Re: SSL3_READ_BYTES:sslv3 alert handshake failure
Greg Martin wrote:
> JOYDEEP, if you are only trying to encrypt the traffic (and not
> guarantee who the client is), then you need your slapd.conf to look as
> it does but drop the 'TLSVERIFYCLIENT demand' line. That is not
> needed for encryption.
>
Dear Greg,
Thanks a lot for the clarification. You have solved the TLS encryption
thing. Regarding the certificate I am confused, as I have seen different
GUI applications which only have the TLS enable option but no option to
declare the certificate. Moreover, in this case I have to distribute the
user certificate to the users. That's why I have enabled the *disallow
bind_anon* option in slapd.conf.
So I think with *disallow bind_anon* and with TLS encryption the server
and client communication is secured.
Anyhow, I would like to hear any suggestion about the client-side certificate
in case the remote client is using a GUI to access the LDAP address book
or LDAP-based email.
Thanks for your great guidance.
> The ldap.conf file only needs to reference the CACERT, the cipher suite
> and TLS_REQCERT demand
>
> Here are my slapd.conf & ldap.conf files. (Your file paths will vary)
> ldap.conf (edited to remove non-TLS directives)
> TLS_CACERT /var/data/ca/cacert.pem
> TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
> TLS_REQCERT demand
> --------------
> slapd.conf (edited to remove non-TLS directives)
> TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
> TLSCACertificateFile /var/data/ca/cacert.pem
> TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
> TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
> TLSVerifyClient never
> -------
> Also, here is the line from my rc.slapd to start the daemon:
> /usr/libexec/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -h
> "ldap:/// ldaps:///"
> This startup command has slapd listening on 389 & 636 for all
> configured IP addresses. This allows for both ldaps & TLS. If you
> only need TLS, you can drop " ldaps:///" from the line.
>
> Finally,
> If you need client verification, I would get TLS working first then
> add the client cert requirements. But, I think you'll want a
> different cert for the client. Your config has the client & server
> using the same cert. They should only share the CACert.
>
> \\Greg
>
> JOYDEEP wrote:
>> Greg Martin wrote:
>>
>>> Try adding a corresponding TLSCipherSuite entry to ldap.conf.
>>>
>>> \\Greg
>>>
>> Sorry for the late reply as I was busy writing an article.
>> Anyhow, I have followed the guidance as suggested.
>>
>> Now the ldap.conf has become like this:
>> ----------------------------------------------
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>> TLS_CACERT /etc/openldap/myca/cacert.pem
>> TLS_CERT /etc/openldap/myca/servercert.pem
>> TLS_KEY /etc/openldap/myca/serverkey.pem
>> TLS_REQCERT allow
>> ---------------------------------------------------
>>
>> the slapd.conf is as before
>> -----------------------------------------------
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>> TLSCertificateFile /etc/openldap/myca/servercert.pem
>> TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
>> TLSCACertificateFile /etc/openldap/myca/cacert.pem
>> TLSVerifyClient demand
>> ----------------------------------------------------
>>
>> But still I have the same problem; *ldapsearch -x -ZZ* reports
>>
>> ------------------------------------------
>> ldap_start_tls: Connect error (-11)
>> additional info: error:14094410:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>> --------------------------------------------
>>
>> and the log reports
>> --------------------------------------------------------------------------------
>>
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 ACCEPT from
>> IP=127.0.0.1:33418 (IP=0.0.0.0:389)
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 STARTTLS
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 RESULT oid= err=0 text=
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 closed (TLS negotiation
>> failure)
>> ----------------------------------------------------------------------------------------
>>
>>
>> *slapd -d 255* reports
>> -------------------------------------------
>> TLS trace: SSL_accept:error in SSLv3 read client certificate B
>> TLS: can't accept.
>> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
>> not return a certificate s3_srvr.c:2471
>> connection_read(15): TLS accept failure error=-1 id=42, closing
>> ---------------------------
>>
>> so pleeeaseeee help me to solve it.
>> thanks a lot for the great support so far...
>>
>>> JOYDEEP wrote:
>>>
>>>> Dear list,
>>>>
>>>> Now *ldapsearch -x -ZZ* is working; but again I have a problem when
>>>> demanding a certificate from the host. The error is
>>>>
>>>> ========================
>>>> ldap_perror
>>>> ldap_start_tls: Connect error (-11)
>>>> additional info: error:14094410:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>>>> ======================================================================
>>>>
>>>> Here is my slapd.conf section of TLS
>>>> -----------------------------------------------
>>>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>>>> TLSCertificateFile /etc/openldap/myca/servercert.pem
>>>> TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
>>>> TLSCACertificateFile /etc/openldap/myca/cacert.pem
>>>> TLSVerifyClient demand
>>>> ----------------------------------------------------
>>>>
>>>> Here is my ldap.conf
>>>> ------------------------------------------------
>>>> TLS_CACERT /etc/openldap/myca/cacert.pem
>>>> TLS_CERT /etc/openldap/myca/servercert.pem
>>>> TLS_KEY /etc/openldap/myca/serverkey.pem
>>>> TLS_REQCERT allow
>>>> ---------------------------------------------------------
>>>>
>>>> Please note I have a self-signed certificate.
>>>>
>>>> Thanks
>>>>
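The thread turns on four config combinations: `TLSVerifyClient demand` on the server while the client either presents no certificate or presents the server's own certificate, `TLS_REQCERT allow` on the client (which accepts a bad or missing server certificate), and cipher strings that still enable SSLv2/SSLv3/EXP/LOW/RC4. As an added example that is not part of the thread or of OpenLDAP itself, the script below is a small linter that reads a slapd.conf and ldap.conf fragment and reports those combinations. The two "as posted" fragments reuse the directives and paths JOYDEEP quoted; the "fixed" pair is constructed here from Greg's advice (drop the client-cert demand, have the client demand a valid server cert, share only the CA cert) with a cipher string chosen for the example. Note that the client-side directive is spelled `TLS_CIPHER_SUITE` in ldap.conf; the checker accepts the slapd-style spelling the thread used but points it out.

```python
import re

# Constructed input: the two fragments JOYDEEP posted, same paths as in the thread.
SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
TLSCACertificateFile /etc/openldap/myca/cacert.pem
TLSVerifyClient demand
"""
LDAP_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT /etc/openldap/myca/servercert.pem
TLS_KEY /etc/openldap/myca/serverkey.pem
TLS_REQCERT allow
"""
# Constructed "after" pair built from Greg's advice: encryption only, no client
# cert demanded, client insists on a server cert chaining to the CA, and a
# cipher string (chosen for this example) with no legacy/export/low/RC4 tokens.
SLAPD_CONF_FIXED = """\
TLSCipherSuite HIGH:!ADH:!aNULL
TLSCertificateFile /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
TLSCACertificateFile /etc/openldap/myca/cacert.pem
TLSVerifyClient never
"""
LDAP_CONF_FIXED = """\
TLS_CIPHER_SUITE HIGH:!ADH:!aNULL
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_REQCERT demand
"""

WEAK_CIPHER_TOKENS = ("SSLV2", "SSLV3", "EXP", "LOW", "RC4", "ADH", "ANULL", "NULL")


def parse_conf(text):
    """Map lower-cased directive -> value; blank lines and '#' comments skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def weak_cipher_tokens(spec):
    """Weak tokens an OpenSSL cipher string leaves enabled. '!X' kills X for
    good, '-X' removes it until re-added, '+X' and 'X+Y' still enable X."""
    enabled, killed = set(), set()
    for tok in re.split(r"[:,\s+]+", spec):
        if not tok:
            continue
        if tok.startswith("!"):
            killed.add(tok[1:].upper())
        elif tok.startswith("-"):
            enabled.discard(tok[1:].upper())
        else:
            enabled.add(tok.upper())
    return sorted(t for t in WEAK_CIPHER_TOKENS if t in enabled and t not in killed)


def audit(slapd_text, ldap_text):
    """Return (severity, code, message) findings for a server/client config pair."""
    server, client = parse_conf(slapd_text), parse_conf(ldap_text)
    findings = []

    if server.get("tlsverifyclient", "never").lower() in ("demand", "true"):
        if not (client.get("tls_cert") and client.get("tls_key")):
            findings.append(("error", "no-client-cert",
                "server demands a client cert but ldap.conf sets no TLS_CERT/TLS_KEY; "
                "slapd logs 'peer did not return a certificate'"))
        elif client["tls_cert"] == server.get("tlscertificatefile"):
            findings.append(("warn", "shared-cert",
                "client TLS_CERT is the server's own certificate; issue a separate "
                "client cert and share only the CA cert"))
        findings.append(("info", "demand-not-needed-for-encryption",
            "TLSVerifyClient demand authenticates clients; 'never' is enough for "
            "encryption alone"))

    reqcert = client.get("tls_reqcert", "demand").lower()
    if reqcert not in ("demand", "hard"):
        findings.append(("error", "client-skips-server-verification",
            f"TLS_REQCERT {reqcert}: a missing or unverifiable server certificate "
            "is tolerated, so the client cannot tell it is talking to the real server"))

    if "tlsciphersuite" in client:
        findings.append(("info", "client-cipher-directive",
            "ldap.conf spells this directive TLS_CIPHER_SUITE; TLSCipherSuite is "
            "the slapd.conf form"))
    client_spec = client.get("tls_cipher_suite") or client.get("tlsciphersuite", "")
    for side, spec in (("slapd.conf", server.get("tlsciphersuite", "")),
                       ("ldap.conf", client_spec)):
        weak = weak_cipher_tokens(spec)
        if weak:
            findings.append(("warn", "weak-ciphers",
                f"{side} cipher suite enables {', '.join(weak)}"))
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (SLAPD_CONF, LDAP_CONF)),
                        ("after Greg's advice", (SLAPD_CONF_FIXED, LDAP_CONF_FIXED))):
        print(f"== {label}")
        for sev, code, msg in audit(*pair) or [("ok", "clean", "no findings")]:
            print(f"[{sev}] {code}: {msg}")
```

Run against the posted pair it reports the shared certificate, the `allow` setting and the `+SSLv2` token on both sides; against the fixed pair it reports nothing. The cipher parser is deliberately simple (it looks only at explicit tokens and does not expand aliases such as `ALL`), so a string like `ALL` with nothing excluded passes even though it enables weak suites; treat the weak-ciphers check as a screen, not a proof.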