
Re: Probleme : LDAP + SSL/TLS



I suggest you first get OpenSSL to work by itself (e.g.,
s_client -> s_server), using OpenSSL resources for
help as needed.  Once you have that, it should be rather
straightforward to get it working in OpenLDAP
(assuming your certificates are proper... s_client does
not perform a number of checks).

Kurt


At 08:20 AM 4/23/2004, SECRET Defense wrote:
>Hello !
>
>I try to use SSL/TLS with LDAP... but it doesn't work (since.. 3 weeks.. O_o)
>
>So, You are my last chance ...
>These are the versions, commands and errors I make and receive.
>
>Does someone have an idea?
>I made and remade my certificate again and again, read and followed a lot of docs... but I always have the same errors.
>Please help me...
>
>Big Thanks in advance
>Gabrielle
>
>PS:  Sorry for my English. I'm French.
>
>
>
>
>1) Versions
>-------------
>openldap        : openldap 2.1.23
>openssl         : openssl 0.9.7d
>
>
>2) Flags for compilation
>--------------------------
>
>$>export CPPFLAGS="-I/usr/local/BerkeleyDB4.1/include -I/usr/local/openssl/include" LDFLAGS="-L/usr/local/BerkeleyDB4.1/lib -L/usr/local/openssl/lib"
>$>./configure --with-tls --with-cyrus-sasl
>
>
>3) Compilation time
>--------------------
>
>checking for openssl/ssl.h ... yes
>checking for ssl.h ... yes
>checking for SSLeay_add_ssl_algorithms in -lssl... no
>checking for SSL_library_init in -lssl... yes
>
>
>4) My docs
>-----------
>
>I followed the OpenLDAP TLS/SSL howto,
>this one: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
>and a lot of others ...
>
>
>5) Tests with openssl
>----------------------
>
>$>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem
>
>SSL_connect:before/connect initialization
>SSL_connect:SSLv2/v3 write client hello A
>SSL3 alert read:fatal:handshake failure
>SSL_connect:error in SSLv2/v3 read server hello A
>459:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
>
>
>
>
>$>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem -ssl2
>
>SSL_connect:error in SSLv2 read server hello B
>462:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
>462:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:935:
>462:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509
>462:error:1407E00B:SSL routines:SSL2_SET_CERTIFICATE:X509 lib:s2_clnt.c:1049:
>
>
>
>
>$>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem -ssl3
>
>SSL_connect:SSLv3 write client hello A
>SSL3 alert read:fatal:handshake failure
>SSL_connect:failed in SSLv3 read server hello A
>463:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
>463:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
>
>
>6) Debug output of the server after each command
>------------------------------------------------
>
>($>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem -ssl2)
>
>TLS trace: SSL_accept:failed in SSLv2 read client master key A
>TLS: can't accept.
>TLS: error:1406B0C9:SSL routines:GET_CLIENT_MASTER_KEY:peer error certificate s2_pkt.c:675
>connection_read(13): TLS accept error error=-1 id=0, closing
>
>
>
>($>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem -ssl3)
>
>TLS trace: SSL3 alert write:fatal:handshake failure
>TLS trace: SSL_accept:error in SSLv3 read client hello C
>TLS trace: SSL_accept:error in SSLv3 read client hello C
>TLS: can't accept.
>TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:887
>connection_read(13): TLS accept error error=-1 id=1, closing
>
>
>($>openssl s_client -connect 10.0.70.47:636 -showcerts -state -CAfile /etc/openldap/cacert.pem)
>
>TLS trace: SSL3 alert write:fatal:handshake failure
>TLS trace: SSL_accept:error in SSLv3 read client hello B
>TLS trace: SSL_accept:error in SSLv3 read client hello B
>TLS: can't accept.
>TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:887
>connection_read(13): TLS accept error error=-1 id=3, closing
>connection_closing: readying conn=3 sd=13 for close