SSLv2 read client master key A
TLS: can't accept.
TLS: error:1406B0C9:SSL routines:GET_CLIENT_MASTER_KEY:peer error certificate s2_pkt.c:675
connection_read(13): TLS accept error error=-1 id=0, closing




($>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem -ssl3)

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:887
connection_read(13): TLS accept error error=-1 id=1, closing



($>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem)


TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:887
connection_read(13): TLS accept error error=-1 id=3, closing
connection_closing: readying conn=3 sd=13 for close
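The two symptoms in the traces point at the certificate material rather than at the handshake itself: the -ssl2 run shows the client failing to decode what the server sent as its certificate ("ASN1 ... bad object header ... Type=X509"), and the SSLv3/TLS runs end in "no shared cipher", which is what an OpenSSL server reports when it has no usable certificate/key pair loaded and therefore cannot offer any RSA suite. The script below is an added example, not code from the original post or from the OpenLDAP project; it checks the files slapd is pointed at (TLSCACertificateFile, TLSCertificateFile, TLSCertificateKeyFile) step by step with the same openssl CLI used above. It assumes the openssl binary is on PATH and uses constructed throwaway certificates and a deliberately corrupt PEM as input; the file names and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files slapd is
# pointed at before debugging the handshake. Function and file names are assumptions.

# check_tls_material CACERT SERVERCERT SERVERKEY
# Prints one diagnosis and returns non-zero at the first failing step.
check_tls_material() {
  cacert=$1; cert=$2; key=$3

  # Step 1: the certificate must be a parseable X.509 PEM. A client that reports
  # "ASN1 ... header too long ... Type=X509" was handed bytes that are not one.
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
    || { echo "cert does not parse"; return 1; }

  # Step 2: the private key must be a parseable, internally consistent RSA key.
  openssl rsa -in "$key" -noout -check >/dev/null 2>&1 \
    || { echo "key does not parse"; return 2; }

  # Step 3: certificate and key must share the same RSA modulus. A server that
  # cannot load a matching pair offers no RSA suite, and the client gets
  # "no shared cipher" / alert 40 as in the traces above.
  cert_mod=$(openssl x509 -in "$cert" -noout -modulus | openssl md5)
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl md5)
  [ "$cert_mod" = "$key_mod" ] \
    || { echo "cert/key mismatch"; return 3; }

  # Step 4: the chain must verify against the CA file the client is given via -CAfile.
  openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 \
    || { echo "chain does not verify"; return 4; }

  echo "ok"
}

# make_test_material DIR: constructed test data, not real deployment files:
# a throwaway CA, a server cert it signed, an unrelated CA and key, and a
# PEM whose body is valid base64 but not DER (like the broken-cert symptom).
make_test_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test LDAP CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$dir/other.key" -out "$dir/other_ca.pem" >/dev/null 2>&1
  # "bm90IGEgY2VydA==" decodes to the ASCII string "not a cert".
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'bm90IGEgY2VydA==' \
    '-----END CERTIFICATE-----' > "$dir/broken.pem"
}

# Demo: the good pair plus the three failure modes the checks distinguish.
d=$(mktemp -d)
make_test_material "$d"
for case in "server.pem server.key ca.pem" \
            "broken.pem server.key ca.pem" \
            "server.pem other.key ca.pem" \
            "server.pem server.key other_ca.pem"; do
  set -- $case
  printf '%-11s + %-11s vs %-13s: ' "$1" "$2" "$3"
  check_tls_material "$d/$3" "$d/$1" "$d/$2" || true
done
rm -rf "$d"
```

Run it as-is to see the four outcomes, then call check_tls_material with the real paths from slapd.conf; whichever step fails first is the thing to fix before retrying openssl s_client. Only once it prints "ok" is the handshake trace worth reading further.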

