Sorry for the long post, but I resolved most of this. It was all
configuration detail. There were two things happening:
I was using:
TLS_CACertificateFile
TLS_CertificateFile
TLS_CertificateKeyFile
(Note the extra underscore)
not:
TLSCACertificateFile
TLSCertificateFile
TLSCertificateKeyFile
I guess I got ldap.conf & slapd.conf directives confused. When I ran
slapd with -d 255 I found that mistake.
Second:
I had the following in slapd.conf & ldap.conf
TLSCipherSuite DHE-RSA-AES256-SHA
(which I cut & pasted from 'openssl ciphers')
replaced it with
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
It's still not clear to me what the syntax should be. Trying to
translate the openssl -v ciphers into what's mentioned in the man page
doesn't help me much. But I can be dense.
So a couple of questions that don't need answers:
- would there be value in making the slapd.conf & ldap.conf TLS
directives align?
- Should slaptest report the bad TLS directives?
And one more. In the man page for slapd, there is this explanation
for the -h option
-h URLlist
slapd will by default serve ldap:/// (LDAP over TCP on
all interfaces on default LDAP port). That is, it will bind using
INADDR_ANY and port 389. The -h option may be used to specify
LDAP (and other scheme) URLs to serve. For example, if
slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it
will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
The last part seems inexact. It says -h ldaps:/// will cause slapd to
listen on port 636 for LDAP over TLS. Should that say something like:
"will cause slapd to listen for LDAP over SSL on port 636 and for
StartTLS on port 389"?
I've dropped all this in my blog at:
http://linux2.gmartin.org:82/tiki/tiki-view_blog_post.php?blogId=2&postId=107
BTW, I still can't get phpLDAPadmin to connect using TLS, but that's
for another day.
\\Greg
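The directive mix-up above (ldap.conf-style TLS_ names pasted into slapd.conf) is easy to catch mechanically, which is essentially what the "should slaptest report the bad TLS directives?" question asks for. The following is an added example, not code from the thread or from OpenLDAP: a small lint that checks a slapd.conf for ldap.conf option names and vice versa. The directive sets are the TLS names from slapd.conf(5) and ldap.conf(5); the sample configs are constructed from the paths posted in the thread; the function names and the suggestion logic are this example's own.

```python
"""Lint OpenLDAP TLS directives for the slapd.conf / ldap.conf name confusion.

Added example (not from the original thread or from OpenLDAP). slapd.conf(5)
uses directives such as TLSCACertificateFile, while ldap.conf(5) uses options
such as TLS_CACERT. slapd does not refuse to start on a misspelled "TLS_..."
directive (the poster only noticed it under slapd -d 255), so TLS appears to
be up while no certificate was ever loaded.
"""

# Server-side directive names from slapd.conf(5). slapd matches directive
# names case-insensitively, so comparisons below are done on lower-cased names.
SLAPD_TLS_DIRECTIVES = {
    "TLSCipherSuite", "TLSCACertificateFile", "TLSCACertificatePath",
    "TLSCertificateFile", "TLSCertificateKeyFile", "TLSDHParamFile",
    "TLSRandFile", "TLSVerifyClient", "TLSCRLCheck",
}

# Client-side option names from ldap.conf(5).
LDAP_CONF_TLS_OPTIONS = {
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
    "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK",
}

# Client option -> equivalent server directive, used only for suggestions.
CLIENT_TO_SERVER = {
    "TLS_CACERT": "TLSCACertificateFile",
    "TLS_CACERTDIR": "TLSCACertificatePath",
    "TLS_CERT": "TLSCertificateFile",
    "TLS_KEY": "TLSCertificateKeyFile",
    "TLS_CIPHER_SUITE": "TLSCipherSuite",
    "TLS_RANDFILE": "TLSRandFile",
    "TLS_CRLCHECK": "TLSCRLCheck",
}
SERVER_TO_CLIENT = {v: k for k, v in CLIENT_TO_SERVER.items()}

_SLAPD_BY_LOWER = {d.lower(): d for d in SLAPD_TLS_DIRECTIVES}
_LDAP_BY_LOWER = {o.lower(): o for o in LDAP_CONF_TLS_OPTIONS}


def _directives(text):
    """Yield (lineno, keyword) for each non-comment, non-blank config line."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        yield lineno, stripped.split(None, 1)[0]


def _suggest(keyword, valid_by_lower, cross_map):
    """Best-effort replacement for a wrong TLS keyword, or None."""
    # Case 1: an underscore put in or left out (TLS_CACertificateFile).
    collapsed = keyword.replace("_", "").lower()
    for lower, canonical in valid_by_lower.items():
        if lower.replace("_", "") == collapsed:
            return canonical
    # Case 2: the keyword belongs to the other file (TLS_CACERT in slapd.conf).
    for other, equivalent in cross_map.items():
        if other.lower() == keyword.lower():
            return equivalent
    return None


def lint_slapd_conf(text):
    """Return [(lineno, keyword, suggestion)] for TLS* keywords slapd does not know."""
    findings = []
    for lineno, keyword in _directives(text):
        if not keyword.lower().startswith("tls") or keyword.lower() in _SLAPD_BY_LOWER:
            continue
        findings.append((lineno, keyword, _suggest(keyword, _SLAPD_BY_LOWER, CLIENT_TO_SERVER)))
    return findings


def lint_ldap_conf(text):
    """The same check for ldap.conf / ldaprc, in the other direction."""
    findings = []
    for lineno, keyword in _directives(text):
        if not keyword.lower().startswith("tls") or keyword.lower() in _LDAP_BY_LOWER:
            continue
        findings.append((lineno, keyword, _suggest(keyword, _LDAP_BY_LOWER, SERVER_TO_CLIENT)))
    return findings


# Constructed sample: the server config from the thread, with the ldap.conf-style
# names that slapd ignores. Paths are the thread's; they need not exist here.
SLAPD_CONF_BROKEN = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
"""

# The same config with the slapd.conf(5) names (constructed).
SLAPD_CONF_FIXED = """\
TLSCipherSuite HIGH:MEDIUM
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
"""

if __name__ == "__main__":
    for lineno, keyword, suggestion in lint_slapd_conf(SLAPD_CONF_BROKEN):
        print(f"slapd.conf:{lineno}: unknown directive {keyword!r}, did you mean {suggestion!r}?")
    print("findings in fixed config:", lint_slapd_conf(SLAPD_CONF_FIXED))
```

Run it against the real files (`lint_slapd_conf(open("/etc/openldap/slapd.conf").read())`) before starting slapd, since an ignored TLS directive fails open rather than loudly. One further caveat from slapd.conf(5): the file named by TLSCertificateKeyFile must be an unencrypted private key, so a file like ldap1keyclear.txt needs to be readable only by the user slapd runs as.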
Greg Martin wrote:
I know there are a lot of questions on this topic and ask for your
patience.
I'm trying to figure out how to discern if slapd is properly
configured for SSL/TLS. Reading through the slapd strace output
shows that the cacert & certfile are being opened & read.
slapd v2.3.27
When I look at netstat -an ports 389 & 636 are listening:
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
Reading through the strace output shows that the cacert & certfile
are being opened.
ldap.conf
BASE dc=gmartin, dc=org
URI ldap://linux2.gmartin.org
TLS_CACERT /var/data/ca/cacert.pem
ldaprc:
TLS_CACERT /var/data/ca/cacert.pem
When I try ldapsearch or openssl s_client, I receive:
sslv3 alert handshake failure
And using slapd debug I see:
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher s3_srvr.c:97
I checked the FAQ and I think I've looked at everything there. Not
sure where to look next.
\\Greg
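Both the TLSCipherSuite syntax question in the follow-up and the "no shared cipher" error in the original post come down to what an OpenSSL cipher string actually expands to on a given box. The following is an added example, not code from the thread or from OpenLDAP: it hands a cipher string to the OpenSSL parser through Python's ssl module, so the result on a machine matches what `openssl ciphers -v '<spec>'` prints there, and intersects a server-side and a client-side string. The pairing of the thread's server strings with a client string of DEFAULT is an assumption for the demo (the thread does not show the client's cipher setting); the function names are this example's own.

```python
"""Expand OpenSSL cipher strings offline and intersect a server's and a client's list.

Added example, not code from the original thread or from OpenLDAP. slapd's
TLSCipherSuite and libldap's TLS_CIPHER_SUITE both take an OpenSSL cipher
string in openssl ciphers(1) syntax; a bare cipher name such as
DHE-RSA-AES256-SHA is valid syntax, it just selects one cipher.
"""
import ssl


def expand_cipher_string(spec):
    """Cipher names selected by an OpenSSL cipher string, in preference order.

    Returns [] when OpenSSL can select nothing (its "no cipher match" error).
    TLS 1.3 suites are dropped because the cipher-string syntax does not
    govern them and they would mask an otherwise empty list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def shared_ciphers(server_spec, client_spec):
    """Ciphers both sides could offer, shown in client order.

    An empty result is the offline counterpart of slapd's
    'SSL3_GET_CLIENT_HELLO:no shared cipher'. Which side's order wins in a
    real handshake depends on server options, so only membership matters here.
    """
    server = set(expand_cipher_string(server_spec))
    return [name for name in expand_cipher_string(client_spec) if name in server]


# The server-side strings from the thread. The client string is an assumption:
# the thread never shows what the ldapsearch side was configured with.
THREAD_SERVER_SPECS = {
    "first try": "HIGH:MEDIUM:+SSLv2",
    "pasted single cipher": "DHE-RSA-AES256-SHA",
    "replacement": "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
}
ASSUMED_CLIENT_SPEC = "DEFAULT"

if __name__ == "__main__":
    for label, spec in THREAD_SERVER_SPECS.items():
        expanded = expand_cipher_string(spec)
        common = shared_ciphers(spec, ASSUMED_CLIENT_SPEC)
        print(f"{label}: {spec}")
        print(f"  expands to {len(expanded)} ciphers on this OpenSSL, e.g. {expanded[:3]}")
        print(f"  shared with client {ASSUMED_CLIENT_SPEC!r}: {len(common)}")
```

Two caveats a practitioner wants alongside this: OpenSSL's server-side "no shared cipher" also fires when the server has no usable certificate and key, because every RSA-authenticated suite needs one, so the misnamed TLS_ directives in the original post would produce that exact alert regardless of the cipher string. And a server configured with only DHE suites (the pasted DHE-RSA-AES256-SHA) additionally needs Diffie-Hellman parameters loaded before OpenSSL of that era will offer them; slapd.conf(5) documents TLSDHParamFile for that.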