[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
s_client working against 636 but not 389
- To: openldap-technical@openldap.org
- Subject: s_client working against 636 but not 389
- From: Nate Marks <npmarks@gmail.com>
- Date: Sat, 3 Sep 2011 12:00:51 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=dStbAcBkvjOirF7lSzjwKP0Iu/xHLwjU+xbBMZdws74=; b=Rq6agMK22XYILLVbP4PMRSuhDPXjjnM6PbMaIl04mUj30yzU57XYen0sSKNqdF+oas XGwBzl+vqpx/ZULXFO2ktorG6wBA9BhOumhiVC/WS9VoMakmx7prRpDH1DNWzrRgyd/+ 2MFoPQLvk4z99ig2VUVjjYsou1ibwhvSNxvng=
[root@ldap01 cacerts]# netstat -panv | grep slap
...
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 3220/slapd
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 3220/slapd
[root@ldap01 cacerts]# grep TL /etc/openldap/slapd.conf
# The next three lines allow use of TLS for encrypting connections using a
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificateFile /etc/pki/tls/certs/cacert.pem
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateFile /etc/openldap/cacerts/ldap01.infra.ops.hcs.cert.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/openldap/cacerts/ldap01.infra.ops.hcs.key.pem
***COMMENT: This command seems a little slow, but it succeeds ***
[root@ldap01 cacerts]# openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect 10.60.1.57:636
CONNECTED(00000003)
depth=1 /C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
verify return:1
depth=0 /C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com
i:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
1 s:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
i:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDATCCAmqgAwIBAgIJANZXaZL0G6eAMA0GCSqGSIb3DQEBBQUAMHIxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJNQTEYMBYGA1UEChMPTldOIENvcnBvcmF0aW9uMQww
CgYDVQQLEwNoY3MxEzARBgNVBAMTCmNhLm9wcy5oY3MxGTAXBgkqhkiG9w0BCQEW
CmNhQG9wcy5oY3MwHhcNMTEwODMxMDkwOTEyWhcNMTIwODMwMDkwOTEyWjCBlTEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRAwDgYDVQQHEwdXYWx0aGFtMRgwFgYD
VQQKEw9OV04gQ29ycG9yYXRpb24xDDAKBgNVBAsTA2hjczEdMBsGA1UEAxMUbGRh
cDAxLmluZnJhLm9wcy5oY3MxIDAeBgkqhkiG9w0BCQEWEXN1cHBvcnRAbnduaXQu
Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV/XlgAuwbisnokbCXUvXz
M5SXTeG6D697Sgh7ggcvdwVprKlfFWCLu3RcSkBbJ69bTDgRQS6qlplUm9kB44XB
Ej+8w+YVvTGxZWYIxyr3u2SKYFrIVj4DpeCZyYrgFds9JK9YGh6cDj57PGXbw9aK
ApE1SKPNx2SCkMy9WSzLOwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIB
DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUdO79
lD14LPMt0cviy00Bi/zoVz8wHwYDVR0jBBgwFoAURUA5pElJg/XvOcDIdWZ6W+EN
54IwDQYJKoZIhvcNAQEFBQADgYEANOSnNbRW+US5xf4fQrz0M765wuOKjvuWK4yG
K5GcWPv8zAM9bEf0Ju9A9RiMzxwDfQndRQ84fTELXKQeHFYa0ELse8G4ZdxRyEtN
GzigGoPQYqtofW3N2mIRb85RntHoIBwfrhnogsY2UXssIWc/8CGgwp4OjtYhiXMU
JtHLAms=
-----END CERTIFICATE-----
subject=/C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com
issuer=/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
---
No client certificate CA names sent
---
SSL handshake has read 1775 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 1F3B030DD062E3EFC3E143DF978A622DD8B0E2167331EAC45C307C8997F59BC3
Session-ID-ctx:
Master-Key: 834A1CF62289DB6C4367109B9EF2172796A4AF403F4FE040C4EDDC48ED722437E96717A860038A70323DFFD1EDE3562D
Key-Arg : None
Krb5 Principal: None
Start Time: 1315065479
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
*** COMMENT: This obviosly doesn't ***
[root@ldap01 cacerts]# openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect 10.60.1.57:389
CONNECTED(00000003)
4392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
[root@ldap01 cacerts]#
The only thing I could think of is a timeout difference between ssl and tls, iun which case I'll be fine wheh I figure out why it's slow, but I'd like to validate that before moving on to the slowness problem. ANyone have ideas?