
Strange error during TLS handshake

Today 17:09:11

Hello!

For some time now we have been using OpenLDAP in order to provide a stable 
network-wide authentication service. Of course, we also enabled TLS support 
so that every connection is encrypted. However, we encounter some problems 
which are definitely related to SSL, as they also occur when we test 
our setup using "openssl s_client" and "openssl s_server".
Most of the time TLS/SSL works perfectly, but it may happen that we get the 
following error when we restart slapd:

$ ldapsearch -x -ZZ -d1
[...] 
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=uranos.lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[...]

If this is the case, we can't get it to work anymore and the whole server has 
to be switched off in order to make it work again. What might cause this 
problem? The OS is Ubuntu Linux 6.06.1 Dapper Server Edition.

Looking forward to your answer!

Thanks,
Fabian

P.S. We are using self-signed certificates from our own CA.
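As an added diagnostic aid that is not part of the original post: a small Python parser for the ldapsearch -d1 TLS trace format shown above. It assumes the trace line layouts seen in the post and runs on a constructed, shortened copy of that trace with hypothetical hostnames; it reports the last handshake step that succeeded, the step that failed, whether the server requested and the client sent a certificate, any fatal alerts, and any chain-verification errors on the client side.

```python
import re

# Constructed sample input: an abridged ldapsearch -d1 TLS trace in the same
# format as the post, with hypothetical hostnames instead of the real ones.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/O=Example/CN=ca.example.test, issuer: /C=DE/O=Example/CN=ca.example.test
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/O=Example/CN=ldap.example.test, issuer: /C=DE/O=Example/CN=ca.example.test
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
"""

STATE_RE = re.compile(r"^TLS trace: SSL_connect:(?P<state>.+?)\s*$")
ALERT_RE = re.compile(r"^TLS trace: SSL3 alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>.+?)\s*$")
VERIFY_RE = re.compile(r"^TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>-?\d+), "
                       r"subject: (?P<subject>.+?), issuer: (?P<issuer>.+?)\s*$")

def parse_trace(text):
    """Split a -d1 trace into handshake states, verified chain entries and alerts."""
    states, chain, alerts = [], [], []
    for line in text.splitlines():
        if m := STATE_RE.match(line):
            states.append(m.group("state"))
        elif m := VERIFY_RE.match(line):
            chain.append({k: (int(v) if k in ("depth", "err") else v) for k, v in m.groupdict().items()})
        elif m := ALERT_RE.match(line):
            alerts.append(m.groupdict())
    return {"states": states, "chain": chain, "alerts": alerts}

def diagnose(parsed):
    """Facts to check first: where the handshake died, whether a client cert was
    involved, and whether the client itself rejected the server chain (err != 0)."""
    states = parsed["states"]
    ok = [s for s in states if not s.startswith("failed in ")]
    failed = [s[len("failed in "):] for s in states if s.startswith("failed in ")]
    return {
        "last_ok_state": ok[-1] if ok else None,
        "failed_state": failed[0] if failed else None,
        "client_cert_requested": any("read server certificate request" in s for s in states),
        "client_cert_sent": any("write client certificate" in s for s in states),
        "fatal_alerts": [a["desc"] for a in parsed["alerts"] if a["level"] == "fatal"],
        "chain_verify_errors": [c["subject"] for c in parsed["chain"] if c["err"] != 0],
    }
```

On the sample trace the report shows the client completed its side of the handshake (last good step "SSLv3 flush data") and was then refused by the server with a fatal alert while waiting for the server's Finished, so the server-side slapd debug output is the next place to look.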