OpenLDAP
Viewing Incoming/7395

Date: Thu, 20 Sep 2012 10:29:04 +0000
From: bjfanzh@cn.ibm.com
To: openldap-its@OpenLDAP.org
Subject: SECURITY: ssl problem 
Full_Name: zhang fan 
Version: 2.3.43
OS: RHEL5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (202.108.130.138)


Hi,
  I am now configuring OpenLDAP with SSL support, but one problem came
up, and now I am asking for your help. Thank you very much.
  My LDAP server worked well before setting up SSL.
  The SSL-related options in slapd.conf are:
 TLSCipherSuite ALL
 TLSCACertificateFile /etc/pki/tls/certs/slapd.pem
 TLSCertificateFile /etc/pki/tls/certs/slapd.pem
 TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
 TLSVerifyClient never
 
 and I use openssl to test the connection:
[root@zosmf07 ~]# openssl s_client -connect zosmf07.cn.ibm.com:636 -showcerts -state -CAfile /etc/pki/tls/certs/slapd.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
7587:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

The server debug log looks like this:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1009

But when I use openssl s_server to listen on port 636, the SSL
handshake succeeds:
[root@zosmf07 ~]# openssl s_server -accept 636 -cert /etc/pki/tls/certs/slapd.pem -key /etc/pki/tls/certs/slapd.pem -state
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQgwtPmka9K2vuA3Eg6Vu8ZBGOIGiq2RVQBAR7/U//dIf4E
MDXZOmotMZFmCsIV+5448cYBMN5zTGe6FJeVHxdu9KuEe0BYnZ69LW/GbLmNyemk
4KEGAgRQWUytogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported

Thank you very much for your help. This problem has bothered me for two weeks. I
tried many methods but can't deal with it. Thank you.



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org