Re: TLS with HPUX problem
On Wed, 28 May 2008, Michael Ströder wrote:
> Adam Leach wrote:
>> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
>> TLS: can't accept.
>> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
>
> Looks like your client tries to negotiate the SSLv23 protocol variant and your
> server does not accept this. You might have a look at the client's
> configuration to enforce SSLv3 or TLSv1. You should avoid using SSLv2 for
> security reasons anyway.

"SSLv23" is OpenSSL's name for the version negotiation code, handling the
choice between SSLv2, SSLv3, and TLSv1. Support for specific versions can
be disabled using the SSL_{,CTX_}set_options() functions...which OpenLDAP
doesn't call. With that ruled out, it looks from the OpenSSL code that
the "unknown protocol" error would only be generated when the client sent
something that didn't look like either the SSLv2 format or the SSLv3/TLS
format, such as if it sent normal LDAP on the ldaps port.
Philip Guenther
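
A sketch of the distinction described in the reply above, as an added example that is not part of the original thread and is not OpenSSL's code: it classifies the first bytes of a connection as an SSLv2 hello, an SSLv3/TLS hello, or plain LDAP sent to the ldaps port. The function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum hello_kind { TOO_SHORT, SSLV2_HELLO, SSLV3_TLS_HELLO, PLAIN_LDAP, UNKNOWN };

/* Constructed sample inputs: the first bytes a client might send to port 636. */
static const unsigned char tls_hello[]   = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b };
static const unsigned char sslv2_hello[] = { 0x80, 0x2e, 0x01, 0x00, 0x02, 0x00, 0x15, 0x00, 0x00 };
/* Anonymous LDAPv3 simple bind, messageID 1, sent without any TLS handshake. */
static const unsigned char ldap_bind[]   = { 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07,
                                             0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 };

/* Hypothetical helper: guess the protocol from the first bytes of a connection. */
enum hello_kind classify_first_bytes(const unsigned char *p, size_t len)
{
    size_t off = 2;   /* offset of the first element inside a BER SEQUENCE */

    if (len < 6)
        return TOO_SHORT;
    /* SSLv2 record: length field with the high bit set, then message type 1 (CLIENT-HELLO). */
    if ((p[0] & 0x80) && p[2] == 0x01)
        return SSLV2_HELLO;
    /* SSLv3/TLS record: type 22 (handshake), major version 3, handshake type 1 (ClientHello). */
    if (p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01)
        return SSLV3_TLS_HELLO;
    /* LDAPMessage: SEQUENCE (0x30), short- or long-form length, then INTEGER messageID (0x02). */
    if (p[1] & 0x80)
        off += p[1] & 0x7f;
    if (p[0] == 0x30 && off < len && p[off] == 0x02)
        return PLAIN_LDAP;
    return UNKNOWN;
}

const char *kind_name(enum hello_kind k)
{
    static const char *names[] = { "too short", "SSLv2 hello", "SSLv3/TLS hello",
                                   "plain LDAP (no TLS handshake)", "unknown" };
    return names[k];
}

int main(void)
{
    printf("tls_hello:   %s\n", kind_name(classify_first_bytes(tls_hello, sizeof tls_hello)));
    printf("sslv2_hello: %s\n", kind_name(classify_first_bytes(sslv2_hello, sizeof sslv2_hello)));
    printf("ldap_bind:   %s\n", kind_name(classify_first_bytes(ldap_bind, sizeof ldap_bind)));
    return 0;
}
```

Run against the first bytes of a captured connection to the ldaps port, a `PLAIN_LDAP` result points to a client speaking unencrypted LDAP (or expecting StartTLS) on a port where the server expects a TLS handshake first.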