
(ITS#3828) SSL Connection closed immediately after "ClientHello"



Full_Name: Robert Heinzmann
Version: slapd 2.2.6 (SUSE openldap2-2.2.6-37.38)
OS: SuSE Linux Enterprise Server 9
URL: 
Submission from: (NULL) (212.202.119.51)


Hello, 

I think we found a bug in OpenSSL TLS / SSL handling.

We have set up a replicated openLDAP environment with 3 servers. All three
servers are configured in /etc/ldap.conf as servers for nss_ldap. LDAP with SSL
was running very well in our replicated openLDAP environment. Then we performed
some tests (shutting down some of the ldap servers). As long as not all three
servers were down, everything was working fine (id LDAPUSER returned info).
After shutting down all three servers and starting them again, we are not able
to communicate with SSL anymore. 

On the Servers LDAP is running: 
12825 ?        Ss     0:00 /usr/lib/openldap/slapd -h ldap:/// ldaps:/// -u ldap
-g ldap

slapd.conf on Server:
# moduleload    back_perl.la
TLSCACertificateFile    /etc/ssl/certs/CA_Chain.pem
TLSCertificateFile      /volume/ldap/cert/ldapmaster.cert.pem
TLSCertificateKeyFile   /volume/ldap/cert/ldapmaster.key.pem
# Sample security restrictions

If we run "openssl s_client" to the server, the connection is closed right after
sending ClientHello and we get a handshake failure.

srvlxr203:/ # openssl s_client -connect ldapmaster.domain.com:636 -showcerts
-CAfile /etc/ssl/certs/CA_Chain.pem -msg -state -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> SSL 3.0 Handshake [length 005f], ClientHello
    01 00 00 5b 03 00 42 c5 50 ca a0 27 37 24 d6 f7
    a3 73 db f6 33 be 41 ee 17 a2 9c ff ea a2 93 8b
    d2 b2 00 00 00 00 00 00 34 00 39 00 38 00 35 00
    16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00
    04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00
    64 00 60 00 14 00 11 00 08 00 06 00 03 01 00
SSL_connect:SSLv3 write client hello A
<<< SSL 3.0 Alert [length 0002], fatal handshake_failure
    02 28
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
11765:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1052:SSL alert number 40
11765:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:529:


If we check the server certificates everything is ok:

ldap@ldapmaster:/volume/ldap/cert> cat ldapmaster.cert.pem | openssl verify
-CAfile /etc/ssl/certs/CA_Chain.pem
stdin: OK

If I test the connection with openssl s_server/client everything is ok too:

ldapmaster:~ # openssl s_server -cert /volume/ldap/cert/ldapmaster.cert.pem 
-key /volume/ldap/cert/ldapmaster.key.pem -state -msg -accept 11111
Using default temp DH parameters
ACCEPT

client:~# openssl s_client -connect ldapmaster.hs-merseburg.de:11111 -CAfile
/etc/ssl/certs/CA_Chain.pem -debug -ssl3
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: A3A619C73460D2EB0C77A5E072ADA8BEA1A9DAF2E9AE86EAC9E6E6B6003E249C
    Session-ID-ctx:
    Master-Key: 082300C282F06603172A28F9B059646FDA55749C6A76367DDD72D0489FD2BFBCFAAD3669F720A3D91AA1BA1F9B7212C9
    Key-Arg   : None
    Start Time: 1120228232
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
HELLO
write to 005778C0 [005816B0] (74 bytes => 74 (0x4A))
0000 - 17 03 00 00 20 9a 02 f7-b6 7f 00 c3 ef 83 07 cf   .... ...........
0010 - f7 8f 75 aa a1 b4 fa 31-6a ec e0 05 bb 3a 87 d8   ..u....1j....:..
0020 - cd 4e 7c 1e 9b 17 03 00-00 20 0c 49 f3 91 cf fb   .N|...... .I....
0030 - 9d c1 4c 4a 22 8e 8c a4-fa 3b 56 5c 79 40 0c 5e   ..LJ"....;V\y@.^
0040 - 48 7f ca fb 5a 1e 37 56-fe 37                     H...Z.7V.7


and on the server side:

SSL_accept:SSLv3 write change cipher spec A
>>> SSL 3.0 Handshake [length 0028], Finished
    14 00 00 24 9d d5 7b b1 09 88 05 78 b5 81 fb 4d
    26 ef 52 5e 05 bd 9f b2 23 a1 49 db 4c 2d 7c 89
    ac df bf 61 ef fd 47 ce
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMABAIAOQQgo6YZxzRg0usMd6Xgcq2ovqGp2vLprobqyebmtgA+JJwE
MAgjAMKC8GYDFyoo+bBZZG/aVXScanY2fd1y0Eif0r+8+q02afcgo9kaobofm3IS
yaEGAgRCxVOJogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
HELLO


So this seems to be a problem with OpenSSL SSL handling.
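As an added example (not code from the report, from OpenLDAP or from OpenSSL), the following Python decodes the handshake bytes that `openssl s_client -msg` printed in the failing trace above. The ClientHello hex and the alert body `02 28` are transcribed from the trace; the cipher-suite names are the OpenSSL names for those suite ids, which match the server's "Shared ciphers" line from the working s_server test. The decoding logic and the diagnosis text are this example's own.

```python
"""Decode the SSL 3.0 handshake bytes that `openssl s_client -msg` prints, so a
failed handshake can be read without counting hex by hand.

Added example for this ITS report, not code from OpenLDAP or OpenSSL. The two
hex strings below are transcribed from the trace in the report; the decoding
and the diagnosis wording are this example's own.
"""
from datetime import datetime, timezone

# Transcribed from the report: the ClientHello handshake message (type byte,
# 3-byte length, body) and the alert body the server answered with.
CLIENT_HELLO_MSG_HEX = """
01 00 00 5b 03 00 42 c5 50 ca a0 27 37 24 d6 f7
a3 73 db f6 33 be 41 ee 17 a2 9c ff ea a2 93 8b
d2 b2 00 00 00 00 00 00 34 00 39 00 38 00 35 00
16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00
04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00
64 00 60 00 14 00 11 00 08 00 06 00 03 01 00
"""
ALERT_HEX = "02 28"

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# OpenSSL names for the cipher suite ids offered in this trace. The server's
# "Shared ciphers" line in the report lists the same 26 suites in this order.
CIPHER_NAMES = {
    0x0039: "DHE-RSA-AES256-SHA", 0x0038: "DHE-DSS-AES256-SHA",
    0x0035: "AES256-SHA", 0x0016: "EDH-RSA-DES-CBC3-SHA",
    0x0013: "EDH-DSS-DES-CBC3-SHA", 0x000A: "DES-CBC3-SHA",
    0x0033: "DHE-RSA-AES128-SHA", 0x0032: "DHE-DSS-AES128-SHA",
    0x002F: "AES128-SHA", 0x0066: "DHE-DSS-RC4-SHA",
    0x0005: "RC4-SHA", 0x0004: "RC4-MD5",
    0x0063: "EXP1024-DHE-DSS-DES-CBC-SHA", 0x0062: "EXP1024-DES-CBC-SHA",
    0x0061: "EXP1024-RC2-CBC-MD5", 0x0015: "EDH-RSA-DES-CBC-SHA",
    0x0012: "EDH-DSS-DES-CBC-SHA", 0x0009: "DES-CBC-SHA",
    0x0065: "EXP1024-DHE-DSS-RC4-SHA", 0x0064: "EXP1024-RC4-SHA",
    0x0060: "EXP1024-RC4-MD5", 0x0014: "EXP-EDH-RSA-DES-CBC-SHA",
    0x0011: "EXP-EDH-DSS-DES-CBC-SHA", 0x0008: "EXP-DES-CBC-SHA",
    0x0006: "EXP-RC2-CBC-MD5", 0x0003: "EXP-RC4-MD5",
}

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter",
}


def msg_hex_to_bytes(dump: str) -> bytes:
    """Turn the indented hex lines printed by `openssl -msg` into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_client_hello(msg: bytes) -> dict:
    """Parse a ClientHello handshake message: type(1) len(3) version(2)
    random(32) session_id<0..32> cipher_suites<2..2^16-1> compression<1..255>.
    Every length field is bounds-checked; a malformed message raises ValueError
    instead of being read past its end."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type != 1:
        raise ValueError(f"not a ClientHello (handshake type {msg_type})")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError(f"declared length {length}, only {len(body)} bytes present")
    if length < 2 + 32 + 1 + 2 + 1:
        raise ValueError("body too short for a ClientHello")
    major, minor = body[0], body[1]
    rnd = body[2:34]
    pos = 34
    sid_len = body[pos]
    pos += 1
    if sid_len > 32 or pos + sid_len + 2 > length:
        raise ValueError("bad session id length")
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len + 1 > length:
        raise ValueError("bad cipher suite list length")
    suite_ids = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1
    if comp_len == 0 or pos + comp_len > length:
        raise ValueError("bad compression method list length")
    compression = list(body[pos:pos + comp_len])
    pos += comp_len
    gmt = int.from_bytes(rnd[:4], "big")  # first 4 random bytes carry the client clock
    return {
        "version": VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}"),
        "gmt_unix_time": gmt,
        "client_time_utc": datetime.fromtimestamp(gmt, tz=timezone.utc).isoformat(),
        "session_id": session_id.hex(),
        "cipher_suites": [(s, CIPHER_NAMES.get(s, f"unknown_0x{s:04x}")) for s in suite_ids],
        "compression_methods": compression,
        "has_extensions": pos < length,  # only TLS ClientHellos carry extensions
    }


def parse_alert(alert: bytes) -> tuple:
    """Decode a two-byte alert body into (level, description) names."""
    if len(alert) != 2:
        raise ValueError("an alert body is exactly two bytes")
    return (ALERT_LEVELS.get(alert[0], f"level_{alert[0]}"),
            ALERT_DESCRIPTIONS.get(alert[1], f"alert_{alert[1]}"))


def diagnose(hello: dict, alert: tuple) -> str:
    """State what an alert straight after ClientHello does and does not tell you."""
    level, desc = alert
    if (level, desc) != ("fatal", "handshake_failure"):
        return f"server answered ClientHello with {level} {desc}"
    return (f"server sent fatal handshake_failure instead of a ServerHello after the "
            f"client offered {len(hello['cipher_suites'])} suites; negotiation broke "
            f"before any certificate was sent, so the client's -CAfile check was never "
            f"reached and the server's own TLS cipher/credential setup is where to look")


if __name__ == "__main__":
    hello = parse_client_hello(msg_hex_to_bytes(CLIENT_HELLO_MSG_HEX))
    alert = parse_alert(msg_hex_to_bytes(ALERT_HEX))
    print(hello["version"], "ClientHello at", hello["client_time_utc"])
    for suite_id, name in hello["cipher_suites"]:
        print(f"  0x{suite_id:04x} {name}")
    print("alert:", *alert)
    print(diagnose(hello, alert))
```

Run it as-is, or paste the hex of another `-msg` trace into the two constants. Reading the decoded trace makes the failure concrete: the client offered 26 suites (including the export ones OpenSSL of that era still enabled) and the server answered with a fatal alert rather than a ServerHello, so the handshake failed on the server side before any certificate was exchanged; the `openssl verify` and s_server/s_client results later in the report exercise the certificate and the CA chain, which this handshake never reached.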