[Date Prev][Date Next] [Chronological] [Thread] [Top]

handshake failure / SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr

To: openldap-technical@openldap.org
Subject: handshake failure / SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr
From: Götz Reinicke - IT-Koordinator <goetz.reinicke@filmakademie.de>
Date: Thu, 01 Apr 2010 17:11:43 +0200
Organization: Filmakademie Baden-Württemberg GmbH
User-agent: Thunderbird 2.0.0.24 (Macintosh/20100228)

Hi,

this drives my crazy for about two days:

I do have two virtual Red Hat El 5.4 servers in a test environment. One
should be an openldap master, the second should be a openldap slave.

openssl-0.9.8e-12.el5_4.1, openldap-2.3.43-3.el5 (RH EL original rpms)

I followed some instructions to set up TLS: Set up a CA, generate/sign
certificates and keys, install tham on the servers and configure
openldap, restart.

My problem is: tls works on the master (which also is my CA for the
test), but not on the slave.

I've "openssl verify"ed and "openssl x509 -text"ed the certs -
everything seams o.k.

I've checked ip addresses, name resolving, locations, pathes,
permissions, fileversions - anything I can think of.

I've regenerated the key and cert for the slave following an other
documentation (at least with the same steps), but alway do get the same
error:

from the ldap server debug:

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c:975
connection_read(13): TLS accept failure error=-1 id=0, closing

from the ldap client debug:

TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
	additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

May be I missed a step or still skiped something ...

A thousand kowtows for any helping hint...!!

Best regards,

	Götz
-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia Hübner

Geschäftsführer:
Prof. Thomas Schadt

Prev by Date: Re: Using "overlay dynlist" with Ubuntu Karmic 9.10 LDAP server using slapd.d (not slapd.conf) ?
Next by Date: Re: Partial replication
Index(es):
- Chronological
- Thread