Re: TLS very strange behaviour

[Rich Megginson <rich.megginson@gmail.com>]

On 10/11/2011 02:38 AM, Olivier Guillard wrote:
> Thanks Rich, see below :
>
> > -12272 is SSL_ERROR_BAD_MAC_ALERT and -12273 is SSL_ERROR_BAD_MAC_READ
> > I've seen this when the client and server do not have the same SSL
> > certificate signature algorithm support.  Is everything running on RHEL6
> > and/or Fedora 14 and later?
> [root@ldap2 ~]# cat /etc/issue
> Red Hat Enterprise Linux Server release 6.1 (Santiago)
> Kernel \r on an \m
>
> [root@ldap2 ~]#  rpm -qa | grep -i openldap
> openldap-2.4.23-15.el6_1.3.x86_64
> openldap-servers-2.4.23-15.el6_1.3.x86_64
> openldap-debuginfo-2.4.23-15.el6_1.1.x86_64
> openldap-clients-2.4.23-15.el6_1.3.x86_64
>
> [root@ldap1 ~]# cat /etc/issue
> Red Hat Enterprise Linux Server release 6.1 (Santiago)
> Kernel \r on an \m
>
> [root@ldap1 ~]# rpm -qa | grep -i openldap
> openldap-debuginfo-2.4.23-15.el6_1.1.x86_64
> openldap-clients-2.4.23-15.el6_1.3.x86_64
> openldap-2.4.23-15.el6_1.3.x86_64
> openldap-servers-2.4.23-15.el6_1.3.x86_64
>
> [root@ldap2 cacerts]#  rpm -qa | grep openssl
> openssl-1.0.0-10.el6_1.4.x86_64
>
> [root@ldap1 ldap1]# rpm -qa | grep openssl
> openssl-1.0.0-10.el6_1.4.x86_64
>
> Not sure if that made a difference but I "yum-updated"
> on last friday and openldap servers version passed :
>
> from
>       openldap-servers-2.4.23-15.el6_1.1.x86_64
> to
>       openldap-servers-2.4.23-15.el6_1.3.x86_64
Was it working before you yum updated?
> ---
> Olivier
>
> On Mon, Oct 10, 2011 at 9:54 PM, Rich Megginson
> <rich.megginson@gmail.com>  wrote:
>
> > > here is what I get :
> > >
> > > ldap1 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync
> > > ...
> > > TLS: error: accept - force handshake failure: errno 11 - moznss error
> > > -12273
> > > TLS: can't accept: TLS error -12273:Unknown code ___P 15.
> > > TLS: error: connect - force handshake failure: errno 0 - moznss error
> > > -12272
> > > TLS: can't connect: TLS error -12272:Unknown code ___P 16.
> > > slap_client_connect: URI=ldap://ldap2.example.fr Warning,
> > > ldap_start_tls failed (-11)
> > > slap_client_connect: URI=ldap://ldap2.example.fr
> > > ldap_sasl_interactive_bind_s failed (-6)
> > > do_syncrepl: rid=121 rc -6 retrying
> > >
> > > ldap2 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync
> > > ...
> > > TLS: error: connect - force handshake failure: errno 0 - moznss error
> > > -12272
> > > TLS: can't connect: TLS error -12272:Unknown code ___P 16.
> > > slap_client_connect: URI=ldap://ldap1.eaxample.fr:389 Warning,
> > > ldap_start_tls failed (-11)
> > > slap_client_connect: URI=ldap://ldap1.example.fr:389
> > > ldap_sasl_interactive_bind_s failed (-6)
> > > do_syncrepl: rid=211 rc -6 retrying
> > > TLS: error: accept - force handshake failure: errno 11 - moznss error
> > > -12273
> > > TLS: can't accept: TLS error -12273:Unknown code ___P 15.
> > >
> > > Any idea ?