
Re: TLS secure connection to an LDAP server



I suggest you carefully follow the indications of
<http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html>; in detail,
make sure you use the right cipher, and that you use client and server
certificate verification appropriately (e.g. if you ask the server to
verify the client's certificate, make sure the client has one, and if you
ask the client to verify the server's certificate, make sure the client
can see the server's CA's public key).

p.

> Hi there,
>
> I am trying to secure connections to my ldap server by
> using TLS.
> I created a certificate for my server. The certificate
> verification was OK (openssl verify -CAfile
> /path/to/ca.pem /path/to/my_ldap_srv_certificate).
> On my slapd.conf file I set TLSCACertificateFile,
> TLSCertificate and TLSCertificateKeyFile paths.
> I ran my server on the two default ports 389 (ldap)
> and 636 (ldaps) using this command: 'slapd -d127 -h
> "ldap:/// ldaps:///"'.
> Once checking the SSL connection (by running the
> command: 'openssl s_client -connect localhost:636
> -showcerts -state -CAfile /path/to/ca.pem'), I get the
> following output:
>
>   CONNECTED(00000003)
>   SSL_connect:before/connect initialization
>   SSL_connect:SSLv2/v3 write client hello A
>   SSL3 alert read:fatal:handshake failure
>   SSL_connect:error in SSLv2/v3 read server hello A
>   2338:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:470:
>
> My server's debug output shows:
>
>   TLS trace: SSL3 alert write:fatal:handshake failure
>   TLS trace: SSL_accept:error in SSLv3 read client
> hello B
>   TLS trace: SSL_accept:error in SSLv3 read client
> hello B
>   TLS: can't accept.
>   TLS: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> s3_srvr.c:882
>   connection_read(8): TLS accept error error=-1 id=0,
> closing
>   connection_closing: readying conn=0 sd=8 for close
>   connection_close: conn=0 sd=8
>   daemon: removing 8
>   daemon: select: listen=6 active_threads=0 tvp=NULL
>   daemon: select: listen=7 active_threads=0 tvp=NULL
>   daemon: activity on 1 descriptors
>   daemon: select: listen=6 active_threads=0 tvp=NULL
>   daemon: select: listen=7 active_threads=0 tvp=NULL
>
>
> I can't guess what could be the error. Do you please
> have any suggestion?
>
> I am using OpenSSH_3.5p1 with OpenLDAP 2.1.22 on a Red
> Hat box.
>
> Thank you in advance!
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
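The checks in the reply (a cipher both sides accept, a client certificate when the server demands one, the CA certificate on the client when it verifies the server) can be applied mechanically to the two configuration files before opening a single connection. The script below is an added example written for this page; it is not code from the thread or from the OpenLDAP project. It assumes the slapd.conf directives named in the thread plus the real `TLSCipherSuite`, `TLSVerifyClient` and `TLSCACertificatePath` directives, and on the client side the ldap.conf directives `TLS_CACERT`, `TLS_CACERTDIR`, `TLS_REQCERT`, `TLS_CERT`, `TLS_KEY` and `TLS_CIPHER_SUITE`. The cipher comparison is simplified to explicit cipher names separated by colons (real OpenSSL cipher strings such as `HIGH:!aNULL` would first have to be expanded with `openssl ciphers`), and all file paths and sample configurations are constructed.

```python
"""Cross-check a slapd.conf TLS section against a client ldap.conf.

Added example for the thread above, not OpenLDAP project code.  The
sample configurations and paths are constructed; the cipher comparison
treats TLSCipherSuite / TLS_CIPHER_SUITE as colon-separated explicit
cipher names (a simplification of OpenSSL cipher strings).
"""
import shlex


def parse_directives(text):
    """Parse 'Directive value ...' lines as slapd.conf and ldap.conf use them.

    A line starting with whitespace continues the previous line (slapd.conf
    rule); '#' lines are comments.  Returns {lowercased directive: [values]}.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    conf = {}
    for line in logical:
        parts = shlex.split(line)  # respects quoted values like "ldap:/// ldaps:///"
        conf[parts[0].lower()] = parts[1:]
    return conf


def cipher_set(conf, directive):
    """Explicit cipher names from a colon-separated spec, or None if unset
    (an unset directive means 'library default', which we do not restrict)."""
    if directive not in conf or not conf[directive]:
        return None
    return {c for c in conf[directive][0].split(":") if c}


def check_tls(server_conf, client_conf):
    """Return a list of findings; an empty list means the two sides agree."""
    srv = parse_directives(server_conf)
    cli = parse_directives(client_conf)
    findings = []

    # 1. The server needs a certificate and its private key, otherwise it has
    #    no identity to offer and the handshake fails on the server side.
    for d in ("tlscertificatefile", "tlscertificatekeyfile"):
        if d not in srv:
            findings.append(f"server: {d} is missing, slapd cannot present a certificate")

    # 2. Cipher overlap: an empty intersection is exactly OpenSSL's
    #    'no shared cipher' alert seen in the thread's slapd debug output.
    srv_c = cipher_set(srv, "tlsciphersuite")
    cli_c = cipher_set(cli, "tls_cipher_suite")
    if srv_c is not None and cli_c is not None and not (srv_c & cli_c):
        findings.append("no shared cipher: server offers %s, client offers %s"
                        % (sorted(srv_c), sorted(cli_c)))

    # 3. Client verifying the server (TLS_REQCERT defaults to demand) must be
    #    able to see the server's CA certificate.
    reqcert = cli.get("tls_reqcert", ["demand"])[0].lower()
    if reqcert in ("try", "demand", "hard") and not ("tls_cacert" in cli or "tls_cacertdir" in cli):
        findings.append(f"client: TLS_REQCERT={reqcert} but no TLS_CACERT/TLS_CACERTDIR, "
                        "the client cannot verify the server's CA")

    # 4. Server verifying the client needs a client certificate and key on
    #    the client side, and the CA to check it against on the server side.
    verify = srv.get("tlsverifyclient", ["never"])[0].lower()
    if verify in ("try", "demand"):
        if "tls_cert" not in cli or "tls_key" not in cli:
            findings.append(f"server: TLSVerifyClient={verify} but the client has no TLS_CERT/TLS_KEY")
        if not ("tlscacertificatefile" in srv or "tlscacertificatepath" in srv):
            findings.append("server: TLSVerifyClient set but no TLSCACertificateFile/Path to verify clients")
    return findings


# Constructed sample configurations (paths are placeholders, not real files).
SERVER_OK = """
# slapd.conf TLS fragment (constructed)
TLSCACertificateFile   /path/to/ca.pem
TLSCertificateFile     /path/to/my_ldap_srv_certificate
TLSCertificateKeyFile  /path/to/my_ldap_srv_key.pem
TLSCipherSuite         AES256-SHA:AES128-SHA
TLSVerifyClient        never
"""

SERVER_MISMATCH = """
TLSCACertificateFile   /path/to/ca.pem
TLSCertificateFile     /path/to/my_ldap_srv_certificate
TLSCertificateKeyFile  /path/to/my_ldap_srv_key.pem
TLSCipherSuite         DES-CBC3-SHA
TLSVerifyClient        demand
"""

CLIENT_OK = """
# ldap.conf fragment (constructed)
TLS_CACERT        /path/to/ca.pem
TLS_REQCERT       demand
TLS_CIPHER_SUITE  AES128-SHA
"""

if __name__ == "__main__":
    for name, srv in (("matching", SERVER_OK), ("mismatched", SERVER_MISMATCH)):
        print(name, "->", check_tls(srv, CLIENT_OK) or "no findings")
```

Run against the mismatched pair the script reports both problems the reply warns about: the server's only cipher is one the client does not offer, and the server demands a client certificate the client was never given. Fixing those two lines in the configuration, rather than reading the handshake trace, is the intended workflow.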