Re: SSL/TLS again

[Linus Lund <linus@island.liu.se>]

This was not the whole truth though.. My setup:

Server on ldap.server.com (solaris 10)
Client on ldap.client1.com (solaris 10, same machine as server, 
different zone)
Client on ldap.client2.com (solaris 9, different machine)
Ldap software is OpenLDAP 2.2.26, SSL-software is OpenSSL 0.9.7g

ldap.server.com is a virtual interface in the global zone, domainname 
same as the DN in the certificate

ldap.conf is exactly the same on both machines:
TLS_REQCERT never
TLS_CACERT /path/to/ca-certificate.pem

Running ldapsearch -Z -d 7 on ldap.client1.com yields no errors

Running ldapsearch -Z -d 7 on ldap.client2.com yields
LS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=198, written=198
<skipped>
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=0

TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)

Running openssl s_client -connect ldap.server.com:636 on 
ldap.client1.com yields
4687:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
failure:s23_lib.c:226:
and on ldap.client2.com
10826:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake 
failure:s3_pkt.c:529:

using the flag -ssl2 returns
Verify return code: 0 (ok)
on both machines

Running a openssl s_server with same certificates as the ldap server, 
and then using ldapsearch from both clients yiels no (TLS) errors.

I don't know what to try next, could anyone point me in some direction?


Linus Lund wrote:

> Hi!
>
> The problem was in the reversed host lookup. My ldap.example.com was 
> first an alias to another server, so the reversed hostlookup was not 
> pointing to the FQDN of the certificate. With an own entry in the dns 
> for ldap.example.com it works fine.
>
> //L
>
> Linus Lund wrote:
>
> > Hi all,
> >
> > Im trying to get my SSL/TLS things to work with ldap, e.g. I'd like 
> > ldapsearch -H ldaps://ldap.example.com to return entries. This 
> > command works if I execute it on the same machine as the ldap server 
> > resides. But not on an other client!
> >
> > First of all, my configuration:
> > slapd.conf contains
> > TLSCipherSuite HIGH:MEDIUM:+SSLv2:+TLSv1:+SSLv3
> > TLSCACertificateFile /usr/local/etc/openldap/cert/ca-certificate.pem
> > TLSCertificateFile /usr/local/etc/openldap/cert/certificate.pem
> > TLSCertificateKeyFile /usr/local/etc/openldap/cert/ldap.key
> > TLSVerifyClient never
> >
> > ldap.conf (on both machines)
> > TLS_REQCERT never
> > TLS_CACERT /usr/local/etc/openldap/cert2/ca-certificate.pem
> >
> > First I try to search on the "server-computer". This works fine, both 
> > with -H ldaps://ldapserver and -ZZ. I also try to run openssl 
> > s_client -connect ldap.example.com:636, this returns ok.
> >
> > Then I move to the other computer.
> > Running openssl s_client -connect ldap.example.com:636 returns
> > 10097:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
> > failure:s23_lib.c:226:
> >
> > adding -ssl2 to the openssl command lines returns
> > Verify return code: 0 (ok)
> >
> > Running ldapserach -H ldaps://ldap.example.com returns
> > TLS trace: SSL_connect:SSLv3 flush data
> > tls_read: want=5, got=0
> >
> > TLS trace: SSL_connect:failed in SSLv3 read finished A
> > TLS: can't connect.
> >
> > I've alse tried to run openssl s_server with the same certs as the 
> > ldapserver uses on the "servercomputer", then I try to connect with 
> > both ldapsearch and openssl s_client, both works fine!
> >
> > What could make things go wrong here? I'm using exactly the same 
> > configuration, ca-files on both machines. I have the same openssl 
> > version on both machines. I have OpenLDAP 2.2.26 on both machines.
> >
> > Any help would be much appreciated!