We are facing an issue in one of our OpenLDAP environments: while enabling secure queries via ldaps://, our integration environment keeps returning the following error to our ldapsearch command:
SSL3_READ_BYTES:sslv3 alert bad record mac
while the same command pointing to our production environment connects correctly and returns matching entries.
Both run under the following versions:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
OpenLDAP: slapd 2.4.23
OpenSSL 1.0.0-fips
Each one has its own certificate, signed by the same CA.
In our integration environment, we have configured the following lines in our /etc/openldap/slapd.d/cn\=config.ldif :
olcTLSCACertificateFile: /etc/openldap/certs/root_CA.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapint.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/openldapint.key
And in the same file, production environment:
olcTLSCACertificateFile: /etc/openldap/certs/root_CA.pem
olcTLSCertificateFile: /etc/openldap/certs/openldapPRO.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/openldap.key
And we can reproduce this problem by doing the following:
# openssl s_client -connect localhost:636 -showcerts -CApath /etc/openldap/certs/root_CA.pem
CONNECTED(00000003)
depth=1 L = (...), OU = (...), CN = (...)
verify error:num=19:self signed certificate in certificate chain
verify return:0
139866277001032:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1193:SSL alert number 20
139866277001032:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Any ideas on what's wrong, and how to configure our secure LDAPS:// for OpenLDAP?
Thanks!
---
Oriol Rosa
Security Technical Consultant
SIA Spain, S.A.
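One check worth running before pointing slapd at the three files named by olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile is to confirm that they are consistent with each other: the server certificate must chain to the CA file and the private key must belong to that certificate. The script below is an added example (not from the poster or the OpenLDAP project); it builds throwaway CA and server material in a temporary directory and then runs the check on it. It uses `openssl verify -CAfile`, which is the option that takes a single PEM file (`-CApath` expects a directory of hashed certificates); the file and subject names are constructed placeholders.

```shell
#!/bin/sh
# Added example: sanity-check the CA / certificate / key triple that
# slapd is configured with. Assumes the openssl CLI is on PATH.
set -eu

# Returns 0 when CERT chains to CA and KEY matches CERT's public key,
# 1 (with a short reason on stdout) otherwise.
check_tls_material() {
  ca="$1"; cert="$2"; key="$3"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; return 1
  fi
  # Compare the public key embedded in the cert with the one derived
  # from the private key; a mismatch means the wrong key file is configured.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert"; return 1
  fi
  echo "OK: $cert chains to $ca and matches $key"
}

# Constructed demo material (throwaway, in a temp dir), not real files:
# a self-signed root CA, one server cert signed by it, and an unrelated key.
make_demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -out "$d/root_CA.pem" -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/ldap.key" \
    -out "$d/ldap.csr" -subj "/CN=ldap.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/ldap.csr" -CA "$d/root_CA.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/ldap.pem" -days 2 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
  echo "$d"
}

# Stand-alone usage: good triple passes, wrong key is reported.
if [ "${1:-}" = "demo" ]; then
  D=$(make_demo)
  check_tls_material "$D/root_CA.pem" "$D/ldap.pem" "$D/ldap.key"
  check_tls_material "$D/root_CA.pem" "$D/ldap.pem" "$D/other.key" || true
fi
```

Run it against the real paths from cn=config (`check_tls_material /etc/openldap/certs/root_CA.pem /etc/openldap/certs/openldapint.pem /etc/openldap/certs/openldapint.key`) on the host that fails the handshake and on the one that works.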