
Re: SSL handshake failure



Bryce Powell wrote:
Hi,
I can’t get slapd to respond successfully to TLS or SSL connections using an
RSA 2048-bit PEM certificate:

You're using Mozilla NSS, so the fact that OpenSSL tools accept your cert doesn't help you.

While a lot of good work has gone into the Mozilla NSS support, I would still say the MozNSS design is braindead and is not well suited for anything besides the Netscape/Mozilla browser codebase and should be avoided. Rebuild OpenLDAP using OpenSSL and I suspect these problems will disappear.

$ ldapsearch -x -ZZ -d1 -H ldap://FQDNhostname
TLS: loaded CA certificate file /etc/openldap/cacerts/FQDNhostname.cacert.pem.
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -5938:Encountered end of file
$ openssl s_client -connect FQDNhostname:636 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem
CONNECTED(00000003)
140457427965768:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
The following packages are installed on CentOS 6.2:
openldap-servers-2.4.23-20.el6.x86_64
openldap-2.4.23-20.el6.x86_64
openldap-clients-2.4.23-20.el6.x86_64
openssl-1.0.0-20.el6_2.1.x86_64
openssl-devel-1.0.0-20.el6_2.1.x86_64
gnutls-2.8.5-4.el6.x86_64
gnutls-devel-2.8.5-4.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
The /etc/openldap/ldap.conf file contains:
TLS_CACERT /etc/openldap/cacerts/FQDNhostname.cacert.pem
which contains a chain of three certificates (root CA, intermediate/functional, and issuing).
The /etc/openldap/slapd.conf file contains:
TLSCipherSuite HIGH:+SSLv3
TLSCertificateFile /etc/openldap/FQDNhostname.cert.pem
TLSCertificateKeyFile /etc/openldap/FQDNhostname.key.pem
The server is acting as a proxy to an Active Directory, and therefore I only
have one LDAP database defined. My intention is to use LDAPS for communication
between the client and LDAP proxy servers:
database ldap
suffix "dc=abc,dc=local"
rebind-as-user
uri "ldap://IPaddress1/ ldap://IPaddress2/ ldap://IPaddress3/ ldap://IPaddress4/";
chase-referrals yes
noundeffilter yes
use-temporary-conn yes
The certificate and private key are located in /etc/openldap/, with the following permissions:
-r--r-----. 1 ldap ldap 2076 Feb 21 15:30 FQDNhostname.cert.pem
-r--r-----. 1 ldap ldap 1675 Feb 21 15:35 FQDNhostname.sdi.key.pem
The CN of the certificate matches the FQDN host name of the LDAP server.
The private key is not password protected.
Everything checks out OK by testing the certificate using openssl:
$ openssl verify -purpose sslserver -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem /etc/openldap/FQDNhostname.cert.pem
/etc/openldap/FQDNhostname.cert.pem: OK
OpenSSL client/server connections work fine too:
openssl s_server -cert /etc/openldap/FQDNhostname.cert.pem -key /etc/openldap/FQDNhostname.key.pem -cipher 'HIGH:+SSLv3'
openssl s_client -connect FQDNhostname:4433 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem
*Bryce Powell*


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
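The thread shows the gap between "openssl verify says OK" and "slapd can open and use these files": the client trace above fails with errno 21 (Is a directory) before any certificate is even examined. The following is an added example, not code from this thread or from the OpenLDAP project. It is a small stdlib-only checker that reads the TLS file directives from a slapd.conf or ldap.conf fragment and reports, per directive, whether the path is missing, is a directory where a file is expected, is unreadable, lacks the PEM block that directive needs, or (for the key) is world-readable. The demo config, file names and PEM contents are constructed placeholders (headers only, not real certificates) built in a temporary directory.

```python
"""Static sanity checks for TLS file directives in slapd.conf / ldap.conf.

Added example for this thread (not OpenLDAP code). It checks what
`openssl verify` cannot: whether every path slapd will open exists, is a
regular file rather than a directory, is readable, and carries the PEM
block the directive expects. Directive names are the real OpenLDAP ones.
"""
import os
import re
import stat
import tempfile

# Directives naming a single PEM file, and the PEM block type each must hold.
FILE_DIRECTIVES = {
    "TLSCACertificateFile": "CERTIFICATE",   # slapd.conf
    "TLS_CACERT": "CERTIFICATE",             # ldap.conf
    "TLSCertificateFile": "CERTIFICATE",
    "TLSCertificateKeyFile": "PRIVATE KEY",
}
# Directives naming a directory of hashed CA certificates.
DIR_DIRECTIVES = {"TLSCACertificatePath", "TLS_CACERTDIR"}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def parse_tls_directives(text):
    """Return {directive: value} for TLS path directives; '#' lines are comments."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and (parts[0] in FILE_DIRECTIVES or parts[0] in DIR_DIRECTIVES):
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def check_tls_config(text):
    """Return a sorted list of (directive, problem); an empty list means all checks passed."""
    findings = []
    for directive, path in parse_tls_directives(text).items():
        if not os.path.exists(path):
            findings.append((directive, "missing"))
            continue
        if directive in DIR_DIRECTIVES:
            if not os.path.isdir(path):
                findings.append((directive, "not a directory"))
            continue
        if os.path.isdir(path):
            # This is the errno 21 (EISDIR) case: a file directive pointing at a directory.
            findings.append((directive, "is a directory"))
            continue
        if not os.access(path, os.R_OK):
            findings.append((directive, "unreadable"))
            continue
        with open(path, "r", errors="replace") as fh:
            kinds = PEM_BLOCK.findall(fh.read())
        expected = FILE_DIRECTIVES[directive]
        # "RSA PRIVATE KEY" and "PRIVATE KEY" both satisfy the key directive.
        if not any(expected in k for k in kinds):
            findings.append((directive, "no %s block" % expected))
        if expected == "PRIVATE KEY" and stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
            findings.append((directive, "world-readable"))
    return sorted(findings)


def demo():
    """Constructed config reproducing two common slips: a directory where a file is
    expected, and a key directive whose file name does not match the file on disk."""
    pem = "-----BEGIN %s-----\nAAAA\n-----END %s-----\n"  # placeholder, not a real PEM body
    with tempfile.TemporaryDirectory() as d:
        ca = os.path.join(d, "cacert.pem")
        cert = os.path.join(d, "server.cert.pem")
        key_on_disk = os.path.join(d, "server.sdi.key.pem")   # what actually exists
        key_in_conf = os.path.join(d, "server.key.pem")       # what the config names
        with open(ca, "w") as fh:
            fh.write(pem % ("CERTIFICATE", "CERTIFICATE") * 3)  # three-cert chain
        with open(cert, "w") as fh:
            fh.write(pem % ("CERTIFICATE", "CERTIFICATE"))
        with open(key_on_disk, "w") as fh:
            fh.write(pem % ("RSA PRIVATE KEY", "RSA PRIVATE KEY"))
        os.chmod(key_on_disk, 0o440)
        conf = (
            "# constructed slapd.conf fragment\n"
            "TLSCipherSuite HIGH:+SSLv3\n"
            "TLSCACertificateFile %s\n"      # directory, not the cacert.pem inside it
            "TLSCertificateFile %s\n"
            "TLSCertificateKeyFile %s\n"
        ) % (d, cert, key_in_conf)
        return check_tls_config(conf)


if __name__ == "__main__":
    for directive, problem in demo():
        print("%s: %s" % (directive, problem))
```

Run it against a real slapd.conf by passing the file's contents to `check_tls_config`; run it as the service account (here, `ldap`) so the readability check reflects what slapd itself sees. It deliberately does not replace `openssl verify`: chain validity and the cert/key pairing are still checked with the OpenSSL commands quoted above, and with a MozNSS build the server also needs the CA chain importable by NSS, which no file-level check can confirm.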