[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL/TLS

To: greg.martin18@verizon.net
Subject: Re: SSL/TLS
From: Greg Martin <gmartin@gmartin.org>
Date: Fri, 09 Mar 2007 23:48:14 -0500
Cc: openldap-software@openldap.org
In-reply-to: <45F1AFD9.1000604@gmartin.org>
References: <45F1AFD9.1000604@gmartin.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070221 Thunderbird/1.5.0.10 Mnenhy/0.7.4.666

Sorry for the long post, but I resolved most of this. It was all configuration detail. There were two things happening:

I was using:
TLS_CACertificateFile
TLS_CertificateFile
TLS_CertificateKeyFile
(Note the extra underscore)

not:
TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile

I guess I got ldap.conf & slapd.conf directives confused. When I ran slapd in -d 255 I found that mistake.

Second:
I had the following in slapd.conf & ldap.conf
TLSCipherSuite DHE-RSA-AES256-SHA
(which I cut & pasted from 'openssl cipers')

replaced it with TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP It's still not clear to me what the syntax should be. Trying to translate the openssl -v ciphers into what's mention in the manpage doesn't help me much. But I can be dense.

So a couple questions that don't need answers: - would there be value in making the slapd.conf & ldap.conf TLS directives align? - Should slaptest report the bad TLS directives?

And one more. In the man page for slapd, there is this explanation for the -h option -h URLlist slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option may be used to specify LDAP (and other scheme) URLs to serve. For example, if slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,

The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. should that say something like:

"will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389?"

I've dropped all this in my blog at: http://linux2.gmartin.org:82/tiki/tiki-view_blog_post.php?blogId=2&postId=107

BTW, I still can't get phpldapadmin to connect using tls, but that's for another day.

\\Greg

Greg Martin wrote:

I know there are a lot of question on this topic and ask for your patience.

I'm trying to figure out how to discern if slapd is properly configured for SSL/TLS. Reading through the slapd strace output shows that the cacert & certfile are being opened & read
slapd v2.3.27
When I look at netstat -an ports 389 & 636 are listening: tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
Reading through the strace output shows that the cacert & certfile are being opened.
ldap.conf
BASE    dc=gmartin, dc=org
URI    ldap://linux2.gmartin.org
TLS_CACERT /var/data/ca/cacert.pem
ldaprc:
TLS_CACERT /var/data/ca/cacert.pem
When I try ldapsearch or openssl s_client, I receive:
sslv3 alert handshake failure
And using slapd debug I see: TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:97

I checked the FAQ and I think I've looked at everything there. Not sure where to look next.
\\Greg

Follow-Ups:
- Re: SSL/TLS
  - From: Greg Martin <gmartin@gmartin.org>

References:
- SSL/TLS
  - From: Greg Martin <gmartin@gmartin.org>

Prev by Date: Re: *****SPAM***** openLDAP replication and trigger a script or exec binary
Next by Date: Re: SSL/TLS
Index(es):
- Chronological
- Thread