Strange error during TLS handshake
Today 17:09:11
Hello!
For some time now we have been using OpenLDAP to provide a stable
network-wide authentication service. Of course, we have also enabled TLS support
so that every connection is encrypted. However, we are encountering some problems
that are definitely SSL-related, as they also occur when we test
our setup using "openssl s_client" and "openssl s_server".
Most of the time TLS/SSL works perfectly, but it can happen that we get the
following error when we restart slapd:
$ ldapsearch -x -ZZ -d1
[...]
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0,
subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim
Marquartstein/CN=lsh-marquartstein.de,
issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim
Marquartstein/CN=lsh-marquartstein.de
TLS certificate verification: depth: 0, err: 0,
subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim
Marquartstein/CN=uranos.lsh-marquartstein.de,
issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim
Marquartstein/CN=lsh-marquartstein.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[...]
If this is the case we can't get it to work anymore and the whole server has
to be switched off in order to make it work again. What might cause this
problem? OS is Ubuntu Linux 6.06.1 Dapper Server-Edition.
Looking forward to your answer!
Thanks,
Fabian
P.S. We are using self-signed certificates of our own CA.
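An added example, not part of the post above: a small Python triage helper that reads an `ldapsearch -d1` TLS trace like the one quoted and reports the stage in which the handshake failed, which side sent the fatal alert, whether the server asked for a client certificate, and whether the client's own chain verification logged a non-zero error. The embedded sample is the post's trace, abbreviated and with the wrapped lines rejoined; the regular expressions assume the trace wording shown in the post.

```python
import re

# Constructed sample: the post's ldapsearch -d1 trace, abbreviated, wrapped lines rejoined.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /CN=lsh-marquartstein.de, issuer: /CN=lsh-marquartstein.de
TLS certificate verification: depth: 0, err: 0, subject: /CN=uranos.lsh-marquartstein.de, issuer: /CN=lsh-marquartstein.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
"""

STATE_RE = re.compile(r"^TLS trace: SSL_connect:(.+)$")
ALERT_RE = re.compile(r"^TLS trace: SSL3 alert (read|write):(\w+):(.+)$")
VERIFY_RE = re.compile(r"^TLS certificate verification: depth: (\d+), err: (\d+),")

def triage_tls_trace(trace):
    """Reduce an OpenLDAP/OpenSSL handshake trace to the facts needed for triage."""
    r = {"last_state": None, "failed_in": None, "alert": None,
         "client_cert_requested": False, "verify_errors": []}
    for line in trace.splitlines():
        if m := ALERT_RE.match(line):
            r["alert"] = m.groups()                 # (direction, level, description)
        elif m := VERIFY_RE.match(line):
            if int(m[2]) != 0:                      # err 0 means this depth verified fine
                r["verify_errors"].append((int(m[1]), int(m[2])))
        elif m := STATE_RE.match(line):
            state = m[1]
            if state.startswith("failed in "):
                r["failed_in"] = state[len("failed in "):]
            else:
                r["last_state"] = state             # last stage reached before failing
                r["client_cert_requested"] |= "certificate request" in state
    return r

def explain(r):
    notes = []
    if r["alert"] and r["alert"][0] == "read":      # "read" = alert came from the peer
        notes.append("server aborted the handshake: check slapd's own log")
    if not r["verify_errors"]:
        notes.append("client verified the server chain without errors")
    if r["client_cert_requested"]:
        notes.append("server requested a client cert: review its verify settings")
    return notes
```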