TLS server side auth problem



I'm planning to use our replicated LDAP directory for
user authentication purposes soon.  Because of this I
want to ensure all slurpd's communication with the
slave LDAP servers are encrypted.

I'm having a problem with getting TLS communications
working.  I have followed the instructions at
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
but cannot get ldapsearch -ZZ to work without a client
certificate (which I don't want to use).

If I put the serverkey and servercert in the .ldaprc
file (I know this is for the client certs but as a
test..) then ldapsearch -ZZ -x -h <FQDN> works.  If I
take them out of .ldaprc it fails:

[root@test root]# ldapsearch -ZZ -x -H ldap://test.mydomain.com
ldap_start_tls: Connect error
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

slapd shows:

TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:772
connection_read(16): TLS accept error error=-1 id=8, closing

The openssl s_client test also fails:

[root@test root]# openssl s_client -connect 192.168.0.1:ldap -showcerts -state -CAfile /etc/openldap/cacert.pem

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
9521:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

Maybe because I'm connecting to the normal ldap port
(not sure if openssl is valid for the ldap port; maybe
only TLS with start_tls?)

If I repeat the openssl s_client test on ldaps:

[root@test root]# openssl s_client -connect 192.168.0.1:ldaps -showcerts -state -CAfile /etc/openldap/cacert.pem

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
9758:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:455:

Slightly different. Using the FQDN instead of IP makes
no difference.

If I put the certs in .ldaprc the openssl test works
with IP:ldaps but not IP:ldap (I assume this is
normal).

I'm using openldap 2.0.27 on RedHat 7.2 (using the
2.0.27-2.7.3 rpm).

I don't understand why specifying a client cert (the
same as the server's, as this is all the same box)
works.  There's no TLSVerifyClient in my slapd.conf or
anything.

Any help appreciated.

Pete
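A way to triage the two logs quoted in the post, as an added example that is not part of the original message or of OpenLDAP: it parses OpenSSL's `error:<code>:<library>:<function>:<reason>` records from both the client output and slapd's trace, and prefers slapd's reason over the client's alert, because the client only learns that the server gave up. The sample logs are the post's own lines with line wrapping undone; the hint texts are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL error records look like
#   error:<8-hex code>:<library>:<function>:<reason>[:<file>:<line>:]
# slapd 2.0 prints its own copy as "TLS: <record> <file>:<line>", hence the
# trailing "s3_srvr.c:772" separated by a space rather than a colon.
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:\n]+):(?P<func>[^:\n]+):(?P<reason>[^:\n]+)"
)

# Hints are this example's own reading of each OpenSSL reason (assumption).
HINTS = {
    "no shared cipher": (
        "slapd could not pick a cipher for the ClientHello; a common cause is that "
        "TLSCertificateFile/TLSCertificateKeyFile were not actually loaded, so no "
        "certificate-based suite is usable. Check paths, permissions and key/cert match."
    ),
    "sslv3 alert handshake failure": (
        "the peer aborted with a fatal handshake_failure alert; this side only sees "
        "the alert, so the real reason is in the peer's log."
    ),
}

@dataclass(frozen=True)
class TlsFailure:
    side: str     # "client" (ldapsearch, s_client) or "server" (slapd)
    code: str
    func: str
    reason: str

def parse_failures(log: str, side: str) -> List[TlsFailure]:
    """Extract every OpenSSL error record from one side's output."""
    out = []
    for m in OPENSSL_ERR.finditer(log):
        reason = re.sub(r"\s+\S+\.c$", "", m["reason"].strip())  # drop slapd's " file.c"
        out.append(TlsFailure(side, m["code"].upper(), m["func"], reason))
    return out

def hint_for(f: TlsFailure) -> str:
    return HINTS.get(f.reason, "no hint; decode the code with: openssl errstr " + f.code)

def root_cause(client_log: str, server_log: str) -> Optional[TlsFailure]:
    """A non-alert reason on the server side beats the client's view of the alert."""
    server = [f for f in parse_failures(server_log, "server") if "alert" not in f.reason]
    if server:
        return server[0]
    client = parse_failures(client_log, "client")
    return client[0] if client else None
```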
