Re: SSL/TLS again
This was not the whole truth though. My setup:
Server on ldap.server.com (solaris 10)
Client on ldap.client1.com (solaris 10, same machine as server,
different zone)
Client on ldap.client2.com (solaris 9, different machine)
Ldap software is OpenLDAP 2.2.26, SSL-software is OpenSSL 0.9.7g
ldap.server.com is a virtual interface in the global zone, domainname
same as the DN in the certificate
ldap.conf is exactly the same on both machines:
TLS_REQCERT never
TLS_CACERT /path/to/ca-certificate.pem
Running ldapsearch -Z -d 7 on ldap.client1.com yields no errors
Running ldapsearch -Z -d 7 on ldap.client2.com yields
LS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=198, written=198
<skipped>
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=0
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
Running openssl s_client -connect ldap.server.com:636 on
ldap.client1.com yields
4687:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:
and on ldap.client2.com
10826:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:529:
using the flag -ssl2 returns
Verify return code: 0 (ok)
on both machines
Running an openssl s_server with the same certificates as the ldap server,
and then using ldapsearch from both clients yields no (TLS) errors.
I don't know what to try next, could anyone point me in some direction?
Linus Lund wrote:
Hi!
The problem was in the reverse host lookup. My ldap.example.com was
first an alias to another server, so the reverse host lookup was not
pointing to the FQDN of the certificate. With its own entry in the DNS
for ldap.example.com it works fine.
//L
Linus Lund wrote:
Hi all,
I'm trying to get my SSL/TLS things to work with ldap, e.g. I'd like
ldapsearch -H ldaps://ldap.example.com to return entries. This
command works if I execute it on the same machine the ldap server
resides on. But not on another client!
First of all, my configuration:
slapd.conf contains
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+TLSv1:+SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cert/ca-certificate.pem
TLSCertificateFile /usr/local/etc/openldap/cert/certificate.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/ldap.key
TLSVerifyClient never
ldap.conf (on both machines)
TLS_REQCERT never
TLS_CACERT /usr/local/etc/openldap/cert2/ca-certificate.pem
First I try to search on the "server-computer". This works fine, both
with -H ldaps://ldapserver and -ZZ. I also try to run openssl
s_client -connect ldap.example.com:636, this returns ok.
Then I move to the other computer.
Running openssl s_client -connect ldap.example.com:636 returns
10097:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:
adding -ssl2 to the openssl command lines returns
Verify return code: 0 (ok)
Running ldapsearch -H ldaps://ldap.example.com returns
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=0
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
I've also tried to run openssl s_server with the same certs as the
ldapserver uses on the "servercomputer", then I try to connect with
both ldapsearch and openssl s_client, both work fine!
What could make things go wrong here? I'm using exactly the same
configuration and ca-files on both machines. I have the same openssl
version on both machines. I have OpenLDAP 2.2.26 on both machines.
Any help would be much appreciated!
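The mismatch Linus describes above (an alias name whose reverse lookup yields a different FQDN than the one in the certificate) can be checked before touching ldap.conf. The script below is an added example, not code from the thread or from OpenLDAP: diagnose() compares the requested name, the canonical name from the forward lookup and the PTR names with the names in the certificate (SAN DNS entries plus the subject CN, single-label wildcards allowed), and diagnose_live() gathers those inputs from DNS and a real TLS connection, using the same CA file as TLS_CACERT. The hostnames in the constructed example are assumptions.

```python
import socket
import ssl

def cert_hostnames(cert: dict) -> list[str]:
    """Names a server certificate is valid for: SAN DNS entries plus the subject CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for (key, value) in rdn if key == "commonName")
    return names

def name_matches(hostname: str, cert_names: list[str]) -> bool:
    """Case-insensitive exact match, or a single-label wildcard such as *.example.com."""
    host = hostname.lower().rstrip(".")
    for pattern in (p.lower().rstrip(".") for p in cert_names):
        if pattern == host:
            return True
        if pattern.startswith("*.") and host.split(".", 1)[1:] == [pattern[2:]]:
            return True
    return False

def diagnose(requested: str, canonical: str, reverse_names: list[str], cert_names: list[str]) -> list[str]:
    """List every name a client may compare against the certificate that does not fit it."""
    findings = []
    if not name_matches(requested, cert_names):
        findings.append(f"requested name {requested!r} is not in the certificate {cert_names}")
    if canonical != requested and not name_matches(canonical, cert_names):
        findings.append(f"forward lookup maps {requested!r} to {canonical!r}, which is not in the certificate")
    for name in reverse_names:
        if not name_matches(name, cert_names):
            findings.append(f"reverse lookup gives {name!r}, which is not in the certificate")
    return findings

def diagnose_live(hostname: str, cafile: str, port: int = 636) -> list[str]:
    """Same check against a real server (needs DNS and network; cafile is the TLS_CACERT file)."""
    canonical, _aliases, addrs = socket.gethostbyname_ex(hostname)
    reverse_names = []
    for addr in addrs:
        try:
            reverse_names.append(socket.gethostbyaddr(addr)[0])
        except socket.herror:
            reverse_names.append(f"<no PTR for {addr}>")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the chain is still verified; the name comparison is done by diagnose()
    with ctx.wrap_socket(socket.create_connection((hostname, port)), server_hostname=hostname) as tls:
        cert = tls.getpeercert()
    return diagnose(hostname, canonical, reverse_names, cert_hostnames(cert))

if __name__ == "__main__":
    # Constructed case mirroring the thread: ldap.example.com is an alias for real.example.com,
    # whose PTR record names the real server, while the certificate only carries ldap.example.com.
    print(diagnose("ldap.example.com", "real.example.com", ["real.example.com"], ["ldap.example.com"]))
```

An empty list from diagnose() means every name the client can end up with is covered by the certificate; each finding names the DNS record (forward or PTR) that has to be fixed, or the name that has to be added to the certificate.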