
SSL/TLS problem


I tried to configure SSL/TLS (no auth, just with OpenLDAP) using this
documentation [1] (without TLS/SSL everything works fine). I'm using
Debian GNU/Linux on x86, my slapd version is 2.2.23 and openssl 0.9.7e.

So I ran the following commands in order to generate all the openssl
files needed (section 4.2 of the previous document):

# /usr/lib/ssl/misc/CA.sh -newca
# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
# /usr/lib/ssl/misc/CA.sh -sign
# cp demoCA/cacert.pem /etc/ldap/cfg/ssl/cacert.pem
# mv newcert.pem /etc/ldap/cfg/ssl/servercrt.pem
# mv newreq.pem /etc/ldap/cfg/ssl/serverkey.pem
# chmod 400 /etc/ldap/cfg/ssl/serverkey.pem

I added these lines to /etc/ldap/slapd.conf:
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSVerifyClient         demand
TLSCACertificateFile    /etc/ldap/cfg/ssl/cacert.pem
TLSCertificateFile      /etc/ldap/cfg/ssl/servercrt.pem
TLSCertificateKeyFile   /etc/ldap/cfg/ssl/serverkey.pem

And these lines to /etc/ldap/ldap.conf :
TLS_CACERT      /etc/ldap/cfg/ssl/cacert.pem
TLS_REQCERT     demand

Then I ran:
# /etc/init.d/slapd restart
# ldapsearch -ZZ -x -w toto -D "cn=admin,dc=scrappy,dc=mystery-inc" \
  -b "ou=personnes,dc=scrappy,dc=mystery-inc" "(ObjectClass=*)"

(this ldapsearch command line worked fine before SSL/TLS)

I got these errors :
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL
        routines:SSL3_READ_BYTES:sslv3 alert handshake failure

I found nothing at all about this error on search engines; what could I
do in order to solve this embarrassing problem?

Thanks for your help,

[1] http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0
Arnaud Fontaine <arnaud@andesi.org> - http://www.andesi.org/ | GPG
Public Key available on pgp.mit.edu | Fingerprint: D792 B8A5 A567 B001
C342 2613 BDF2 A220 5E36 19D3
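A small lint for the server and client TLS directives quoted above, added here as an example and not part of the original post: TLSVerifyClient demand makes slapd require a client certificate, which an OpenLDAP client only sends when TLS_CERT/TLS_KEY are set (user-only options per ldap.conf(5), i.e. in ~/.ldaprc), and +SSLv2 adds SSLv2 ciphers to the suite. The config files it writes are constructed copies of the post's directives; the paths and the helper names are this example's own.

```sh
# Added example (not from the original post): lint slapd.conf plus the client
# files for the settings that make "ldapsearch -ZZ" fail its TLS handshake.
# conf_value FILE DIRECTIVE -> first value of DIRECTIVE, case-insensitive,
# skipping comments; prints nothing when the file is absent.
conf_value() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# check_tls_config SLAPD_CONF CLIENT_CONF...  prints one finding per line;
# returns 0 when the server and client settings are consistent, 1 otherwise.
check_tls_config() {
    slapd_conf=$1; shift; n=0
    verify=$(conf_value "$slapd_conf" TLSVerifyClient)
    case "$verify" in
        demand|hard|true)
            # slapd aborts the handshake unless the client presents a certificate.
            # TLS_CERT/TLS_KEY are user-only options (ldap.conf(5)), so pass the
            # user's ~/.ldaprc as one of the client files.
            have_cert=
            for f in "$@"; do if [ -n "$(conf_value "$f" TLS_CERT)" ]; then have_cert=1; fi; done
            if [ -z "$have_cert" ]; then
                echo "TLSVerifyClient $verify but no TLS_CERT on the client: handshake failure"
                n=$((n + 1))
            fi ;;
    esac
    ciphers=$(conf_value "$slapd_conf" TLSCipherSuite)
    case "$ciphers" in
        *'!SSLv2'*) ;;
        *SSLv2*) echo "TLSCipherSuite '$ciphers' enables SSLv2 ciphers: use !SSLv2"; n=$((n + 1)) ;;
    esac
    for f in "$@"; do
        case "$(conf_value "$f" TLS_REQCERT)" in demand|hard)
            [ -n "$(conf_value "$f" TLS_CACERT)" ] ||
                { echo "$f: TLS_REQCERT set without TLS_CACERT: client cannot verify the server"; n=$((n + 1)); } ;;
        esac
    done
    [ "$n" -eq 0 ]
}
# write_sample_configs DIR: constructed copies of the post's directives.
write_sample_configs() {
    mkdir -p "$1"
    printf 'TLSCipherSuite HIGH:MEDIUM:+SSLv2\nTLSVerifyClient demand\n' > "$1/slapd.conf"
    printf 'TLS_CACERT /etc/ldap/cfg/ssl/cacert.pem\nTLS_REQCERT demand\n' > "$1/ldap.conf"
}
# Demo run against the constructed sample (two findings expected).
sample=${TMPDIR:-/tmp}/tlslint.$$
write_sample_configs "$sample"
check_tls_config "$sample/slapd.conf" "$sample/ldap.conf" || echo "fix the findings above before retrying ldapsearch -ZZ"
rm -rf "$sample"
```

Run it as `sh tlslint.sh`; to lint a live host, call check_tls_config with /etc/ldap/slapd.conf, /etc/ldap/ldap.conf and the ~/.ldaprc of the user running ldapsearch.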