Thanks for the suggestions everyone, I’ve corrected an issue with the generation of the self-signed CA , I was using the wrong ‘cert’ For OpenSSL this gets put into: /etc/pki/CA/cacert.pem I have used the “Common Name” in the cert-generation as:
server.my-domain.com I have it in /etc/hosts as: 127.0.0.1 server.my-domain.com I am using ‘localhost’ first in this investigation-stage, and will be used for our unit-tests The port 636 does not appear to be firewalled I get a little farther now with these changes, 8 bytes are sent/received: see below
TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. ----------------------------------------------------ldap server /usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h ldaps://server.my-domain.com:636 -d -1 . . 5e0f6aa1 daemon: activity on: 5e0f6aa1 daemon: epoll: listen=7 active_threads=0 tvp=NULL 5e0f6b65 daemon: activity on 1 descriptor 5e0f6b65 daemon: activity on: 5e0f6b65 slap_listener_activate(7): 5e0f6b65 daemon: epoll: listen=7 busy 5e0f6b65 >>> slap_listener(ldaps://server.my-domain.com:636) 5e0f6b65 daemon: accept() = 11 5e0f6b65 daemon: listen=7, new connection on 11 5e0f6b65 daemon: added 11r (active) listener=(nil) 5e0f6b65 conn=1001 fd=11 ACCEPT from IP=127.0.0.1:51880 (IP=127.0.0.1:636) 5e0f6b65 daemon: activity on 1 descriptor 5e0f6b65 daemon: activity on: 5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL 5e0f6b65 daemon: activity on 1 descriptor 5e0f6b65 daemon: activity on: 11r 5e0f6b65 daemon: read active on 11 5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL 5e0f6b65 connection_get(11) 5e0f6b65 connection_get(11): got connid=1001 5e0f6b65 connection_read(11): checking for input on id=1001 TLS trace: SSL_accept:before/accept initialization tls_read: want=11, got=11 0000: 16 03 01 01 1c 01 00 01 18 03 03 ...........
tls_read: want=278, got=278 0000: c7 eb 10 c3 5a af 18 e7 9b 3b ad 08 e6 cc b2 7d ....Z....;.....}
0010: ee a7 7d 0f c4 fe 01 49 8a 5b d3 94 c5 25 08 1d ..}....I.[...%..
0020: 00 00 ac c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 ....0.,.(.$.....
0030: a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 ........k.j.i.h.
0040: 39 00 38 00 37 00 36 00 88 00 87 00 86 00 85 c0 9.8.7.6.........
0050: 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 2...*.&.......=.
0060: 35 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00 5.../.+.'.#.....
0070: a4 00 a2 00 a0 00 9e 00 67 00 40 00 3f 00 3e 00 ........g.@.?.>.
0080: 33 00 32 00 31 00 30 00 9a 00 99 00 98 00 97 00 3.2.1.0.........
0090: 45 00 44 00 43 00 42 c0 31 c0 2d c0 29 c0 25 c0 E.D.C.B.1.-.).%.
00a0: 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 12 c0 ......<./...A...
00b0: 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00 0a 00 ................
00c0: 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 ................
00d0: 00 00 43 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 ..C.............
00e0: 08 00 17 00 19 00 18 00 16 00 23 00 00 00 0d 00 ..........#.....
00f0: 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 ...............
0100: 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 ................
0110: 03 00 0f 00 01 01 ......
tls_write: want=7, written=7 0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure TLS trace: SSL_accept:error in error TLS trace: SSL_accept:error in error TLS: can't accept: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher. 5e0f6b65 connection_read(11): TLS accept failure error=-1 id=1001, closing 5e0f6b65 connection_closing: readying conn=1001 sd=11 for close 5e0f6b65 connection_close: conn=1001 sd=11 5e0f6b65 daemon: removing 11 5e0f6b65 conn=1001 fd=11 closed (TLS negotiation failure) 5e0f6b65 daemon: activity on 1 descriptor 5e0f6b65 daemon: activity on: 5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL ^C5e0f6e38 daemon: shutdown requested and initiated. 5e0f6e38 daemon: removing 7r 5e0f6e38 daemon: closing 7 5e0f6e38 slapd shutdown: waiting for 0 operations/tasks to finish 5e0f6e38 slapd shutdown: initiated 5e0f6e38 slapd destroy: freeing system resources. 5e0f6e38 slapd stopped. ---------------------------------------------------- client [root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -H ldaps://server.my-domain.com:636 -d -1 ldap_url_parse_ext(ldaps://server.my-domain.com:636) ldap_create ldap_url_parse_ext(ldaps://server.my-domain.com:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP server.my-domain.com:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS trace: SSL_connect:before/connect initialization tls_write: want=289, written=289 0000: 16 03 01 01 1c 01 00 01 18 03 03 8b 5c ad c3 76 ............\..v
0010: a2 eb 75 4f df e3 f3 7b 5c 55 73 5e 2c 43 62 de ..uO...{\Us^,Cb.
0020: 98 5f 5d b8 3b c0 82 32 46 86 cd 00 00 ac c0 30 ._].;..2F......0
0030: c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040: 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050: 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a .6.........2...*
0060: c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070: c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080: 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090: 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 .0.........E.D.C
00a0: 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0: 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 .<./...A........
00c0: 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 ................
00d0: c0 0c c0 02 00 05 00 04 00 ff 01 00 00 43 00 0b .............C..
00e0: 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 ................
00f0: 00 18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 .....#..... ....
0100: 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 ................
0110: 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 ................
0120: 01 .
TLS trace: SSL_connect:SSLv2/v3 write client hello A tls_read: want=7, got=7 0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:error in SSLv2/v3 read server hello A TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) From: openldap-technical <openldap-technical-bounces@openldap.org>
On Behalf Of Christopher Paul I On 1/2/20 8:36 AM, Dunne, Kenneth wrote:
[...]
Hey Ken, is port 636 open on the host-based firewall if it's running? any other firewalls blocking 636? CP |