
Re: SSL/TLS again



This was not the whole truth though. My setup:

Server on ldap.server.com (solaris 10)
Client on ldap.client1.com (solaris 10, same machine as server, different zone)
Client on ldap.client2.com (solaris 9, different machine)
LDAP software is OpenLDAP 2.2.26, SSL software is OpenSSL 0.9.7g


ldap.server.com is a virtual interface in the global zone, domainname same as the DN in the certificate

ldap.conf is exactly the same on both machines:
TLS_REQCERT never
TLS_CACERT /path/to/ca-certificate.pem

Running ldapsearch -Z -d 7 on ldap.client1.com yields no errors

Running ldapsearch -Z -d 7 on ldap.client2.com yields
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=198, written=198
<skipped>
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=0

TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)

Running openssl s_client -connect ldap.server.com:636 on ldap.client1.com yields
4687:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
and on ldap.client2.com
10826:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:


Using the flag -ssl2 returns
Verify return code: 0 (ok)
on both machines

Running an openssl s_server with the same certificates as the ldap server, and then using ldapsearch from both clients, yields no (TLS) errors.

I don't know what to try next, could anyone point me in some direction?


Linus Lund wrote:

Hi!

The problem was in the reverse host lookup. My ldap.example.com was first an alias to another server, so the reverse host lookup was not pointing to the FQDN of the certificate. With its own entry in the DNS for ldap.example.com it works fine.

//L

Linus Lund wrote:

Hi all,

I'm trying to get my SSL/TLS things to work with ldap, e.g. I'd like ldapsearch -H ldaps://ldap.example.com to return entries. This command works if I execute it on the same machine as the ldap server resides on. But not on another client!

First of all, my configuration:
slapd.conf contains
TLSCipherSuite HIGH:MEDIUM:+SSLv2:+TLSv1:+SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cert/ca-certificate.pem
TLSCertificateFile /usr/local/etc/openldap/cert/certificate.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/ldap.key
TLSVerifyClient never

ldap.conf (on both machines)
TLS_REQCERT never
TLS_CACERT /usr/local/etc/openldap/cert2/ca-certificate.pem

First I try to search on the "server-computer". This works fine, both with -H ldaps://ldapserver and -ZZ. I also try to run openssl s_client -connect ldap.example.com:636, this returns ok.

Then I move to the other computer.
Running openssl s_client -connect ldap.example.com:636 returns
10097:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


Adding -ssl2 to the openssl command line returns
Verify return code: 0 (ok)

Running ldapsearch -H ldaps://ldap.example.com returns
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=0

TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.

I've also tried to run openssl s_server with the same certs as the ldapserver uses on the "servercomputer", then I try to connect with both ldapsearch and openssl s_client, and both work fine!

What could make things go wrong here? I'm using exactly the same configuration and CA files on both machines. I have the same openssl version on both machines. I have OpenLDAP 2.2.26 on both machines.

Any help would be much appreciated!
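The diagnosis in this thread (ldap.example.com being a CNAME to another host, so the PTR record for the address names a host that is not in the certificate) can be checked before touching the LDAP client. The script below is an added example, not part of the thread or of OpenLDAP; the DNS records, address 192.0.2.10/11 and certificate names are constructed to model the broken and the fixed setup.

```python
import ipaddress

# Constructed records modelling the broken setup from the thread:
# ldap.example.com is an alias (CNAME) for another host, and the PTR
# for that host's address names the real host, not the certificate name.
BROKEN_FORWARD = {
    "ldap.example.com": "real-host.example.com",   # CNAME
    "real-host.example.com": "192.0.2.10",         # A record
}
BROKEN_REVERSE = {"192.0.2.10": "real-host.example.com"}  # PTR record

# Constructed records modelling the fix: ldap.example.com gets its own
# A record and a matching PTR record.
FIXED_FORWARD = {"ldap.example.com": "192.0.2.11"}
FIXED_REVERSE = {"192.0.2.11": "ldap.example.com"}

CERT_NAMES = {"ldap.example.com"}   # subject CN / SAN of the server cert


def resolve(name, forward):
    """Follow a CNAME chain in the constructed table until an address appears.
    Returns None for an unknown name or a CNAME loop."""
    seen = set()
    while name not in seen:
        seen.add(name)
        target = forward.get(name)
        if target is None:
            return None
        try:
            ipaddress.ip_address(target)
            return target          # reached an A record
        except ValueError:
            name = target          # CNAME: keep following
    return None


def reverse_name_matches_cert(hostname, forward, reverse, cert_names):
    """Does the PTR name for hostname's address appear in the certificate?
    Returns (ok, reason) so the mismatch can be reported, not just detected."""
    addr = resolve(hostname, forward)
    if addr is None:
        return False, "no address found for %s" % hostname
    ptr = reverse.get(addr)
    if ptr is None:
        return False, "no PTR record for %s" % addr
    if ptr in cert_names:
        return True, "%s -> %s -> %s matches the certificate" % (hostname, addr, ptr)
    return False, "PTR %s for %s is not among certificate names %s" % (
        ptr, addr, sorted(cert_names))
```

Against live DNS the same check is done with the system resolver (forward lookup of the hostname, then a PTR lookup of the returned address) and the names read from the server certificate.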