
TLS No Go, but SSL OK



Hi,

I'm having a little crazy mystery here. I don't understand why SSL works but TLS doesn't. Please help.

Slapd.conf........
TLSVerifyClient never
TLSCACertificateFile /usr/local/etc/openldap/mail.cert
TLSCertificateFile /usr/local/etc/openldap/mail.cert
TLSCertificateKeyFile /usr/local/etc/openldap/mail.cert

Ldap.conf........
ssl start_tls [tried with and without this; no effect.]
TLS_REQCERT never

Sooo, can anyone explain to me why tls handshake fails but ssl handshake is successful?
I'm using Openldap 2.1.22.


636 WORKS!
# /usr/local/ssl/bin/openssl s_client -connect mail.localsurface.com:636 -showcerts -state -CAfile mail.cert
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
i:/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
---
Server certificate
subject=/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
issuer=/C=US/ST=LA/L=Metairie/O=localsurface/OU=mail/CN=mail.localsurface.com/emailAddress=webmaster@localsurface.com
---
No client certificate CA names sent
---
SSL handshake has read 1113 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 23A5DD1F7CA979E9C5A6F01268F82FB9FB9F1A24D58B03CF31D8B472BD784AAE
Session-ID-ctx:
Master-Key: AB7D4C5396C4BCFA99541EC66F814B8FB5EE189C738C5F6A973AAE25AA616EA2945CBFC10993673360BEE9A09CD99EF5
Key-Arg : None
Start Time: 1068693499
Timeout : 300 (sec)
Verify return code: 0 (ok)


389 TLS DOESN'T WORK!!!
# /usr/local/ssl/bin/openssl s_client -connect mail.localsurface.com:389 -showcerts -state -CAfile mail.cert
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
26011:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


I'm going a little crazy here.

Thanks,
Craig
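Added example, not part of Craig's post: on port 389 an LDAP client first sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14) in cleartext and only then begins the TLS handshake on the same socket, whereas `openssl s_client` as run above sends a TLS ClientHello immediately, which a plain LDAP listener cannot parse; port 636 is TLS from the first byte, so that test succeeds. The code below encodes the request, parses the response (including a refusal), and performs the upgrade; the sample response bytes are constructed, not captured from the server in the post.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14

def tlv(tag, body):
    """BER tag-length-value; short-form length only (all values here are < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))        # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)

def parse_tlv(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form lengths not handled in this example"
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_extended_response(buf):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = parse_tlv(buf)
    assert tag == 0x30, "not an LDAPMessage"
    tag, mid, pos = parse_tlv(body)
    assert tag == 0x02
    tag, op, _ = parse_tlv(body, pos)
    assert tag == 0x78, "not an ExtendedResponse (APPLICATION 24)"
    _, code, pos = parse_tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = parse_tlv(op, pos)  # matchedDN, unused here
    _, diag, pos = parse_tlv(op, pos)      # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def starttls(host, port=389, cafile=None):
    """Send StartTLS in cleartext on the LDAP port, then upgrade the same socket to TLS."""
    s = socket.create_connection((host, port))
    s.sendall(starttls_request())
    _, code, diag = parse_extended_response(s.recv(4096))
    if code != 0:                      # e.g. 1 operationsError, 52 unavailable
        s.close()
        raise RuntimeError(f"server refused StartTLS: resultCode={code} {diag!r}")
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the chain against cafile
    return ctx.wrap_socket(s, server_hostname=host)   # TLS handshake starts only now

# Constructed sample responses (not captured from the server in the post)
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")           # resultCode 0 success
SAMPLE_ERR = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78,
             tlv(0x0a, b"\x01") + tlv(0x04, b"") + tlv(0x04, b"TLS already started")))
```

Calling `starttls("mail.localsurface.com", cafile="mail.cert")` performs the same exchange that the client-side `ssl start_tls` setting triggers; OpenSSL 1.1.1 and later can do it from the command line with `openssl s_client -starttls ldap`.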