Re: OpenLDAP client and SSL handshake
On Wed, 2012-03-21 at 10:27 -0600, Rich Megginson wrote:
> On 03/21/2012 10:09 AM, Jon Dufresne wrote:
> > Now that it is pointed out, this seems incorrect. Should this be changed
> > to mode 644?
> Yes.
Thanks!
With that fixed I am now closer to connecting. As originally thought the
SSL handshake is failing.
Doing the same ldapsearch I now receive the following output:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BASE_DN" -W
ldap_url_parse_ext(ldaps://HOST:636)
ldap_create
ldap_url_parse_ext(ldaps://HOST:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP HOST:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying HOST_IP:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/openldap/cacerts/addtrust-ca.crt.
tls_write: want=70, written=70
0000: 16 03 01 00 41 01 00 00 3d 03 01 4f 6a 16 7c 2b ....A...=..Oj.|+
0010: 10 6a 06 5b f3 d0 05 28 48 34 82 53 f8 3a 88 7b .j.[...(H4.S.:.{
0020: 42 0e 39 d0 7c 2f cb 32 91 33 2b 00 00 16 00 ff B.9.|/.2.3+.....
0030: 00 35 00 04 00 05 00 2f 00 0a 00 09 00 64 00 62 .5...../.....d.b
0040: 00 03 00 06 01 00 ......
tls_read: want=5, got=5
0000: 15 03 00 00 02 .....
tls_read: want=2, got=2
0000: 02 0a ..
TLS: error: connect - force handshake failure: errno 21 - moznss error -12229
TLS: can't connect: TLS error -12229:SSL peer was not expecting a handshake message it received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
As noted before, I can reproduce the handshake failure with OpenSSL's
s_client.
$ openssl s_client -connect HOST:636
...
Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1
...
Success
My first thought was to pass along the no TLS option to OpenLDAP. Is
this possible? Or should I be taking a different approach?
Thanks,
Jon
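The hex dumps in the trace above already say what went wrong, once decoded. The following decoder is an added example and is not part of Jon's post or of OpenLDAP: it rebuilds the bytes from the tls_write/tls_read dump lines quoted in the message and parses the TLS record headers, the ClientHello's version and cipher-suite list, and the server's Alert, using the standard code points from RFC 5246. It assumes the dump layout shown in the post (offset, hex pairs, ASCII column); the dump strings embedded below are copied from the message.

```python
"""Decode the TLS records captured by `ldapsearch -d7` (added example).

Reads the tls_write/tls_read hex dumps quoted in the post, reassembles the
bytes and decodes the ClientHello and the server's Alert so the handshake
failure can be read directly instead of guessed at.
"""
import re

# Dump lines copied from the post: the tls_write block is the ClientHello,
# the two tls_read blocks together form the server's reply.
CLIENT_HELLO_DUMP = """\
0000: 16 03 01 00 41 01 00 00 3d 03 01 4f 6a 16 7c 2b ....A...=..Oj.|+
0010: 10 6a 06 5b f3 d0 05 28 48 34 82 53 f8 3a 88 7b .j.[...(H4.S.:.{
0020: 42 0e 39 d0 7c 2f cb 32 91 33 2b 00 00 16 00 ff B.9.|/.2.3+.....
0030: 00 35 00 04 00 05 00 2f 00 0a 00 09 00 64 00 62 .5...../.....d.b
0040: 00 03 00 06 01 00 ......
"""
SERVER_REPLY_DUMP = """\
0000: 15 03 00 00 02 .....
0000: 02 0a ..
"""

# Code points from RFC 5246 (record content types, versions, alerts).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 70: "protocol_version"}

# "OFFSET:" followed by up to 16 hex pairs; the ASCII column is left unparsed.
# Assumes the 16-bytes-per-line layout seen in the trace.
HEX_LINE = re.compile(r"^[0-9a-fA-F]{4}:((?: [0-9a-fA-F]{2}){1,16})")


def dump_to_bytes(dump: str) -> bytes:
    """Reassemble the raw bytes from one or more dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_client_hello(hs: bytes) -> dict:
    """Decode the ClientHello fields that matter for a version mismatch."""
    hs_len = int.from_bytes(hs[1:4], "big")          # 3-byte handshake length
    ch = hs[4:4 + hs_len]
    client_version = VERSIONS.get((ch[0], ch[1]), f"{ch[0]}.{ch[1]}")
    pos = 2 + 32                                     # client_version + random
    sid_len = ch[pos]
    pos += 1 + sid_len                               # session_id
    cs_len = int.from_bytes(ch[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(ch[pos + i:pos + i + 2], "big") for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = ch[pos]
    pos += 1 + comp_len                              # compression_methods
    return {"handshake_type": "client_hello", "client_version": client_version,
            "cipher_suites": [f"0x{s:04x}" for s in suites],
            "extensions": len(ch) > pos}             # anything left is extensions


def parse_record(data: bytes) -> dict:
    """Parse one TLS record header (RFC 5246 6.2.1) and the body it carries."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, vmaj, vmin = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError(f"record body truncated: want {length}, got {len(body)}")
    rec = {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "record_version": VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}"),
           "length": length}
    if ctype == 21 and length == 2:                  # Alert: level, description
        rec["alert_level"] = ALERT_LEVELS.get(body[0], str(body[0]))
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
    elif ctype == 22 and body and body[0] == 1:      # Handshake: ClientHello
        rec.update(parse_client_hello(body))
    return rec


def decode_trace() -> dict:
    """Decode both sides of the exchange quoted in the post."""
    return {"client": parse_record(dump_to_bytes(CLIENT_HELLO_DUMP)),
            "server": parse_record(dump_to_bytes(SERVER_REPLY_DUMP))}


if __name__ == "__main__":
    for side, rec in decode_trace().items():
        print(side, rec)
```

Run on the bytes from the post, the client side decodes as a TLS 1.0 record carrying a TLS 1.0 ClientHello with eleven cipher suites and no extensions, and the server side as an Alert record stamped with version 3.0 (SSLv3) carrying a fatal unexpected_message. A peer that answers a TLS 1.0 ClientHello with an SSLv3 alert, and that s_client can reach only with -no_tls1, is behaving like a server that negotiates SSLv3 only; the decoded alert is the evidence to bring to whoever runs that server, since the durable fix is enabling TLS there rather than lowering the client's protocol floor.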