
Re: SSL3_READ_BYTES:sslv3 alert handshake failure



JOYDEEP, if you are only trying to encrypt the traffic (and not guarantee who the client is), then you need your slapd.conf to look as it does but drop the 'TLSVERIFYCLIENT demand' line. That is not needed for encryption.

The ldap.conf file only needs to reference the CACERT, the cipher suite and TLS_REQCERT demand.

Here are my slapd.conf & ldap.conf files. (Your file paths will vary)
ldap.conf (edited to remove non-TLS directives)
TLS_CACERT /var/data/ca/cacert.pem
TLS_CIPHER_SUITE ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLS_REQCERT demand
--------------
slapd.conf (edited to remove non-TLS directives)
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSCACertificateFile /var/data/ca/cacert.pem
TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
-------
Also, here is the line from my rc.slapd to start the daemon:
/usr/libexec/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -h "ldap:/// ldaps:///"
This startup command has slapd listening on 389 & 636 for all configured IP addresses. This allows for both ldaps & TLS. If you only need TLS, you can drop " ldaps:///" from the line.


Finally,
If you need client verification, I would get TLS working first then add the client cert requirements. But, I think you'll want a different cert for the client. Your config has the client & server using the same cert. They should only share the CACert.


\\Greg






JOYDEEP wrote:
Greg Martin wrote:
Try adding a corresponding TLSCipherSuite entry to ldap.conf.

\\Greg



Sorry for the late reply, as I was busy writing an article.
Anyhow, I have followed the guidance as suggested.

Now the ldap.conf has become:
----------------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT   /etc/openldap/myca/servercert.pem
TLS_KEY    /etc/openldap/myca/serverkey.pem
TLS_REQCERT allow
---------------------------------------------------

The slapd.conf is as before:
-----------------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile            /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
TLSCACertificateFile         /etc/openldap/myca/cacert.pem
TLSVerifyClient  demand
----------------------------------------------------

But I still have the same problem; *ldapsearch -x -ZZ* reports

------------------------------------------
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
--------------------------------------------

And the log reports
--------------------------------------------------------------------------------
Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 ACCEPT from
IP=127.0.0.1:33418 (IP=0.0.0.0:389)
Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 STARTTLS
Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 RESULT oid= err=0 text=
Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 closed (TLS negotiation
failure)
----------------------------------------------------------------------------------------

*slapd -d 255*  reports
-------------------------------------------
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate s3_srvr.c:2471
connection_read(15): TLS accept failure error=-1 id=42, closing
---------------------------

So please help me to solve it.
Thanks a lot for the great support so far...



JOYDEEP wrote:
Dear list,

Now *ldapsearch -x -ZZ* is working; but again I have a problem when
demanding a certificate from the host. The error is

========================
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
======================================================================

Here is my slapd.conf section of TLS
-----------------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile            /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
TLSCACertificateFile         /etc/openldap/myca/cacert.pem
TLSVerifyClient  demand
----------------------------------------------------

Here is my ldap.conf
------------------------------------------------
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT   /etc/openldap/myca/servercert.pem
TLS_KEY    /etc/openldap/myca/serverkey.pem
TLS_REQCERT allow
---------------------------------------------------------

please note I have a self signed certificate.

Thanks
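The mistakes this thread turns on (TLSVerifyClient demand against a client that presents no certificate, client and server sharing one certificate instead of only the CA, a slapd.conf directive name pasted into ldap.conf where libldap does not know it, TLS_REQCERT weaker than demand, and a cipher string that re-enables SSLv2) can all be caught by reading the two files before restarting slapd. The script below is an added example, not anything the posters ran and not part of OpenLDAP; the directive names and accepted values follow slapd.conf(5) and ldap.conf(5), the list of weak cipher-string tokens is my own choice, and the two sample configs are copies of the ones JOYDEEP posted, embedded as constructed input.

```python
"""Lint the TLS section of an OpenLDAP slapd.conf / ldap.conf pair for the
pitfalls raised in the thread above.  Added example: the checks are one
reading of slapd.conf(5) and ldap.conf(5), not anything the posters ran."""

# Client-side (ldap.conf) TLS directives, per ldap.conf(5).
CLIENT_DIRECTIVES = {
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
    "TLS_CIPHER_SUITE", "TLS_REQCERT", "TLS_RANDFILE", "TLS_CRLCHECK",
}
# slapd.conf spellings that get pasted into ldap.conf by mistake.
SERVER_TO_CLIENT = {
    "TLSCACERTIFICATEFILE": "TLS_CACERT",
    "TLSCERTIFICATEFILE": "TLS_CERT",
    "TLSCERTIFICATEKEYFILE": "TLS_KEY",
    "TLSCIPHERSUITE": "TLS_CIPHER_SUITE",
}
# OpenSSL cipher-string tokens that weaken the negotiated protocol or cipher
# (assumed list for this example).
WEAK_TOKENS = {"SSLV2", "SSLV3", "EXP", "EXPORT", "LOW", "RC4", "ADH",
               "ANULL", "ENULL", "NULL"}


def parse_directives(text):
    """Map DIRECTIVE (upper-cased; OpenLDAP names are case-insensitive) to its
    value for every non-blank, non-comment line."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def weak_cipher_tokens(spec):
    """Return weak tokens enabled by an OpenSSL cipher string such as
    'HIGH:MEDIUM:+SSLv2'.  A '!' token removes ciphers and is skipped; '+'/'-'
    prefixes are stripped and 'A+B' conjunctions split into component names."""
    found = []
    for tok in spec.split(":"):
        if tok.startswith("!"):
            continue
        names = tok.lstrip("+-").upper().split("+")
        found.extend(n for n in names if n in WEAK_TOKENS)
    return found


def lint(slapd_conf, ldap_conf, encrypt_only=True):
    """Return a list of findings.  encrypt_only=True means the goal is an
    encrypted channel without client authentication (Greg's first point)."""
    srv = parse_directives(slapd_conf)
    cli = parse_directives(ldap_conf)
    findings = []

    # 1. slapd.conf directive names in ldap.conf: libldap has no such option,
    #    so the setting never takes effect on the client.
    for name in cli:
        if name.startswith("TLS") and name not in CLIENT_DIRECTIVES:
            hint = SERVER_TO_CLIENT.get(name)
            findings.append(f"ldap.conf: {name} is not an ldap.conf(5) directive"
                            + (f"; use {hint}" if hint else ""))

    # 2. TLSVerifyClient demand/hard/true makes slapd abort the handshake when
    #    the client sends no certificate ('peer did not return a certificate').
    verify = srv.get("TLSVERIFYCLIENT", "never").lower()
    if encrypt_only and verify in ("demand", "hard", "true"):
        findings.append(f"slapd.conf: TLSVerifyClient {verify} requires a client "
                        "certificate; use 'never' for encryption only")

    # 3. One certificate serving as both server and client identity.
    if cli.get("TLS_CERT") and cli["TLS_CERT"] == srv.get("TLSCERTIFICATEFILE"):
        findings.append("ldap.conf TLS_CERT is the server's TLSCertificateFile; "
                        "client and server should share only the CA certificate")

    # 4. Anything weaker than TLS_REQCERT demand lets the client proceed
    #    against a server certificate it could not verify.
    reqcert = cli.get("TLS_REQCERT", "demand").lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"ldap.conf: TLS_REQCERT {reqcert} does not fail on an "
                        "unverifiable server certificate; use 'demand'")

    # 5. Weak protocol or cipher tokens on either side.
    for label, spec in (("slapd.conf TLSCipherSuite", srv.get("TLSCIPHERSUITE")),
                        ("ldap.conf TLS_CIPHER_SUITE", cli.get("TLS_CIPHER_SUITE"))):
        weak = weak_cipher_tokens(spec) if spec else []
        if weak:
            findings.append(f"{label}: enables weak tokens {sorted(set(weak))} in '{spec}'")
    return findings


# Constructed sample input: the two files JOYDEEP posted, copied verbatim.
SAMPLE_SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile            /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
TLSCACertificateFile         /etc/openldap/myca/cacert.pem
TLSVerifyClient  demand
"""
SAMPLE_LDAP_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT   /etc/openldap/myca/servercert.pem
TLS_KEY    /etc/openldap/myca/serverkey.pem
TLS_REQCERT allow
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_SLAPD_CONF, SAMPLE_LDAP_CONF):
        print("-", finding)
```

Run against the posted files it reports five findings; against Greg's layout (TLSVerifyClient never, TLS_CIPHER_SUITE spelled the ldap.conf way, TLS_REQCERT demand, no TLS_CERT on the client) it reports only the weak tokens in his cipher string. Pass encrypt_only=False once client certificates are actually wanted, so that TLSVerifyClient demand is no longer flagged.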