
Re: SSL3_READ_BYTES:sslv3 alert handshake failure



Greg Martin wrote:
> JOYDEEP, if you are only trying to encrypt the traffic (and not
> guarantee who the client is), then you need your slapd.conf to look as
> it does but drop the 'TLSVERIFYCLIENT demand' line.  That is not
> needed for encryption.
>

Dear Greg,

Thanks a lot for the clarification. You have solved the TLS encryption
thing. Regarding the certificate, I am confused, as I have seen different
GUI applications which only have a TLS enable option but no option to
declare the certificate. Moreover, in this case I have to distribute the
user certificate to the users. That's why I have enabled the *disallow
bind_anon* option in slapd.conf.
So I think with *disallow bind_anon* and with TLS encryption the server
and client communication is secured.
Anyhow, I would like to hear any suggestion about the client-side certificate
in case the remote client is using a GUI to access the LDAP addressbook
or LDAP-based email.

Thanks for your great guidance.

> The ldap.conf file only needs to reference the CACERT, the cipher suite
> and TLS_REQCERT demand.
>
> Here are my slapd.conf & ldap.conf files.  (Your file paths will vary)
>    ldap.conf (edited to remove non-TLS directives)
> TLS_CACERT /var/data/ca/cacert.pem
> TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
> TLS_REQCERT demand
> --------------
>    slapd.conf (edited to remove non-TLS directives)
> TLSCipherSuite  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
> TLSCACertificateFile /var/data/ca/cacert.pem
> TLSCertificateFile /var/data/ca/newcerts/ldap1cert.pem
> TLSCertificateKeyFile /etc/openldap/ldap1keyclear.txt
> TLSVerifyClient never
> -------
> Also, here is the line from my rc.slapd to start the daemon:
> /usr/libexec/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -h
> "ldap:/// ldaps:///"
> This startup command has slapd listening on 389 & 636 for all
> configured IP addresses.  This allows for both ldaps & TLS.  If you
> only need TLS, you can drop " ldaps:///" from the line.
>
> Finally,
> If you need client verification, I would get TLS working first then
> add the client cert requirements.  But, I think you'll want a
> different cert for the client.  Your config has the client & server
> using the same cert.  They should only share the CACert.
>
> \\Greg
>
> JOYDEEP wrote:
>> Greg Martin wrote:
>>  
>>> Try adding a corresponding TLSCipherSuite entry to ldap.conf.
>>>
>>> \\Greg
>>>
>> Sorry for the late reply, as I was busy writing an article.
>> Anyhow, I have followed the guidance as suggested.
>>
>> Now the ldap.conf has become like:
>> ----------------------------------------------
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>> TLS_CACERT /etc/openldap/myca/cacert.pem
>> TLS_CERT   /etc/openldap/myca/servercert.pem
>> TLS_KEY    /etc/openldap/myca/serverkey.pem
>> TLS_REQCERT allow
>> ---------------------------------------------------
>>
>> The slapd.conf is as before:
>> -----------------------------------------------
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>> TLSCertificateFile            /etc/openldap/myca/servercert.pem
>> TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
>> TLSCACertificateFile         /etc/openldap/myca/cacert.pem
>> TLSVerifyClient  demand
>> ----------------------------------------------------
>>
>> But still I have the same problem. *ldapsearch -x -ZZ* reports:
>>
>> ------------------------------------------
>> ldap_start_tls: Connect error (-11)
>>         additional info: error:14094410:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>> --------------------------------------------
>>
>> And the log reports:
>> --------------------------------------------------------------------------------
>>
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 ACCEPT from
>> IP=127.0.0.1:33418 (IP=0.0.0.0:389)
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 STARTTLS
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 RESULT oid= err=0 text=
>> Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 closed (TLS negotiation
>> failure)
>> ----------------------------------------------------------------------------------------
>>
>>
>> *slapd -d 255* reports:
>> -------------------------------------------
>> TLS trace: SSL_accept:error in SSLv3 read client certificate B
>> TLS: can't accept.
>> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
>> not return a certificate s3_srvr.c:2471
>> connection_read(15): TLS accept failure error=-1 id=42, closing
>> ---------------------------
>>
>> So pleeeaseeee help me to solve it.
>> Thanks a lot for the great support so far...
>>
>>
>>> JOYDEEP wrote:
>>>> Dear list,
>>>>
>>>> Now *ldapsearch -x -ZZ* is working; but again I have a problem when
>>>> demanding a certificate from the host. The error is:
>>>>
>>>> ========================
>>>> ldap_perror
>>>> ldap_start_tls: Connect error (-11)
>>>>         additional info: error:14094410:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
>>>> ======================================================================
>>>>
>>>> Here is my slapd.conf section for TLS:
>>>> -----------------------------------------------
>>>> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>>>> TLSCertificateFile            /etc/openldap/myca/servercert.pem
>>>> TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
>>>> TLSCACertificateFile         /etc/openldap/myca/cacert.pem
>>>> TLSVerifyClient  demand
>>>> ----------------------------------------------------
>>>>
>>>> Here is my ldap.conf:
>>>> ------------------------------------------------
>>>> TLS_CACERT /etc/openldap/myca/cacert.pem
>>>> TLS_CERT   /etc/openldap/myca/servercert.pem
>>>> TLS_KEY    /etc/openldap/myca/serverkey.pem
>>>> TLS_REQCERT allow
>>>> ---------------------------------------------------------
>>>>
>>>> Please note I have a self-signed certificate.
>>>>
>>>> Thanks
>>>>
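The fix Greg describes comes down to a handful of directive checks across slapd.conf and ldap.conf, so it is worth having them in a script rather than re-reading the files by hand each time. The following Python lint is an added example (it is not code from the thread or from the OpenLDAP project): it reads both files and flags the combinations discussed above, namely TLSVerifyClient demand on the server with no client certificate configured, the client reusing the server's certificate (they should only share the CA certificate), TLS_REQCERT set to never/allow so the client will not reject a bad server certificate, and cipher strings that reference SSLv2/SSLv3, export, LOW, RC4 or anonymous ciphers. It also flags TLS_CERT/TLS_KEY in a system-wide ldap.conf, because ldap.conf(5) documents those two as user-only options (honored in ~/.ldaprc, not in the system file); the check assumes the client file you feed it is the system-wide one. The first config pair is copied from the thread; the hardened pair, its file paths and the finding names are constructed for this example.

```python
"""Lint an OpenLDAP slapd.conf / ldap.conf pair for the TLS mismatches discussed in the thread."""

# Config pair copied from the thread's slapd.conf and ldap.conf excerpts.
THREAD_SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile            /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile        /etc/openldap/myca/serverkey.pem
TLSCACertificateFile         /etc/openldap/myca/cacert.pem
TLSVerifyClient  demand
"""

THREAD_LDAP_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT   /etc/openldap/myca/servercert.pem
TLS_KEY    /etc/openldap/myca/serverkey.pem
TLS_REQCERT allow
"""

# Hardened pair constructed for this example: encryption only (no client certs),
# client verifies the server, weak protocol/cipher families excluded. Paths are placeholders.
HARDENED_SLAPD_CONF = """\
TLSCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!SSLv2:!SSLv3
TLSCertificateFile    /etc/openldap/certs/ldap-server.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap-server.key
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSVerifyClient never
"""

HARDENED_LDAP_CONF = """\
TLS_CACERT /etc/openldap/certs/ca.pem
TLS_REQCERT demand
"""

# Cipher-string tokens that should never be enabled on an LDAP server today.
WEAK_CIPHER_TOKENS = {"SSLV2", "SSLV3", "EXP", "LOW", "RC4", "ADH", "ANULL", "ENULL"}


def parse_conf(text):
    """Parse 'DIRECTIVE value' lines into a dict; directives are case-insensitive, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def weak_ciphers(spec):
    """Return the weak tokens an OpenSSL cipher string still enables.

    '!X' and '-X' remove X from the list; '+X' only moves X to the end, so it stays
    enabled; 'A+B' is an intersection, so both A and B are inspected.
    """
    weak = set()
    for item in spec.split(":"):
        item = item.strip()
        if not item or item[0] in "!-":
            continue
        for token in item.lstrip("+").split("+"):
            if token.upper() in WEAK_CIPHER_TOKENS:
                weak.add(token.upper())
    return weak


def check_tls(slapd_text, ldap_text):
    """Return a list of finding names for the server/client TLS config pair."""
    server = parse_conf(slapd_text)
    client = parse_conf(ldap_text)
    findings = []
    verify = server.get("TLSVERIFYCLIENT", "never").lower()
    if verify == "demand" and "TLS_CERT" not in client:
        # Server insists on a client cert; handshake fails with "peer did not return a certificate".
        findings.append("client-cert-required-but-none-configured")
    if "TLS_CERT" in client or "TLS_KEY" in client:
        # ldap.conf(5): TLS_CERT/TLS_KEY are user-only options, ignored in the system-wide file.
        findings.append("tls_cert-in-system-ldap.conf-is-user-only")
    if client.get("TLS_CERT") and client["TLS_CERT"] == server.get("TLSCERTIFICATEFILE"):
        findings.append("client-reuses-server-cert")
    if client.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        findings.append("client-does-not-verify-server-cert")
    for name, conf in (("slapd", server), ("ldap", client)):
        weak = weak_ciphers(conf.get("TLSCIPHERSUITE", ""))
        if weak:
            findings.append(f"{name}-weak-ciphers:" + ",".join(sorted(weak)))
    return findings


if __name__ == "__main__":
    for label, pair in (("thread", (THREAD_SLAPD_CONF, THREAD_LDAP_CONF)),
                        ("hardened", (HARDENED_SLAPD_CONF, HARDENED_LDAP_CONF))):
        print(label, check_tls(*pair) or ["ok"])
```

To run it against real files, read /etc/openldap/slapd.conf and /etc/openldap/ldap.conf (or whatever paths your distribution uses) and pass the two strings to `check_tls`; the cipher check only looks at the tokens named in the string, so a bare `ALL` with no exclusions is not flagged and should be reviewed by hand.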