
Fwd: Re: TLS secure connection to an LDAP server



Ldapsearch (ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636) to s_server (openssl s_server -debug -accept 636 -state -cert /path/to/ldap_srv_cert.pem -key /path/to/ldap_srv_key.key -CAfile /path/to/ca.pem) works fine.
But, when I run my ldap server (slapd -d5 -h "ldap:/// ldaps:///") and I try testing s_client connection to it, I get these error messages:

From the s_client output:
------------------------
  SSL_connect:SSLv2/v3 write client hello A
  ...
  ...
  SSL3 alert read:fatal:handshake failure
  SSL_connect:error in SSLv2/v3 read server hello A
  2151:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:

From the slapd debug output:
---------------------------
  TLS trace: SSL_accept:before/accept initialization
  TLS trace: SSL3 alert write:fatal:handshake failure
  TLS trace: SSL_accept:error in SSLv3 read client hello B
  TLS trace: SSL_accept:error in SSLv3 read client hello B
  TLS: can't accept.
  TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
  connection_read(8): TLS accept error error=-1 id=0, closing
  connection_closing: readying conn=0 sd=8 for close
  connection_close: conn=0 sd=8

Ldapsearch to slapd:
-------------------
When I run "ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636" I get:

  TLS trace: SSL_connect:SSLv2/v3 write client hello A
  tls_read: want=7, got=7
    .....
  TLS trace: SSL3 alert read:fatal:handshake failure
  TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
  TLS: can't connect.
  ldap_perror
  ldap_bind: Can't contact LDAP server (81)
          additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
====================================================

I didn't set any TLSCipherSuite into the slapd.conf
file. I also didn't set any value to the tls_ciphers
into the /etc/ldap.conf file.

I would appreciate any suggestion.
Thanks to you all.

--- fatima riadi <ftmriadi@yahoo.fr> wrote:
> Hi all,
> 
> --- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> > Have you gotten s_client to work with s_server? If
> > not, there is no reason to expect OpenLDAP Software to
> > work.
> 
> I've gotten s_client to work with s_server.
> 
> Here is a sample of my s_server debug output:
> 
>   Using default temp DH parameters
>   ACCEPT
>   SSL_accept:before/accept initialization
>   ....
>   SSL_accept:SSLv3 read client hello A
>   ....
>   SSL_accept:SSLv3 write server hello A
>   ....
>   SSL_accept:SSLv3 write key exchange A
>   ....
>   SSL_accept:SSLv3 write server done A
>   SSL_accept:SSLv3 flush data
>   ....
>   SSL_accept:SSLv3 write finished A
>   SSL_accept:SSLv3 flush data
>   ....
> 
> ======================================================
> And this is a part of my s_client output:
> 
>   SSL_connect:SSLv3 read server certificate A
>   SSL_connect:SSLv3 read server key exchange A
>   SSL_connect:SSLv3 read server done A
>   SSL_connect:SSLv3 write client key exchange A
>   SSL_connect:SSLv3 write change cipher spec A
>   SSL_connect:SSLv3 write finished A
>   SSL_connect:SSLv3 flush data
>   SSL_connect:SSLv3 read finished A
>   ---
>   Certificate chain
>   ...
>   ...
>   ...
>   -----END CERTIFICATE-----
>   ---
>   Server certificate
>   ---
>   No client certificate CA names sent
>   ---
>   SSL handshake has read 2043 bytes and written 276 bytes
>   ---
>   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>   Server public key is 1024 bit
>   SSL-Session:
>       Protocol  : TLSv1
>       Cipher    : DHE-RSA-AES256-SHA
>       Session-ID: xxxxxxxxxxxxxxxxxx  
>       Session-ID-ctx:
>       Master-Key: xxxxxxxxxxxxxxx
>       Key-Arg   : None
>       Krb5 Principal: None
>       Start Time: 1111619531
>       Timeout   : 300 (sec)
>       Verify return code: 0 (ok)
>   ---
> ====================================================
> However, s_client's connection to my ldap server
> still fails.
> 
> What may I do to solve this problem please?
> 
> Thanks
> 
> 


	

	
		
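The two traces in this message show the same failure from opposite ends: slapd logs "SSL3 alert write:fatal:handshake failure" together with the real reason ("no shared cipher"), while s_client and ldapsearch only log "SSL3 alert read:fatal:handshake failure", because a TLS alert carries no explanation. The helper below is an added example, not code from this thread, from OpenLDAP or from OpenSSL. It parses OpenSSL-style error strings (error:<code>:<library>:<function>:<reason>) out of debug output, works out whether the logging side sent or received the fatal alert, and from that says whose log holds the root cause. The sample traces are constructed from the lines quoted above, and the two reason explanations are general OpenSSL knowledge, not something the thread states.

```python
import re

# OpenSSL error strings (0.9.x/1.0.x style) look like
#   error:<8 hex digits>:<library>:<function>:<reason>[:<file>:<line>:]
# Some programs append the source location with a space instead of a colon,
# e.g. "... no shared cipher s3_srvr.c:882", so the reason is cleaned afterwards.
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:\n]+):(?P<func>[^:\n]+):(?P<reason>[^:\n]+)"
)
SOURCE_SUFFIX = re.compile(r"\s+\S+\.c$")

# The side that sends a fatal alert traces "SSL3 alert write:...";
# the side that receives it traces "SSL3 alert read:...".
ALERT = re.compile(r"SSL3 alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>[^\n]+)")

# Constructed sample traces modelled on the slapd and s_client output in the thread.
SLAPD_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
connection_read(8): TLS accept error error=-1 id=0, closing
"""

S_CLIENT_TRACE = """\
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
2151:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
"""

# Meaning of the two reasons seen in the thread (general OpenSSL knowledge, not from the page).
KNOWN_REASONS = {
    "no shared cipher": (
        "the server rejected the ClientHello: none of the cipher suites the client offered "
        "is usable, because the two cipher lists do not intersect or because the server has "
        "no key/certificate of the type those suites require"
    ),
    "sslv3 alert handshake failure": (
        "the peer aborted the handshake with a fatal alert; the alert carries no reason, "
        "so the root cause is in the peer's log"
    ),
}


def parse_openssl_errors(text):
    """Return every OpenSSL error string in `text` as a dict of its fields."""
    errors = []
    for m in OPENSSL_ERR.finditer(text):
        fields = m.groupdict()
        # Drop a trailing "s3_srvr.c"-style source file glued onto the reason.
        fields["reason"] = SOURCE_SUFFIX.sub("", fields["reason"]).strip()
        errors.append(fields)
    return errors


def alert_direction(text):
    """'sent' if this side wrote the fatal alert, 'received' if it read one, else None."""
    m = ALERT.search(text)
    if m is None:
        return None
    return "sent" if m.group("dir") == "write" else "received"


def diagnose(text):
    """Combine the alert direction and the error reasons into a short verdict."""
    errors = parse_openssl_errors(text)
    direction = alert_direction(text)
    return {
        "alert": direction,
        # The side that sends the fatal alert is the one that made the decision,
        # so its log holds the real reason; the receiver only sees "handshake failure".
        "root_cause_here": direction == "sent",
        "errors": errors,
        "explanation": [
            KNOWN_REASONS.get(e["reason"], "unrecognised reason: " + e["reason"])
            for e in errors
        ],
    }


if __name__ == "__main__":
    for name, trace in (("slapd", SLAPD_TRACE), ("s_client", S_CLIENT_TRACE)):
        verdict = diagnose(trace)
        print(f"{name}: alert {verdict['alert']}, root cause here: {verdict['root_cause_here']}")
        for err in verdict["errors"]:
            print(f"  {err['code']} {err['func']}: {err['reason']}")
        for line in verdict["explanation"]:
            print(f"  -> {line}")
```

Run against the two sample traces, the slapd side comes out as "alert sent, root cause here" with the reason "no shared cipher", and the s_client side as "alert received", which is the signal to stop reading the client output and look at the server's -d5 log instead.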