
Re: SSL/TLS again


The problem was in the reverse host lookup. My ldap.example.com was first an alias to another server, so the reverse host lookup was not pointing to the FQDN of the certificate. With its own entry in the DNS for ldap.example.com it works fine.


Linus Lund wrote:

Hi all,

I'm trying to get my SSL/TLS things to work with ldap, e.g. I'd like ldapsearch -H ldaps://ldap.example.com to return entries. This command works if I execute it on the same machine as the ldap server resides on. But not on another client!

First of all, my configuration:
slapd.conf contains
TLSCACertificateFile /usr/local/etc/openldap/cert/ca-certificate.pem
TLSCertificateFile /usr/local/etc/openldap/cert/certificate.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/ldap.key
TLSVerifyClient never

ldap.conf (on both machines)
TLS_CACERT /usr/local/etc/openldap/cert2/ca-certificate.pem

First I try to search on the "server-computer". This works fine, both with -H ldaps://ldapserver and -ZZ. I also try to run openssl s_client -connect ldap.example.com:636, this returns ok.

Then I move to the other computer.
Running openssl s_client -connect ldap.example.com:636 returns
10097:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

adding -ssl2 to the openssl command lines returns
Verify return code: 0 (ok)

Running ldapsearch -H ldaps://ldap.example.com returns
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=0

TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.

I've also tried to run openssl s_server with the same certs as the ldapserver uses on the "servercomputer", then I try to connect with both ldapsearch and openssl s_client, both work fine!

What could make things go wrong here? I'm using exactly the same configuration and CA files on both machines. I have the same openssl version on both machines. I have OpenLDAP 2.2.26 on both machines.

Any help would be much appreciated!
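The mismatch the reply describes (the client checks the certificate against the name obtained by a reverse lookup of the server address, and that name is the alias target rather than ldap.example.com) can be reproduced offline. This is an added diagnostic script, not code from the thread or from OpenLDAP; the DNS records and certificate names in it are constructed, and the hostname matching is the usual exact-or-single-label-wildcard rule.

```python
"""Check whether an LDAPS server name passes a certificate name check both
for the name the client typed and for the name a reverse lookup returns."""
import socket
import ssl


def cert_names(cert):
    """Names a server certificate is valid for: SAN dNSName entries plus subject CN.
    'cert' is the dict shape returned by ssl.SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return [n.lower() for n in names]


def name_matches(hostname, pattern):
    """Exact match, or a leading '*.' wildcard that covers exactly one label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return hostname == pattern


def diagnose(hostname, names, forward, reverse):
    """forward: name -> IP, reverse: IP -> PTR name (both dicts, so they can be
    constructed offline). Reports the two checks a client might perform."""
    ip = forward[hostname]
    ptr = reverse[ip]
    return {
        "ip": ip,
        "reverse_name": ptr,
        "requested_name_ok": any(name_matches(hostname, n) for n in names),
        "reverse_name_ok": any(name_matches(ptr, n) for n in names),
    }


def diagnose_live(hostname, port=636, cafile=None):
    """Same checks against real DNS and the real server certificate (CA-verified);
    hostname verification is done by diagnose() so both results can be reported."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=hostname) as tls:
        names = cert_names(tls.getpeercert())
    ip = socket.gethostbyname(hostname)
    return diagnose(hostname, names, {hostname: ip}, {ip: socket.gethostbyaddr(ip)[0]})


# Constructed records mirroring the thread: ldap.example.com is an alias for srv1.
FORWARD = {"ldap.example.com": "192.0.2.10", "srv1.example.com": "192.0.2.10"}
REVERSE = {"192.0.2.10": "srv1.example.com"}
```

With the constructed records, diagnose("ldap.example.com", ["ldap.example.com"], FORWARD, REVERSE) reports requested_name_ok True but reverse_name_ok False, which is the situation fixed by giving ldap.example.com its own record.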