
Can't make my ldap work with ssl...



Hello all,
Sorry for posting another SSL/TLS problem. I've tried and tried to solve this problem myself, but I can't find the solution...
 
I have OpenLDAP 2.1.26-1 on a Debian machine.
LDAP works fine in normal mode (port 389) but I can't make it work in ssl/tls mode.
I have created the certificates following the manual
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html (this one and others before),
entering my FQDN in "common name". I have created certs many times, always getting the same results. I have configured all the files, but I always get the same errors...
 
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/lib/ldap-data/cacert.pem
TLSCertificateFile /var/lib/ldap-data/servercrt.pem
TLSCertificateKeyFile /var/lib/ldap-data/serverkey.pem
TLSVerifyClient demand
#TLSVerifyClient never
 
ldap.conf:
URI  ldap://xxx.yyy.com ldaps://xxx.yyy.com
BASE dc=yyy,dc=com
TLS_CACERT      /var/lib/ldap-data/cacert.pem
TLS_REQCERT     demand
#TLS_REQCERT     never
 
.ldaprc in user's home directory
TLS_REQCERT demand
TLS_CERT        /home/users/certs/ldap.client.pem
TLS_KEY         /home/users/certs/ldap.client.key.pem
 
start slapd with:
/usr/sbin/slapd -d127 -h "ldap:/// ldaps:///"
 
but when I try
openssl s_client -connect xxx.yyy.com:636 -state -showcerts -CAfile /var/lib/ldap-data/cacert.pem
 
I get:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ES/ST=Madrid/L=Madrid/O=TresPassos/OU=Testing/CN=xxx.yyy.com/emailAddress=bartolo@localhost
verify return:1
depth=0 /C=ES/ST=Madrid/L=Madrid/O=Lambda/OU=Ventisca/CN=xxx.yyy.com/emailAddress=ldap@yyy.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:failed in SSLv3 read server key exchange A
11075:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
 

and slapd says:
 
  0360:  01 01 04 05 00 03 81 81  00 1d 10 ca ae f6 7a 44   ..............zD
  0370:  4e d1 ff e9 de 0c fb 4a  0a a2 0d c2 6f 55 ee 22   N......J....oU."
  0380:  df 00 91 c4 58 00 39 95  ad 61 93 5e 09 28 f3 98   ...X.9..a.^.(..
  0390:  f3 de c1 0a 49 3a 4c 5c  48 7c b4 4f a6 e4 a2 4e   ....I:L\H|.O...N
  03a0:  8c a0 69 33 87 f7 b3 b9  e4 39 0f d3 dd fd 28 bc   .i3.....9....(.
  03b0:  63 83 d7 3b 91 28 ff c5  cd d9 f8 cd a0 53 8c 18   c..;.(.......S..
  03c0:  5a c0 3d 27 76 57 08 6c  a5 39 fe bb 01 28 1f 8b   Z.='vW.l.9...(..
  03d0:  89 61 9e 44 dc c2 32 42  67 c9 3e 60 1d c9 a0 81   a.D..2Bg.>`....
  03e0:  df 64 83 ca 2d 50 cf 48  0f                        d..-P.H.
TLS: can't accept.
TLS: No temporary DH parameters were found. (null):0
connection_read(12): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=12 for close
connection_close: conn=1 sd=12
daemon: removing 12
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
 

And when I try ldapsearch:
ldapsearch -b "ou=people,dc=yyy,dc=com" -LLL -D "cn=admin,dc=yyy,dc=com" -H "ldaps://xxx.yyy.com/" -W -x
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (81)
        additional info: A TLS packet with unexpected length was received.
 

I can't find a solution for this error.
It would be great if someone could help me.
Thanks to all.
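An added diagnostic, not part of the post above and not OpenLDAP's or OpenSSL's own code, that reads the two traces quoted in the post (the `openssl s_client -state` output and the `TLS:` lines from `slapd -d127`) and reports at which handshake message the connection died. The point it draws out is already in the traces: both certificates were read and verified (`verify return:1` at depth 1 and depth 0), and the client then fails at "read server key exchange". In SSLv3/TLS 1.0 the server sends ServerKeyExchange only for key exchanges the certificate alone cannot complete (ephemeral DH, anonymous DH, export RSA), so a failure there, after the certificate went through, points at the server's key-exchange setup rather than at the certificate chain, which is what slapd says on its side. The two sample traces are constructed input copied from the post; the function names and the returned dictionary layout are my own, and the script makes no claim about which slapd setting fixes the problem, only about where to look.

```python
import re

# Constructed sample input, copied from the post: `openssl s_client -state` output.
S_CLIENT_TRACE = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ES/ST=Madrid/L=Madrid/O=TresPassos/OU=Testing/CN=xxx.yyy.com/emailAddress=bartolo@localhost
verify return:1
depth=0 /C=ES/ST=Madrid/L=Madrid/O=Lambda/OU=Ventisca/CN=xxx.yyy.com/emailAddress=ldap@yyy.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:failed in SSLv3 read server key exchange A
11075:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
"""

# Constructed sample input, copied from the post: the slapd -d127 lines after the hex dump.
SLAPD_TRACE = """\
TLS: can't accept.
TLS: No temporary DH parameters were found. (null):0
connection_read(12): TLS accept error error=-1 id=1, closing
"""

# One `-state` line per handshake message, e.g. "SSL_connect:SSLv3 read server hello A"
# or "SSL_connect:failed in SSLv3 read server key exchange A".
_STATE_RE = re.compile(
    r"^SSL_connect:(?P<failed>failed in )?(?:SSLv2/v3|SSLv3|TLSv1) "
    r"(?P<dir>read|write) (?P<msg>.+) [A-C]$"
)
# slapd prints its own TLS diagnostics as "TLS: <text>", sometimes with a
# trailing "(null):0" (file:line of an OpenSSL error that was never set).
_SLAPD_TLS_RE = re.compile(r"^TLS: (?P<msg>.+?)(?: \(null\):0)?$")

# In SSLv3/TLS 1.0 the server sends ServerKeyExchange only when the certificate
# alone cannot complete the key exchange: ephemeral DH, anonymous DH, export RSA.
SERVER_KEY_EXCHANGE = "read server key exchange"


def parse_s_client(trace):
    """Return completed steps, the failing step, and the chain-verification outcome."""
    completed, failed, verify_ok, verify_errors = [], None, 0, []
    for line in trace.splitlines():
        m = _STATE_RE.match(line)
        if m:
            step = f"{m.group('dir')} {m.group('msg')}"
            if m.group("failed"):
                failed = step
            else:
                completed.append(step)
        elif line.startswith("verify error:"):
            verify_errors.append(line)
        elif line.startswith("verify return:1"):
            verify_ok += 1
    return {
        "completed": completed,
        "failed": failed,
        "verify_errors": verify_errors,
        "chain_verified": verify_ok > 0 and not verify_errors,
    }


def parse_slapd(trace):
    """Collect the `TLS:` messages slapd logs around a failed accept, minus the (null):0 suffix."""
    return [m.group("msg") for m in map(_SLAPD_TLS_RE.match, trace.splitlines()) if m]


def diagnose(s_client_trace, slapd_trace):
    """Combine both sides' traces into one statement of where the handshake died."""
    client = parse_s_client(s_client_trace)
    server = parse_slapd(slapd_trace)
    if client["verify_errors"]:
        cause = "client rejected the certificate chain: " + client["verify_errors"][0]
    elif client["failed"] == SERVER_KEY_EXCHANGE:
        # The certificate was already read and verified, so the chain is not the
        # problem; the server gave up while producing ServerKeyExchange, which
        # exists only for DH/export key exchanges, so look at its DH setup.
        cause = ("server aborted at ServerKeyExchange: the negotiated cipher suite "
                 "needs ephemeral DH or export parameters the server could not supply")
        dh = [msg for msg in server if "DH" in msg]
        if dh:
            cause += " (slapd: " + dh[0] + ")"
    elif client["failed"]:
        cause = "handshake aborted at: " + client["failed"]
    else:
        cause = "no handshake failure recorded in the s_client trace"
    return {"client": client, "server_tls_messages": server, "cause": cause}


if __name__ == "__main__":
    print(diagnose(S_CLIENT_TRACE, SLAPD_TRACE)["cause"])
```

Run it as-is to see the verdict for the traces in the post, or feed it a fresh `openssl s_client -state` capture and the matching `slapd -d127` lines. A `verify error:` line would have been reported first, because a rejected chain is the other common reason a `TLSVerifyClient demand` / `TLS_REQCERT demand` setup fails; here there is none, which is why the verdict concentrates on the key exchange.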