[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL/TLS problem



Arnaud Fontaine wrote:
Hello,

I tried to configure SSL/TLS (no auth, just with OpenLDAP using this documentation [1] (without TLS/SSL everything works fine). I'm using Debian GNU/Linux on x86, my slapd version is 2.2.23 and openssl 0.9.7e.

So i did the following command in order to generate all the openssl needed files (section 4.2 of the previous document) :

# /usr/lib/ssl/misc/CA.sh -newca # openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem # /usr/lib/ssl/misc/CA.sh -sign # cp demoCA/cacert.pem /etc/ldap/cfg/ssl/cacert.pem # mv newcert.pem /etc/ldap/cfg/ssl/servercrt.pem # mv newreq.pem /etc/ldap/cfg/ssl/serverkey.pem # chmod 400 /etc/ldap/cfg/ssl/serverkey.pem

I added these line to /etc/ldap/slapd.conf : TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSVerifyClient demand TLSCACertificateFile /etc/ldap/cfg/ssl/cacert.pem TLSCertificateFile /etc/ldap/cfg/ssl/servercrt.pem TLSCertificateKeyFile /etc/ldap/cfg/ssl/serverkey.pem

And these lines to /etc/ldap/ldap.conf : TLS_CACERT /etc/ldap/cfg/ssl/cacert.pem TLS_REQCERT demand

Then i did : # /etc/init.d/slapd restart # ldapsearch -ZZ -x -w toto -D "cn=admin,dc=scrappy,dc=mystery-inc" \ -b "ou=personnes,dc=scrappy,dc=mystery-inc" "(ObjectClass=*)"

(this ldapsearch command line worked fine before SSL/TLS)

I got these errors : ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

I found nothing at all about this error on search engines, what could i do in order to solve this embarrassing problem ?

Thanks for your help,

[1] http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0


As explained in
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.3,
you have to create client certificates, and, from
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#5.2.3,
you should try adding in your ~/.ldaprc :

TLS_CERT /full/path/of/your/client.cert.pem
TLS_KEY /full/path/of/your/client.key.pem


-- Pierre-François LAURAND