Fwd: Re: TLS secure connection to an LDAP server
Ldapsearch (ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636) to s_server (openssl s_server -debug -accept 636 -state -cert /path/to/ldap_srv_cert.pem -key /path/to/ldap_srv_key.key -CAfile /path/to/ca.pem) works fine.
But, when I run my LDAP server (slapd -d5 -h "ldap:/// ldaps:///") and I try testing an s_client connection to it, I get these error messages:
From the s_client output:
------------------------
SSL_connect:SSLv2/v3 write client hello A
...
...
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
2151:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
From the slapd debug output:
---------------------------
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
connection_read(8): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=8 for close
connection_close: conn=0 sd=8
Ldapsearch to slapd:
-------------------
When I run "ldapsearch -d3 -x -H ldaps://ldap_srv.domain.com:636" I get:
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
.....
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
====================================================
I didn't set any TLSCipherSuite in the slapd.conf file. I also didn't set any value for tls_ciphers in the /etc/ldap.conf file.
I would appreciate any suggestion.
Thanks to you all.
--- fatima riadi <ftmriadi@yahoo.fr> wrote:
> Hi all,
>
> --- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> > Have you gotten s_client to work with s_server? If not,
> > there is no reason to expect OpenLDAP Software to work.
>
> I've gotten s_client to work with s_server.
>
> Here is a sample of my s_server debug output:
>
> Using default temp DH parameters
> ACCEPT
> SSL_accept:before/accept initialization
> ....
> SSL_accept:SSLv3 read client hello A
> ....
> SSL_accept:SSLv3 write server hello A
> ....
> SSL_accept:SSLv3 write key exchange A
> ....
> SSL_accept:SSLv3 write server done A
> SSL_accept:SSLv3 flush data
> ....
> SSL_accept:SSLv3 write finished A
> SSL_accept:SSLv3 flush data
> ....
>
> ======================================================
> And this is a part of my s_client output:
>
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> ---
> Certificate chain
> ...
> ...
> ...
> -----END CERTIFICATE-----
> ---
> Server certificate
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2043 bytes and written 276
> bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID: xxxxxxxxxxxxxxxxxx
> Session-ID-ctx:
> Master-Key: xxxxxxxxxxxxxxx
> Key-Arg : None
> Krb5 Principal: None
> Start Time: 1111619531
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
> ====================================================
> However, s_client's connection to my ldap server still fails.
>
> What may I do to solve this problem please?
>
> Thanks
>
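As an added example (not code from the thread or from OpenLDAP), the Python below parses the OpenSSL trace lines of the kind shown above from both sides and works out which side sent the fatal alert, in which handshake state, and with which OpenSSL error reason. The sample traces are constructed to mirror the thread's s_client and slapd -d5 output, and the hint text for "no shared cipher" is assumed wording of my own rather than anything the list said.

```python
import re
# OpenSSL error-string layout: error:<8 hex>:<library>:<function>:<reason>[:<file>:<line>:]
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:\n]+):([^:\n]+):([^:\n]+)")
# State-machine lines, e.g. "SSL_accept:error in SSLv3 read client hello B"
STATE_RE = re.compile(r"(SSL_accept|SSL_connect):(error in )?(.+)$")
# Alert lines: "write" means this side generated the alert, "read" that it received one
ALERT_RE = re.compile(r"SSL3 alert (read|write):(\w+):(.+)$")
# Advice keyed on the reason string; assumed wording, not taken from the thread
HINTS = {
    "no shared cipher": "server found no cipher suite usable with the client's list; "
                        "confirm TLSCertificateFile/TLSCertificateKeyFile are loaded and "
                        "that any TLSCipherSuite overlaps the client's ciphers",
}
# Constructed sample traces modelled on the s_client and slapd -d5 output in the thread
SAMPLE_CLIENT = """\
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
2151:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
"""
SAMPLE_SERVER = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:882:
"""

def parse_errors(trace):
    """Split each OpenSSL error string into its code, library, function and reason."""
    return [dict(code=c, lib=l, func=f, reason=r.strip()) for c, l, f, r in ERR_RE.findall(trace)]

def handshake_states(trace):
    """Return (api, state, failed) for every state-machine line in the trace."""
    hits = (STATE_RE.search(line) for line in trace.splitlines())
    return [(m.group(1), m.group(3).strip(), m.group(2) is not None) for m in hits if m]

def sent_alert(trace):
    """True if this side wrote (originated) a TLS alert rather than only reading one."""
    return any(m.group(1) == "write" for m in map(ALERT_RE.search, trace.splitlines()) if m)

def diagnose(client_trace, server_trace):
    """Name the side that aborted, the state it was in, and the OpenSSL reason it logged."""
    sides = {"client": client_trace, "server": server_trace}
    origin = next((s for s, t in sides.items() if sent_alert(t)), None)
    if origin is None:
        return {"alert_from": None, "failed_state": None, "reason": None, "hint": "no alert seen"}
    failed = [st for _, st, bad in handshake_states(sides[origin]) if bad]
    errors = parse_errors(sides[origin])
    reason = errors[0]["reason"] if errors else None
    return {"alert_from": origin, "failed_state": failed[0] if failed else None,
            "reason": reason, "hint": HINTS.get(reason, "no specific hint")}
```

Running diagnose(SAMPLE_CLIENT, SAMPLE_SERVER) attributes the abort to the server while it was reading the ClientHello, which is why the client only ever sees a generic "handshake failure" alert.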