
Interesting TLS problem.



Good Day all,
I have an interesting TLS problem, and I am not sure why this is happening.

Openldap version 2.0.10, openssl 0.9.6a, Linux 2.2.19.

Starting slapd as root (without -u ldap -g ldap), everything works fine:
connections are over TLS, no complaints, and yes, with the proper indexes
and over 8k users it's still fast.

Normal startup uses the -u ldap -g ldap flags to run slapd as a non-root
user.  The problem is, when these flags are used I receive the error:
	TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:772

on the server end (/usr/sbin/slapd -d 7 -h "ldap:/// ldaps:///" -u ldap -g ldap).

Client end I see:
ldap_start_tls: Success
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Enter LDAP Password:
ldap_bind: Can't contact LDAP server
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


So, it's a permissions problem, right?

No, /etc/openldap and /var/lib/ldap (and the contents of both) are owned,
completely, by user ldap and group ldap.  The required files are readable
(strace -f produces no permission errors either when run as the ldap
user), and /var/run (for .pid and .args) is mode 1777, so the ldap user
can write there...

TLSCipherSuite might be my only problem; it's set to contain all the ciphers
openssl will do (I thought that might be it, but it hasn't solved it)...  Of
course, that would result in no difference when run as root or as ldap...

Any ideas here would be helpful, for now we have to run it as root to get it
to work.

Thanks in advance,
James Bourne


-- 
James Bourne, Supervisor Data Centre Operations
Mount Royal College, Calgary, AB, CA
www.mtroyal.ab.ca
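The error pair in the post is worth seeing in isolation. The following is an added example, not code from the thread or from OpenLDAP: a plain Python TLS server that has no certificate or key loaded at all, and an ordinary client with the default cipher list. The server reports "no shared cipher" and the client receives the handshake-failure alert, even though the two cipher lists overlap, because OpenSSL reports a server that cannot authenticate with any cipher the client offered under that same reason code. The block also includes a mode-bit readability check that answers for an arbitrary uid/gid rather than for the user running the check, which is what `ls`, `os.access()` or an strace taken as root would do. Assumptions: loopback networking on 127.0.0.1 is available, TLS 1.2 is pinned on the server so the failure surfaces at cipher selection (under TLS 1.3 OpenSSL reports the same missing certificate as a signature-algorithm error instead), and the uid/gid values in the `__main__` block are made up for illustration.

```python
"""Added example (not from the OpenLDAP thread): reproduce the pair
"no shared cipher" (server) / "sslv3 alert handshake failure" (client)
with a TLS server that has no certificate loaded.  Standard library only."""
import socket
import ssl
import stat
import threading

HOST = "127.0.0.1"  # assumption: loopback is available


def _serve_once(listener, result):
    """Accept one connection with a server context that has NO cert/key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Pin TLS 1.2: there a missing certificate is reported during cipher
    # selection, exactly as in the post.  Under TLS 1.3 OpenSSL reports the
    # same condition as a signature-algorithm error instead.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True):
            result["server"] = "handshake succeeded"
    except ssl.SSLError as exc:
        result["server"] = exc.reason or str(exc)


def reproduce_no_shared_cipher():
    """Run one handshake; return {'server': reason, 'client': reason}."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=_serve_once, args=(listener, result))
    worker.start()

    # Ordinary client with the default cipher list.  Certificate verification
    # is disabled so the only thing left to fail is the server's negotiation.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((HOST, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOST):
                result["client"] = "handshake succeeded"
    except ssl.SSLError as exc:
        result["client"] = exc.reason or str(exc)
    worker.join(timeout=5)
    listener.close()
    return result


def readable_as(mode, owner_uid, owner_gid, uid, gid, supplementary=()):
    """Can a process running as uid/gid read a file with these stat() fields?

    Computed from the mode bits rather than os.access(), because os.access(),
    `ls -l` read by eye, or an strace taken as root all answer for the user
    running the check, not for the service user the daemon switches to.
    """
    if uid == 0:
        return True
    if owner_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid == gid or owner_gid in supplementary:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    print(reproduce_no_shared_cipher())
    # Hypothetical: key file owned root:root mode 0600, daemon as uid/gid 55.
    print(readable_as(0o100600, 0, 0, 55, 55))
    # Same key, group-readable and owned by the daemon's group.
    print(readable_as(0o100640, 0, 55, 55, 55))
```

To apply `readable_as` to a real installation, feed it `os.stat(path)` fields (`st_mode`, `st_uid`, `st_gid`) for each file named by TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile, together with the uid, primary gid and supplementary gids of the account passed to `-u`/`-g`; the check is then independent of who runs it.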