[Date Prev][Date Next] [Chronological] [Thread] [Top]

SSL/TLS

To: openldap-software@OpenLDAP.org
Subject: SSL/TLS
From: Greg Martin <gmartin@gmartin.org>
Date: Fri, 09 Mar 2007 14:04:57 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070221 Thunderbird/1.5.0.10 Mnenhy/0.7.4.666

I know there are a lot of question on this topic and ask for your patience.

I'm trying to figure out how to discern if slapd is properly configured for SSL/TLS. Reading through the slapd strace output shows that the cacert & certfile are being opened & read

slapd v2.3.27

When I look at netstat -an ports 389 & 636 are listening: tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN


slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never

Reading through the strace output shows that the cacert & certfile are being opened.

ldap.conf
BASE    dc=gmartin, dc=org
URI    ldap://linux2.gmartin.org
TLS_CACERT /var/data/ca/cacert.pem

ldaprc:
TLS_CACERT /var/data/ca/cacert.pem

When I try ldapsearch or openssl s_client, I receive:
sslv3 alert handshake failure

And using slapd debug I see: TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:97

I checked the FAQ and I think I've looked at everything there. Not sure where to look next.

\\Greg

Follow-Ups:
- Re: SSL/TLS
  - From: Greg Martin <gmartin@gmartin.org>

Prev by Date: *****SPAM***** openLDAP replication and trigger a script or exec binary
Next by Date: Re: slapd stopping with no error message
Index(es):
- Chronological
- Thread