
Re: TLS error: fatal: protocol version



Greg Matthews wrote:

On Fri, 2004-10-29 at 18:35, Quanah Gibson-Mount wrote:



Okay, well, you might want to upgrade off of 0.9.7c since it has security issues. What is the ldapsearch command you are running when you get this error? I read through your original post, and I don't see that bit of information included...



guess my mail wasn't clear enough. This error occurs when using
tls_checkpeer in the libnss-ldap config file (this would be
/etc/ldap.conf on a redhat box but this is debian), i.e. when validating
the server certificate against the CA cert when doing nss lookups. When
using -ZZ in an ldapsearch, no such error occurs even with the exact
same config in my .ldaprc file pointing at the exact same cert. This
suggests to me that my certs are ok (they've worked for a year or more
in production!). However, as the logs are from the openldap server, this
is an openldap error message and I was hoping someone would know what it
meant.


If you intend for a particular CA cert to be used systemwide then it should be configured in OpenLDAP's ldap.conf file, not in your personal .ldaprc. If the CA cert has not been made available to your nssldap library then that could be part of the problem.

btw, I'm aware of the security risk with openssl 0.9.7c but I am not
immediately concerned. But perhaps the error is due to different
versions of a negotiated protocol?


That's also possible. Since you say that ldapsearch works, what is the likelihood that your nssldap module is actually linked against a different set of libraries from your OpenLDAP commandline tools?

my workaround to the above problem is to turn off tls_checkpeer which is
default behaviour in many distros anyway. Am thinking not many are using
this option and perhaps it is broken.


No, it works fine in the Symas builds at least. Further discussion of nss/pam_ldap config keywords probably belongs elsewhere, but I'll note that in the Symas builds we discourage all use of the SSL/TLS options in the nss/pam config file. Instead we set those options systemwide in the ldap.conf. Anyone running with tls_checkpeer disabled for such a sensitive security service may as well just turn TLS off and ask to be hacked.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
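The two configurations the reply contrasts, as an added example that is not part of the thread and not OpenLDAP or Symas code: a small POSIX shell audit that reads an OpenLDAP ldap.conf or a libnss-ldap/pam_ldap config and reports whether the server certificate will actually be verified. It separates the "tls_checkpeer off" workaround (silently insecure) from the case where verification is wanted but no CA certificate was made available to the client (the case that produces errors instead). The keywords are the documented ones (OpenLDAP: TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT; nss/pam_ldap: tls_checkpeer, tls_cacertfile, tls_cacertdir); the sample file names, the CA path and all sample contents are constructed for this example.

```shell
# Added example, not code from the thread or from OpenLDAP/Symas. Audits an
# ldap.conf-style file for TLS settings that leave the server certificate
# unverified. All file names, sample contents and the CA path are constructed.

# Print "keyword value" pairs with the keyword lower-cased; comment and
# blank lines dropped. Both OpenLDAP's ldap.conf and nss/pam_ldap's config
# use this "KEYWORD value" line format.
ldap_conf_pairs() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk '{ k = tolower($1); $1 = ""; sub(/^[[:space:]]+/, ""); print k, $0 }'
}

# Exit status: 0 = server certificate is verified against a configured CA,
#              1 = verification explicitly disabled (the tls_checkpeer-off workaround),
#              2 = no CA configured at all, so the certificate cannot be validated.
audit_ldap_tls() {
    audit_file=$1
    audit_reqcert=""; audit_checkpeer=""; audit_ca=""
    while read -r audit_key audit_val; do
        case $audit_key in
            tls_reqcert)   audit_reqcert=$(printf '%s' "$audit_val" | tr 'A-Z' 'a-z') ;;
            tls_checkpeer) audit_checkpeer=$(printf '%s' "$audit_val" | tr 'A-Z' 'a-z') ;;
            tls_cacert|tls_cacertdir|tls_cacertfile) audit_ca=$audit_val ;;
        esac
    done <<EOF
$(ldap_conf_pairs "$audit_file")
EOF
    # OpenLDAP side: never/allow/try all let the session proceed without a
    # valid server certificate; only demand/hard (the default is demand) verify.
    case $audit_reqcert in
        never|allow|try)
            echo "$audit_file: TLS_REQCERT $audit_reqcert does not require a valid server certificate"
            return 1 ;;
    esac
    # nss/pam_ldap side: tls_checkpeer no skips verification entirely.
    if [ "$audit_checkpeer" = no ]; then
        echo "$audit_file: tls_checkpeer no disables server certificate verification"
        return 1
    fi
    # Nothing to verify against: a verifying client fails here, which is the
    # symptom to fix by configuring the CA, not by turning verification off.
    if [ -z "$audit_ca" ]; then
        echo "$audit_file: no CA certificate configured; the server certificate cannot be validated"
        return 2
    fi
    echo "$audit_file: server certificate verified against $audit_ca"
    return 0
}

SAMPLE_DIR=$(mktemp -d)

# Constructed: the thread's workaround in a libnss-ldap style file.
cat > "$SAMPLE_DIR/nss-checkpeer-off.conf" <<'EOF'
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
tls_checkpeer no
EOF

# Constructed: an OpenLDAP ldap.conf that accepts any certificate.
cat > "$SAMPLE_DIR/ldap-reqcert-never.conf" <<'EOF'
URI ldap://ldap.example.com/
TLS_REQCERT never
EOF

# Constructed: verification requested, but no CA cert made available to the library.
cat > "$SAMPLE_DIR/nss-no-ca.conf" <<'EOF'
uri ldap://ldap.example.com/
ssl start_tls
tls_checkpeer yes
EOF

# Constructed: the systemwide OpenLDAP ldap.conf the reply recommends, with
# the CA and the verification policy set once for every libldap user.
cat > "$SAMPLE_DIR/ldap-systemwide.conf" <<'EOF'
BASE    dc=example,dc=com
URI     ldap://ldap.example.com/
# constructed CA path
TLS_CACERT  /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
EOF

for f in "$SAMPLE_DIR"/*.conf; do
    audit_ldap_tls "$f" || echo "  -> exit status $?"
done
```

Point the function at the real files on the host (OpenLDAP's ldap.conf and the libnss-ldap/pam_ldap config, whose location differs between Debian and Red Hat as the thread notes). The script only reads configuration; it cannot confirm the other hypothesis in the reply, that the nss module is linked against different libraries than the command-line tools, which needs ldd on the nss_ldap shared object.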