[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL/TLS problem

To: Arnaud Fontaine <arnaud@andesi.org>
Subject: Re: SSL/TLS problem
From: Pierre-Francois LAURAND <francois.laurand@univ-tours.fr>
Date: Tue, 24 May 2005 11:46:17 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <874qctv49y.fsf@velma.mini-dweeb.org>
Organization: Universite de Tours - UFR Sciences - IUP de Blois
References: <874qctv49y.fsf@velma.mini-dweeb.org>
User-agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8b) Gecko/20050412

Arnaud Fontaine wrote:

Hello,
I tried to configure SSL/TLS (no auth, just with OpenLDAP using this documentation [1] (without TLS/SSL everything works fine). I'm using Debian GNU/Linux on x86, my slapd version is 2.2.23 and openssl 0.9.7e.

So i did the following command in order to generate all the openssl needed files (section 4.2 of the previous document) :

# /usr/lib/ssl/misc/CA.sh -newca # openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem # /usr/lib/ssl/misc/CA.sh -sign # cp demoCA/cacert.pem /etc/ldap/cfg/ssl/cacert.pem # mv newcert.pem /etc/ldap/cfg/ssl/servercrt.pem # mv newreq.pem /etc/ldap/cfg/ssl/serverkey.pem # chmod 400 /etc/ldap/cfg/ssl/serverkey.pem

I added these line to /etc/ldap/slapd.conf : TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSVerifyClient demand TLSCACertificateFile /etc/ldap/cfg/ssl/cacert.pem TLSCertificateFile /etc/ldap/cfg/ssl/servercrt.pem TLSCertificateKeyFile /etc/ldap/cfg/ssl/serverkey.pem

And these lines to /etc/ldap/ldap.conf : TLS_CACERT /etc/ldap/cfg/ssl/cacert.pem TLS_REQCERT demand

Then i did : # /etc/init.d/slapd restart # ldapsearch -ZZ -x -w toto -D "cn=admin,dc=scrappy,dc=mystery-inc" \ -b "ou=personnes,dc=scrappy,dc=mystery-inc" "(ObjectClass=*)"
(this ldapsearch command line worked fine before SSL/TLS)
I got these errors : ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

I found nothing at all about this error on search engines, what could i do in order to solve this embarrassing problem ?
Thanks for your help,
[1] http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0

As explained in
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.3,
you have to create client certificates, and, from
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#5.2.3,
you should try adding in your ~/.ldaprc :

TLS_CERT /full/path/of/your/client.cert.pem
TLS_KEY /full/path/of/your/client.key.pem


--
Pierre-François LAURAND

References:
- SSL/TLS problem
  - From: Arnaud Fontaine <arnaud@andesi.org>

Prev by Date: Re: slapd stopped listening to network
Next by Date: Re: slapd stopped listening to network
Index(es):
- Chronological
- Thread