
s_client working against 636 but not 389



[root@ldap01 cacerts]# netstat -panv | grep slap
...
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      3220/slapd         
tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      3220/slapd       


[root@ldap01 cacerts]# grep TL /etc/openldap/slapd.conf
# The next three lines allow use of TLS for encrypting connections using a
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificateFile /etc/pki/tls/certs/cacert.pem
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateFile /etc/openldap/cacerts/ldap01.infra.ops.hcs.cert.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile  /etc/openldap/cacerts/ldap01.infra.ops.hcs.key.pem


***COMMENT:  This command seems a little slow, but it succeeds ***

[root@ldap01 cacerts]# openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem  -connect 10.60.1.57:636
CONNECTED(00000003)
depth=1 /C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
verify return:1
depth=0 /C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com
   i:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
 1 s:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
   i:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com
issuer=/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs
---
No client certificate CA names sent
---
SSL handshake has read 1775 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1F3B030DD062E3EFC3E143DF978A622DD8B0E2167331EAC45C307C8997F59BC3
    Session-ID-ctx:
    Master-Key: 834A1CF62289DB6C4367109B9EF2172796A4AF403F4FE040C4EDDC48ED722437E96717A860038A70323DFFD1EDE3562D
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1315065479
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


*** COMMENT:  This obviously doesn't ***

[root@ldap01 cacerts]# openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem  -connect 10.60.1.57:389
CONNECTED(00000003)
4392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
[root@ldap01 cacerts]#


The only thing I could think of is a timeout difference between SSL and TLS, in which case I'll be fine when I figure out why it's slow, but I'd like to validate that before moving on to the slowness problem.  Anyone have ideas?
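What the two transcripts above actually show, as a note added here rather than part of the original post: port 636 (ldaps) speaks TLS from the first byte, so `openssl s_client` can complete a handshake against it. Port 389 speaks plaintext LDAP, and TLS there is negotiated in-band with the StartTLS extended operation (RFC 4511 section 4.14, OID 1.3.6.1.4.1.1466.20037) before any TLS record is sent. A raw ClientHello arriving on 389 is not a valid LDAP PDU (it does not begin with the 0x30 SEQUENCE tag of an LDAPMessage), so slapd closes the connection and s_client reports a handshake failure; no timeout is involved. The usual checks are `ldapsearch -ZZ -x -H ldap://ldap01.infra.ops.hcs -b '' -s base` (`-ZZ` makes StartTLS mandatory) or, on OpenSSL 1.1.1 and later, `openssl s_client -starttls ldap -connect host:389`. Separately, the "Server public key is 1024 bit" line in the 636 output is worth acting on: a 1024-bit RSA key is below the 2048-bit minimum current guidance requires.

The script below is an added example, not code from the original post or from OpenLDAP. It builds the StartTLS ExtendedRequest byte for byte, parses the ExtendedResponse, shows why a TLS record is rejected on 389, and (only when run against a live server) performs the exchange and wraps the socket in TLS with chain and hostname verification. The host and CA file in `starttls_connect` are parameters the caller supplies; the sample responses in `__main__` are constructed for illustration.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_extended_response(pdu: bytes) -> dict:
    """Parse LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }.

    ExtendedResponse = LDAPResult (resultCode, matchedDN, diagnosticMessage)
    followed by optional responseName [10] and responseValue [11].
    """
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage: first byte 0x%02x, expected 0x30 SEQUENCE" % tag)
    _, msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x78:  # APPLICATION 24, constructed
        raise ValueError("protocolOp 0x%02x is not an ExtendedResponse" % op_tag)
    _, code, pos = _read_tlv(op, 0)
    _, matched_dn, pos = _read_tlv(op, pos)
    _, diag, pos = _read_tlv(op, pos)
    result = {
        "message_id": int.from_bytes(msg_id, "big"),
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched_dn.decode(),
        "diagnostic": diag.decode(),
        "response_name": None,
    }
    while pos < len(op):  # optional trailing fields
        t, v, pos = _read_tlv(op, pos)
        if t == 0x8A:  # [10] responseName
            result["response_name"] = v.decode()
    return result


def classify_first_bytes(data: bytes) -> str:
    """What a listener sees first: an LDAP PDU, a TLS record, an SSLv2-style hello, or junk."""
    if data[:1] == b"\x30":
        return "ldap-pdu"
    if data[:2] == b"\x16\x03":  # TLS record type 22 (handshake), version 3.x
        return "tls-record"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:  # SSLv2-compatible CLIENT-HELLO
        return "sslv2-compat-hello"
    return "unknown"


def starttls_connect(host: str, cafile: str, port: int = 389, timeout: float = 10.0) -> dict:
    """Run the StartTLS exchange on port 389, then wrap the socket; return the peer certificate."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request())
    resp = parse_extended_response(sock.recv(4096))
    if resp["result_code"] != 0:
        sock.close()
        raise RuntimeError("StartTLS refused: code %d %s" % (resp["result_code"], resp["diagnostic"]))
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the chain and the hostname
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        return tls.getpeercert()
    finally:
        tls.close()


if __name__ == "__main__":
    # Constructed success response: resultCode 0, empty matchedDN/diagnostic, responseName echoed.
    ok = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + ber_tlv(
        0x78, ber_tlv(0x0A, b"\x00") + ber_tlv(0x04, b"") + ber_tlv(0x04, b"") + ber_tlv(0x8A, STARTTLS_OID)))
    print("request :", build_starttls_request().hex())
    print("response:", parse_extended_response(ok))
    # A ClientHello on 389 fails at the first byte, which is what s_client's error hides.
    print("tls on 389 looks like:", classify_first_bytes(b"\x16\x03\x01\x00\xc8\x01\x00"))
    try:
        parse_extended_response(b"\x16\x03\x01\x00\xc8\x01\x00")
    except ValueError as e:
        print("slapd would reject it:", e)
```

Everything except `starttls_connect` runs offline; point that function at a real host and CA file to reproduce what `ldapsearch -ZZ` does under the hood.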