
Re: Strange error during TLS handshake



Since you seem to be noting a problem on the server, it would make the most sense to actually supply the debug trace from the server. You might also provide the versions of OpenSSL and OpenLDAP that are in use.

Fabian Steiner wrote:
Today 17:09:11
Hello!


For some time now we have been using OpenLDAP to provide a stable network-wide authentication service. Of course, we also enabled TLS support so that every connection is encrypted. However, we encounter some problems which are definitely related to SSL, as they also occur when we test our setup using "openssl s_client" and "openssl s_server".
Most of the time TLS/SSL works perfectly, but it may happen that we get the following error when we restart slapd:


$ ldapsearch -x -ZZ -d1
[...] TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=uranos.lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[...]


If this is the case, we can't get it to work anymore, and the whole server has to be switched off to make it work again. What might cause this problem? The OS is Ubuntu Linux 6.06.1 Dapper Server Edition.

Looking forward to your answer!

Thanks,
Fabian

P.S. We are using self-signed certificates of our own CA.




--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
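An added illustration of why the client-side trace above is not enough on its own (this is the editor's example, not code from either poster or from OpenLDAP): the script below parses the `ldapsearch -d1` output quoted in the thread and decodes the OpenSSL error code in the "additional info" line. The sample trace is the one quoted above, reduced to its TLS lines; the alert names and the error-code layout (8-bit library, 12-bit function, 12-bit reason, alerts mapped to reason 1000+N) are OpenSSL 1.x conventions, not something the thread states.

```python
"""Summarise a client-side OpenLDAP TLS trace and decode the OpenSSL error code."""
import re

# Constructed sample: the client trace quoted in the post, reduced to the TLS lines.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=uranos.lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
"""

# Subset of TLS alert descriptions (RFC 5246 section 7.2), assumed mapping.
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
               43: "unsupported_certificate", 48: "unknown_ca", 49: "access_denied"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reports TLS alert N as reason code 1000 + N


def decode_openssl_error(code):
    """Split an OpenSSL 1.x error code into library, function and reason fields."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if reason >= SSL_AD_REASON_OFFSET:  # reason encodes an alert received from the peer
        n = reason - SSL_AD_REASON_OFFSET
        alert = (n, ALERT_NAMES.get(n, "unknown"))
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def analyse_trace(text):
    """Extract chain verification results, handshake steps, the alert and the error code."""
    chain, steps, alert, err_code = [], [], None, None
    for line in text.splitlines():
        m = re.search(r"certificate verification: depth: (\d+), err: (\d+), subject: (.*?), issuer: (.*)$", line)
        if m:
            chain.append((int(m.group(1)), int(m.group(2)), m.group(3)))
            continue
        m = re.search(r"SSL3 alert (read|write):(\w+):(.+)$", line)
        if m:
            alert = {"direction": m.group(1), "level": m.group(2), "description": m.group(3)}
            continue
        m = re.search(r"SSL_connect:(.+)$", line)
        if m:
            steps.append(m.group(1))
            continue
        m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
        if m:
            err_code = int(m.group(1), 16)
    ok_steps = [s for s in steps if not s.startswith("failed in ")]
    failed = [s[len("failed in "):] for s in steps if s.startswith("failed in ")]
    return {
        "chain_verified": bool(chain) and all(err == 0 for _, err, _ in chain),
        "chain": chain,
        "client_cert_requested": any("read server certificate request" in s for s in steps),
        # This state is reached even when the client has no certificate to offer,
        # so it only shows that a Certificate message was written, not that it was non-empty.
        "client_cert_message_written": any("write client certificate" in s for s in steps),
        "last_ok_step": ok_steps[-1] if ok_steps else None,
        "failed_step": failed[-1] if failed else None,
        "alert": alert,
        # An alert the client *read* was sent by the peer: the server decided to abort.
        "alert_sent_by": None if alert is None else ("server" if alert["direction"] == "read" else "client"),
        "error": decode_openssl_error(err_code) if err_code is not None else None,
    }


if __name__ == "__main__":
    summary = analyse_trace(SAMPLE_TRACE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the quoted trace, the summary says: both certificates in the chain verified on the client (err 0 at depth 1 and 0), the server asked for a client certificate, the client got as far as flushing its Finished, and the fatal handshake_failure alert (alert 40, reason 0x410) was read from the server. The client's log therefore records only that the server aborted, not why, which is exactly why the server-side trace (and the OpenSSL/OpenLDAP versions) are what is needed to go further.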