SSL/TLS
- To: openldap-software@OpenLDAP.org
- Subject: SSL/TLS
- From: Greg Martin <gmartin@gmartin.org>
- Date: Fri, 09 Mar 2007 14:04:57 -0500
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070221 Thunderbird/1.5.0.10 Mnenhy/0.7.4.666
I know there are a lot of questions on this topic and ask for your patience.
I'm trying to figure out how to discern if slapd is properly configured
for SSL/TLS. Reading through the slapd strace output shows that the
cacert & certfile are being opened & read.
slapd v2.3.27
When I look at netstat -an, ports 389 & 636 are listening:
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
slapd.conf:
# Directive names in slapd.conf(5) carry no underscore: TLSCACertificateFile,
# TLSCertificateFile, TLSCertificateKeyFile. Only the client-side ldap.conf(5)
# uses underscored names (TLS_CACERT, TLS_CERT, TLS_KEY).
# "+SSLv2" in an OpenSSL cipher string moves the SSLv2 suites to the end of
# the list; it does not remove them.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
Reading through the strace output shows that the cacert & certfile are
being opened.
ldap.conf
BASE dc=gmartin, dc=org
URI ldap://linux2.gmartin.org
TLS_CACERT /var/data/ca/cacert.pem
ldaprc:
TLS_CACERT /var/data/ca/cacert.pem
When I try ldapsearch or openssl s_client, I receive:
sslv3 alert handshake failure
And using slapd debug I see:
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:97
I checked the FAQ and I think I've looked at everything there. Not sure
where to look next.
\\Greg
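The server-side "no shared cipher" alert is raised whenever slapd cannot settle on a cipher both ends support, and that includes the case where it has loaded no usable certificate and key at all, so before reworking the cipher string it is worth confirming offline that the three files slapd.conf names actually belong together and that the CA the client trusts is the one that signed the server certificate. The script below is an added example, not part of the original post and not OpenLDAP's own tooling; it assumes the OpenSSL command-line tool is installed, the hostname linux2.example.test and the file names under make_test_pki are constructed placeholders, and the real paths from a slapd.conf are passed on the command line.

```sh
#!/bin/sh
# Added example (not from the original post): offline consistency checks for the
# CA cert, server cert and private key that slapd.conf's TLSCACertificateFile,
# TLSCertificateFile and TLSCertificateKeyFile point at. Assumes the OpenSSL CLI.
# make_test_pki() builds throwaway, constructed test material; the hostname
# linux2.example.test is a placeholder, not a real host.

# key_matches_cert CERT KEY: succeeds when the RSA modulus in the private key
# equals the one in the certificate, i.e. the two files belong together.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# cert_signed_by_ca CERT CACERT: succeeds when the CA cert the clients trust
# (TLS_CACERT in ldap.conf) actually chains to the server cert slapd presents.
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_has_name CERT HOST: succeeds when HOST is the subject CN or a DNS SAN.
# ldapsearch compares the URI host against these, so a cert issued to one
# name and served under another fails even when the handshake itself works.
cert_has_name() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | grep -q "CN *= *$2" && return 0
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q "DNS:$2"
}

# tls_probe HOST PORT CACERT: live handshake against a running slapd (ldaps on
# 636); prints the negotiated cipher or the alert. Needs the network, so the
# offline checks above are what a test exercises. The StartTLS equivalent from
# the LDAP side is: ldapsearch -ZZ -H ldap://HOST -x -b '' -s base
tls_probe() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>&1 |
        grep -E 'Cipher is|Verify return code|alert|handshake failure'
}

# make_test_pki DIR: constructed test data - a one-day CA, a server cert it
# signs for linux2.example.test, and an unrelated key that must NOT match it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=linux2.example.test" \
        -keyout "$1/ldap1key.pem" -out "$1/ldap1.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$1/ldap1.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -out "$1/ldap1cert.pem" 2>/dev/null || return 1
    openssl genrsa -out "$1/otherkey.pem" 2048 2>/dev/null
}

# Stand-alone use against real files: sh check_slapd_tls.sh CACERT CERT KEY [HOST]
if [ "$#" -ge 3 ]; then
    key_matches_cert "$2" "$3"  && echo "ok: key matches cert"  || echo "FAIL: key does not match cert"
    cert_signed_by_ca "$2" "$1" && echo "ok: cert chains to CA" || echo "FAIL: CA does not verify cert"
    if [ -n "$4" ]; then
        cert_has_name "$2" "$4" && echo "ok: cert names $4" || echo "FAIL: cert does not name $4"
    fi
fi
```

Run it with the CA file, certificate and key a slapd.conf points at, plus the hostname that appears in the client's URI; a failure in the first two checks means slapd has nothing coherent to present regardless of the cipher list, while a failure in the third surfaces only after the handshake, as a certificate verification error on the client rather than as "no shared cipher".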