
Re: OpenLDAP client and SSL handshake



On 03/21/2012 01:06 PM, Jon Dufresne wrote:
On Wed, 2012-03-21 at 10:27 -0600, Rich Megginson wrote:
On 03/21/2012 10:09 AM, Jon Dufresne wrote:
Now that it is pointed out, this seems incorrect. Should this be changed
to mode 644?
Yes.
Thanks!

With that fixed I am now closer to connecting. As originally thought the
SSL handshake is failing.

Doing the same ldapsearch I now receive the following output:

$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BASE_DN" -W
ldap_url_parse_ext(ldaps://HOST:636)
ldap_create
ldap_url_parse_ext(ldaps://HOST:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP HOST:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying HOST_IP:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/openldap/cacerts/addtrust-ca.crt.
tls_write: want=70, written=70
   0000:  16 03 01 00 41 01 00 00  3d 03 01 4f 6a 16 7c 2b   ....A...=..Oj.|+
   0010:  10 6a 06 5b f3 d0 05 28  48 34 82 53 f8 3a 88 7b   .j.[...(H4.S.:.{
   0020:  42 0e 39 d0 7c 2f cb 32  91 33 2b 00 00 16 00 ff   B.9.|/.2.3+.....
   0030:  00 35 00 04 00 05 00 2f  00 0a 00 09 00 64 00 62   .5...../.....d.b
   0040:  00 03 00 06 01 00                                  ......
tls_read: want=5, got=5
   0000:  15 03 00 00 02                                     .....
tls_read: want=2, got=2
   0000:  02 0a                                              ..
TLS: error: connect - force handshake failure: errno 21 - moznss error -12229
TLS: can't connect: TLS error -12229:SSL peer was not expecting a handshake message it received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


As noted before, I can reproduce the handshake failure with OpenSSL's
s_client.

$ openssl s_client -connect HOST:636
...
Failure

While adding the -no_tls1 flag will:

$ openssl s_client -connect HOST:636 -no_tls1
...
Success

My first thought was to pass along the no TLS option to OpenLDAP. Is
this possible? Or should I be taking a different approach?
Although it is not in the ldap.conf man page, it is in the ldap_set_config man page - the option is TLS_PROTOCOL_MIN

Try this:
LDAPTLS_PROTOCOL_MIN=769 ldapsearch -d7 -x -H ldaps://HOST:636 -D "BASE_DN" -W

Thanks,
Jon
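The hex dumps in the ldapsearch output above can be read directly: the record written is a TLSv1.0 ClientHello, and the two reads together are a fatal alert, unexpected_message (code 10), carried in an SSLv3-versioned record, which is what NSS reports as -12229. The following is an added example, not code from the thread or from OpenLDAP, that parses those dumps with only the Python standard library and also derives the 769 value used with TLS_PROTOCOL_MIN (major*256+minor) from the version bytes; the sample dump is the one quoted in the thread.

```python
import re
# Constructed sample: the ldapsearch -d7 dump quoted in the thread, hex columns included.
SAMPLE_DUMP = """\
tls_write: want=70, written=70
   0000:  16 03 01 00 41 01 00 00  3d 03 01 4f 6a 16 7c 2b   ....A...=..Oj.|+
   0010:  10 6a 06 5b f3 d0 05 28  48 34 82 53 f8 3a 88 7b   .j.[...(H4.S.:.{
   0020:  42 0e 39 d0 7c 2f cb 32  91 33 2b 00 00 16 00 ff   B.9.|/.2.3+.....
   0030:  00 35 00 04 00 05 00 2f  00 0a 00 09 00 64 00 62   .5...../.....d.b
   0040:  00 03 00 06 01 00                                  ......
tls_read: want=5, got=5
   0000:  15 03 00 00 02                                     .....
tls_read: want=2, got=2
   0000:  02 0a                                              ..
"""

CONTENT_TYPES, HANDSHAKE_TYPES = {0x15: "alert", 0x16: "handshake"}, {1: "client_hello", 2: "server_hello"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure", 70: "protocol_version"}
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HEX_LINE = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2} {1,2})+)", re.I)  # hex columns only, not the ASCII gutter

def extract_streams(dump):
    """Gather the bytes under each tls_write/tls_read header into a write stream and a read stream."""
    streams, current = {"write": bytearray(), "read": bytearray()}, None
    for line in dump.splitlines():
        if line.startswith("tls_write:"):
            current = "write"
        elif line.startswith("tls_read:"):
            current = "read"
        elif current and (m := HEX_LINE.match(line)):
            streams[current] += bytes.fromhex(m.group(1))
    return {k: bytes(v) for k, v in streams.items()}

def decode_records(data):
    """Walk a stream as TLS records: 1-byte content type, 2-byte version, 2-byte length, body."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, ver = data[pos], (data[pos + 1], data[pos + 2])
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + length]
        rec = {"type": CONTENT_TYPES.get(ctype, hex(ctype)), "version": VERSION_NAMES.get(ver, str(ver))}
        if ctype == 0x15 and len(body) >= 2:  # alert body: level (2 = fatal), description code
            rec["alert"] = ("fatal" if body[0] == 2 else "warning", ALERT_DESCRIPTIONS.get(body[1], str(body[1])))
        elif ctype == 0x16 and len(body) >= 6:  # handshake body: type, 3-byte length, then hello version
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], str(body[0]))
            rec["hello_version"] = VERSION_NAMES.get((body[4], body[5]), str((body[4], body[5])))
        records.append(rec)
        pos += 5 + length
    return records

def protocol_min_value(name):
    """TLS_PROTOCOL_MIN takes major*256+minor, so TLSv1.0 (3.1) is the 769 in the suggested command."""
    major, minor = next(k for k, v in VERSION_NAMES.items() if v == name)
    return major * 256 + minor
```

Running `decode_records` over the two streams from `extract_streams(SAMPLE_DUMP)` shows the client offering TLSv1.0 and the server answering with an SSLv3 fatal alert, which matches the s_client result that only succeeds with -no_tls1.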