
Re: Problem with tls connections



On Fri, 5 Sep 2008, Norman Gies wrote:
> I have a problem with TLS connections to my OpenLDAP server.
> 
> The OpenLDAP server is running on Debian. I created all certificates
> with openssl. If I use ldapsearch on the server (SASL/EXTERNAL mech)
> everything works fine, but if I try to connect with jxplorer,
> ldapbrowser (Softerra), eclipse (Apache Directory), or with the examples
> from jldap, I always get the same error:
> javax.net.ssl.SSLHandshakeException: Remote host closed connection
> during handshake

I'm guessing this is the usual LDAP-with-StartTLS-on-port-389 vs 
LDAP-with-SSL-on-connect-on-port-636 confusion.

Does jxplorer support the LDAP StartTLS operation, or does it only support 
negotiating TLS/SSL at connect time?  If both, are you sure you're 
configuring it to use the right one?  The slapd log you quoted shows a 
connection on port 389, the normal LDAP port.  If a client tries to 
negotiate SSL at connection-time on that port, the LDAP server will hang 
up on it, as the SSL handshake packets don't look like LDAP requests.

If the client only supports SSL-on-connect, then you need to have it 
connect on port 636 (and you have to tell slapd to serve ldaps there too).


Philip Guenther
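A small probe that tells the two listener types apart, added here as an example and not part of the thread: it hand-encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) in BER, decodes the ExtendedResponse, and first tries TLS-on-connect so the "remote host closed connection" case above shows up as a plain-LDAP listener. Host, port and every byte string used to exercise the parser are constructed; only `probe()` needs a network.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }; short-form lengths suffice."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    body = b"\x02\x01" + bytes([msg_id]) + b"\x77" + bytes([len(name)]) + name
    return b"\x30" + bytes([len(body)]) + body

def _tlv(buf, pos):
    """Read one definite-length BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (a TLS record would start with 0x16)")
    mtag, mid, pos = _tlv(msg, 0)
    rtag, resp, _ = _tlv(msg, pos)
    if (mtag, rtag) != (0x02, 0x78):
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _tlv(resp, 0)        # resultCode ENUMERATED, 0 = success
    _, _matched, pos = _tlv(resp, pos)  # matchedDN, unused here
    _, diag, _ = _tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def probe(host, port, timeout=5.0):
    """Classify host:port as 'ldaps', 'starttls', 'ldap-no-starttls' or 'unknown' (needs network)."""
    try:  # TLS on connect, the ldaps:// behaviour normally served on 636
        with socket.create_connection((host, port), timeout) as raw:
            ssl.create_default_context().wrap_socket(raw, server_hostname=host).close()
        return "ldaps"
    except OSError as e:  # ssl.SSLError is an OSError; EOF or non-TLS bytes mean the peer did not speak TLS
        if isinstance(e, ssl.SSLCertVerificationError):
            return "ldaps"  # the peer did speak TLS, its certificate just is not trusted
    try:  # plain LDAP, then the StartTLS extended operation, the behaviour normally served on 389
        with socket.create_connection((host, port), timeout) as raw:
            raw.sendall(starttls_request())
            return "starttls" if parse_extended_response(raw.recv(4096))[1] == 0 else "ldap-no-starttls"
    except (OSError, ValueError, IndexError):
        return "unknown"
```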