
[SSL/TLS + LDAP] Wrong version number, no shared cipher



Hello!

First of all, I have a Debian woody with openssl 0.9.7, openldap 2.1.23, berkeleyDB 4.1.25.

I would like to use the SSL/TLS support with LDAP.
So I have (re)installed openssl 0.9.7 (with the "shared" option):
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl no-kbr5 shared => ok
make depend => ok
make => ok
make test => ok
make install => ok



After that I created the certificates (http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0) with no problem, except for: # /usr/share/ssl/misc/CA.sh -sign

configuration file routines : N_CONF_get_string : no value : conf_lib.c :328: group=CA_default name = unique_subject

I can create my certificates, and I verify them:
( http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#verify )
They are OK...

Then I try openssl s_server and openssl s_client __with no option__:
# openssl s_server -accept 1982 -cert /usr/local/openldap/var/openldap-data/servercert.pem -key /usr/local/openldap/var/openldap-data/serverkey.pem -debug -bugs
It works!
Protocol: TLSv1


Other test, __with the ssl2 option__:
# openssl s_server -accept 1982 -cert /usr/local/openldap/var/openldap-data/servercert.pem -key /usr/local/openldap/var/openldap-data/serverkey.pem -debug -bugs -ssl2
It works!
Protocol: SSLv2


Other test, __with the ssl3 option__:
# openssl s_server -accept 1982 -cert /usr/local/openldap/var/openldap-data/servercert.pem -key /usr/local/openldap/var/openldap-data/serverkey.pem -debug -bugs -ssl3
It DOESN'T work! :'( (for more than 3 weeks now)
The server says:
"SSL routines : SSL3_GET_RECORD : wrong version number:s3_pkt.c:297"
when I do:
# openssl s_client -connect svrldap.tzm.fr:1982 -CAfile /usr/local/openldap/var/openldap-data/cacert.pem -showcerts -state



Other test, __with the tls1 option__:
# openssl s_server -accept 1982 -cert /usr/local/openldap/var/openldap-data/servercert.pem -key /usr/local/openldap/var/openldap-data/serverkey.pem -debug -bugs -tls1
It DOESN'T work! :'(
The server says:
"SSL routines : SSL3_GET_RECORD : wrong version number:s3_pkt.c:297"
when I do:
# openssl s_client -connect svrldap.tzm.fr:1982 -CAfile /usr/local/openldap/var/openldap-data/cacert.pem -showcerts -state




So, I don't understand...
Why can't I use the tls1 option and the ssl3 option?
The default (no option in the s_server command) is TLSv1, so why, when I ask for tls1 only, doesn't it work???



I tried something else: I start my LDAP server on the 2 ports (389 and 636).

test 1:
ldapsearch -x -b"dc=tzm_fr" -H 'ldap://svrldap.tzm.fr:389'
=> ok

test 2:
ldapsearch -x -b"dc=tzm_fr" -H 'ldap://svrldap.tzm.fr:389' -Z
DOESN'T work!
client: ldap_start_tls: connect error: handshake failure
        ldap_bind: can't contact LDAP server: handshake failure
server: SSL routines : SSL3_GET_CLIENT_HELLO: no shared cipher

test 3:
ldapsearch -x -b"dc=tzm_fr" -H 'ldap://svrldap.tzm.fr:389' -ZZ
DOESN'T work!
client: ldap_start_tls: connect error: handshake failure
server: SSL routines : SSL3_GET_CLIENT_HELLO: no shared cipher

test 4:
ldapsearch -x -b"dc=tzm_fr" -H 'ldaps://svrldap.tzm.fr:636'
DOESN'T work!
client: ldap_start_tls: connect error: handshake failure
server: SSL routines : SSL3_GET_CLIENT_HELLO: no shared cipher




What can it be? What does it mean? I have this in my slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile path/to/servercert.pem
TLSCACertificateFile path/to/Cacert.pem
TLSCertificateKeyFile path/to/key.pem

I tried a lot of cipher suites, but always the same error... :/


Do you have an idea? Because I'm lost!


Did anyone manage to use TLS/SSL with openldap 2.1.23?

Please help me, because SSL/TLS + LDAP is a very big part of my internship..

thanks in advance
Gabrielle

PS : sorry for my english :)

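The two server-side messages in the post come from different stages of the handshake, and the small model below (an added example, not code from the original post or from OpenSSL/OpenLDAP) shows what each one is checking. SSL3_GET_RECORD "wrong version number" is raised by the SSLv3/TLS record layer when the first bytes it reads do not look like a version-3 record header; an SSLv2-compatible ClientHello, which is what an OpenSSL client using the default SSLv23 method sends, starts with a length byte with the high bit set instead, so a server started with -ssl3 or -tls1 only cannot parse it (the usual remedy is to give s_client the same -ssl3 or -tls1 flag, which is an observation about OpenSSL 0.9.x behaviour, not something the post confirms). SSL3_GET_CLIENT_HELLO "no shared cipher" is raised later, when the client's offered suite list and the server's configured list have an empty intersection; the example only models that cipher-list case, and in practice a certificate or key the server cannot use can produce the same message. The two ClientHellos, the cipher-suite name table and the server lists are constructed inline for the demonstration; the record-layer check is a simplification of the real one in ssl/s3_pkt.c.

```python
"""Model of the two OpenSSL server-side checks seen in the post:
record-layer version check (wrong version number) and cipher-suite
intersection (no shared cipher). Constructed example data only."""
import struct

# Small name table for the suite IDs used below (IANA numbers, OpenSSL-style
# names). Pure SSLv2 specs are 24-bit; SSLv3/TLS suites are 16-bit.
SUITE_NAMES = {
    0x0004: "RC4-MD5",
    0x000A: "DES-CBC3-SHA",
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
    0x010080: "RC4-MD5 (SSLv2 spec)",
    0x0700C0: "DES-CBC3-MD5 (SSLv2 spec)",
}


def build_tls_client_hello(version=(3, 1), suites=(0x002F, 0x0035, 0x000A)):
    """SSLv3/TLS-format ClientHello: 5-byte record header, 4-byte handshake
    header, then version, 32-byte random, empty session id, suites, null
    compression. Constructed test data, not a capture."""
    body = struct.pack("!BB", *version) + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    record = b"\x16" + struct.pack("!BBH", version[0], version[1], len(handshake))
    return record + handshake


def build_sslv2_client_hello(version=(3, 1), specs=(0x010080, 0x0700C0, 0x00002F)):
    """SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    CLIENT-HELLO type byte, version, three 2-byte lengths, 3-byte cipher
    specs (0x00XXYY carries an SSLv3/TLS suite), then the challenge."""
    challenge = b"\x22" * 16
    msg = b"\x01" + struct.pack("!BB", *version)
    msg += struct.pack("!HHH", 3 * len(specs), 0, len(challenge))
    msg += b"".join(s.to_bytes(3, "big") for s in specs) + challenge
    return struct.pack("!H", 0x8000 | len(msg)) + msg


def classify_record(data):
    """Distinguish the two wire formats by their first bytes."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2"
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 3:
        return "ssl3"
    return "unknown"


def v3_record_layer_error(data):
    """Simplified SSLv3/TLS record-layer check: the two bytes after the
    content type must be a version with major number 3. For an SSLv2
    hello those bytes are the length low byte and the type byte."""
    if classify_record(data) == "ssl3":
        return None
    got = data[1:3].hex() if len(data) >= 3 else "??"
    return f"SSL3_GET_RECORD: wrong version number (record version bytes {got}, expected 03xx)"


def client_cipher_suites(data):
    """Suite IDs the client offered, in the order sent."""
    fmt = classify_record(data)
    if fmt == "ssl3":
        pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]            # session id length + session id
        n = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        return [struct.unpack("!H", data[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    if fmt == "sslv2":
        spec_len = struct.unpack("!H", data[5:7])[0]
        specs = data[11:11 + spec_len]
        return [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]
    raise ValueError("not a ClientHello")


def shared_ciphers(client_suites, server_suites):
    """Intersection in server preference order; an empty result is what
    SSL3_GET_CLIENT_HELLO reports as 'no shared cipher'."""
    offered = set(client_suites)
    return [s for s in server_suites if s in offered]


def handshake_outcome(hello, server_suites, server_v3_only=True):
    """server_v3_only=True models s_server -ssl3 / -tls1; False models the
    default SSLv23 method, which also understands the SSLv2 hello format."""
    if server_v3_only:
        err = v3_record_layer_error(hello)
        if err:
            return err
    common = shared_ciphers(client_cipher_suites(hello), server_suites)
    if not common:
        return "SSL3_GET_CLIENT_HELLO: no shared cipher"
    return "ok: " + SUITE_NAMES.get(common[0], hex(common[0]))


if __name__ == "__main__":
    tls_hello = build_tls_client_hello()
    v2_hello = build_sslv2_client_hello()
    server = [0x0035, 0x002F]           # constructed server list (e.g. from HIGH:MEDIUM)
    print("v2 hello -> -tls1 server :", handshake_outcome(v2_hello, server))
    print("v2 hello -> SSLv23 server:", handshake_outcome(v2_hello, server, False))
    print("tls hello -> -tls1 server:", handshake_outcome(tls_hello, server))
    print("tls hello -> RC4-only srv:", handshake_outcome(tls_hello, [0x0004]))
```

Running it prints the four outcomes: the SSLv2-format hello is refused at the record layer by the version-restricted server but negotiates AES128-SHA with the SSLv23 one, the TLS-format hello negotiates AES256-SHA, and a server whose list does not overlap the client's ends with "no shared cipher". When debugging a real slapd, `openssl s_client -connect host:636 -cipher <suite>` against the ldaps port, or the same with `-tls1` paired with a `-tls1` s_server, separates the two failure modes in the same way.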