
RE: SSL handshake failure
Thanks, Howard. Would you know how I can find a suitable package that uses openssl?

I also tried moving the CA certificate chain file to the /etc/openldap/cacerts/ folder, splitting the file into 3 separate certificates, and running c_rehash to generate the hashed links. After modifying ldap.conf to use the cacerts folder instead of the ca file:

TLS: file cso_root_ca.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: loaded CA certificate file /etc/openldap/cacerts/5de054ac.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/241dd1a5.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/95df54c4.0 from CA certificate directory /etc/openldap/cacerts.
TLS: file cso_functional_ca.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file cso_issuing_ca.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -5938:Encountered end of file

So I guess I'm stuck until I compile from scratch using openssl, or find a package that doesn't use Mozilla NSS.

Thanks
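The hashed-directory step described above (splitting the chain file and running c_rehash so the loader finds `<subjecthash>.0` files), worked through as an added example that is not part of this thread: a POSIX shell script that splits a PEM chain into one file per certificate, creates the `<subject_hash>.N` links a CA directory loader reads, lists the entries such a loader would skip, and verifies a server certificate against the directory. It assumes the openssl CLI is on PATH; all file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
set -eu

# split_chain CHAIN.pem OUTDIR : write one cert-N.pem per certificate found
# in CHAIN.pem and print how many were written.
split_chain() {
    chain=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$chain"
    ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# hash_dir DIR : for every cert-N.pem create a <subject_hash>.N symlink,
# which is what c_rehash does (some c_rehash builds also add old-style
# -subject_hash_old links). Prints the number of hashed links present.
hash_dir() {
    dir=$1
    for pem in "$dir"/cert-*.pem; do
        h=$(openssl x509 -in "$pem" -noout -subject_hash)
        n=0
        # two CAs with the same subject hash get .0, .1, ... suffixes
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$h.$n"
    done
    ls "$dir" | grep -c '\.[0-9][0-9]*$'
}

# list_skipped DIR : entries whose name is not <8 hex>.<n>; a hashed-dir
# loader ignores these, which is the "does not end in [.0] ... skipping"
# message seen in the log above.
list_skipped() {
    ls "$1" | grep -v '^[0-9a-f]\{8\}\.[0-9][0-9]*$' || true
}

# verify_against_dir DIR CERT : succeed only if CERT chains to a CA in DIR
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

If a CA in the directory is only found when named as a plain `.pem`, `list_skipped` shows it and `verify_against_dir` fails, which is exactly the symptom the log above reports for the unhashed files.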

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: February 23, 2012 1:04 PM
To: Bryce Powell
Cc: openldap-technical@openldap.org
Subject: Re: SSL handshake failure

Bryce Powell wrote:
> Hi,
> I can't get slapd to respond successfully to TLS or SSL connections using an
> RSA 2048-bit PEM certificate:

You're using Mozilla NSS, so the fact that OpenSSL tools accept your cert 
doesn't help you.

While a lot of good work has gone into the Mozilla NSS support, I would still 
say the MozNSS design is braindead and is not well suited for anything besides 
the Netscape/Mozilla browser codebase and should be avoided. Rebuild OpenLDAP 
using OpenSSL and I suspect these problems will disappear.

> $ ldapsearch -x -ZZ -d1 -H ldap://FQDNhostname
> TLS: loaded CA certificate file /etc/openldap/cacerts/FQDNhostname.cacert.pem.
> TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
> TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
> TLS: can't connect: TLS error -5938:Encountered end of file.
> ldap_err2string
> ldap_start_tls: Connect error (-11)
> additional info: TLS error -5938:Encountered end of file
> $ openssl s_client -connect FQDNhostname:636 -CAfile
> /etc/openldap/cacerts/FQDNhostname.cacert.pem
> CONNECTED(00000003)
> 140457427965768:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:184:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 113 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> The following packages are installed on CentOS 6.2:
> openldap-servers-2.4.23-20.el6.x86_64
> openldap-2.4.23-20.el6.x86_64
> openldap-clients-2.4.23-20.el6.x86_64
> openssl-1.0.0-20.el6_2.1.x86_64
> openssl-devel-1.0.0-20.el6_2.1.x86_64
> gnutls-2.8.5-4.el6.x86_64
> gnutls-devel-2.8.5-4.el6.x86_64
> nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
> The /etc/openldap/ldap.conf file contains:
> TLS_CACERT /etc/openldap/cacerts/FQDNhostname.cacert.pem
> , which contains a chain of three certificates (root CA,
> intermediate/functional, and issuing).
> The /etc/openldap/slapd.conf file contains:
> TLSCipherSuite HIGH:+SSLv3
> TLSCertificateFile /etc/openldap/FQDNhostname.cert.pem
> TLSCertificateKeyFile /etc/openldap/FQDNhostname.key.pem
> The server is acting as a proxy to an Active Directory, and therefore I only
> have one LDAP database defined. My intention is to use LDAPS for communication
> between the client and LDAP proxy servers:
> database ldap
> suffix "dc=abc,dc=local"
> rebind-as-user
> uri "ldap://IPaddress1/ ldap://IPaddress2/ ldap://IPaddress3/ ldap://IPaddress4/";
> chase-referrals yes
> noundeffilter yes
> use-temporary-conn yes
> The certificate and private key are located in /etc/openldap/, with the
> following permissions :
> -r--r-----. 1 ldap ldap 2076 Feb 21 15:30 FQDNhostname.cert.pem
> -r--r-----. 1 ldap ldap 1675 Feb 21 15:35 FQDNhostname.sdi.key.pem
> The CN of the certificate matches the FQDN host name of the LDAP server.
> The private key is not password protected.
> Everything checks out OK by testing the certificate using openssl:
> $ openssl verify -purpose sslserver -CAfile
> /etc/openldap/cacerts/FQDNhostname.cacert.pem /etc/openldap/FQDNhostname.cert.pem
> /etc/openldap/FQDNhostname.cert.pem: OK
> OpenSSL client/server connections work fine too:
> openssl s_server -cert /etc/openldap/FQDNhostname.cert.pem -key
> /etc/openldap/FQDNhostname.key.pem -cipher 'HIGH:+SSLv3'
> openssl s_client -connect FQDNhostname:4433 -CAfile
> /etc/openldap/cacerts/FQDNhostname.cacert.pem
> *Bryce Powell*


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/