[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS/SSL Handshake Error



Hello,
 
After creating a self-signed certificate as per the, OpenLDAP Admin Guide, TLS/SSL was enabled. The CN used when creating the certificates was the hostname of the LDAP server - "node01". However, when conducting further TLS/SSL tests there appears to be a handshaking error between the client and server. Additionally, when checking the Server certificates using the " openssl s_client -connect :636 -state -CAfile /var/certs/cacert.pem -cert /var/certs/servercrt.pem -key /var/certs/serverkey.pem" command it indicates that the client private certificate key can't be loaded and expecting a start line (see below). Appreciate any additional info. Config data as follows:
 

CLIENT CONFIG DATA

/etc/ldap.conf

host node01
base dc=S80,dc=com
uri ldaps://node01/
ldap_version 3
port 636
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
tls_reqcert never
tls_ciphers TLSv1
pam_password md5

/etc/openldap/ldap.conf

URI ldaps://node01:636
HOST node01
BASE dc=S80,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never

/etc/openldap/cacerts/cacert.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Virginia, O=XXX, OU=S80, CN=node01/emailAddress=XXX
        Validity
            Not Before: Feb 21 15:10:48 2008 GMT
            Not After : Feb 20 15:10:48 2011 GMT
        Subject: C=US, ST=Virginia, O=XXX, OU=S80, CN=node01/emailAddress=XXX
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:da:b9:b0:ba:ca:95:f1:fc:48:6e:e9:d5:5d:d5:
                    22:aa:9e:38:19:7d:0c:14:65:44:fa:12:69:f6:98:
                    6a:38:43:11:29:20:a8:a2:98:a9:00:ce:40:19:e5:
                    56:46:1b:85:d6:99:91:5f:7b:a9:19:ac:7b:7c:cc:
                    42:13:88:99:99:af:98:52:9b:a4:60:77:ca:e7:ae:
                    41:97:c0:8c:5e:f9:a1:44:c0:6b:29:ec:3f:9b:1e:
                    59:dc:05:f5:b8:a8:ed:71:7c:db:51:26:1f:59:ee:
                    04:fc:b0:24:77:64:2e:be:df:a7:1a:91:34:81:f4:
                    a6:d6:b9:26:64:63:2f:19:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:AA:5F:32:3D:7F:80:FA:4A:A1:A2:24:BC:66:AB:CE:C3:5A:A8:E0
            X509v3 Authority Key Identifier:
                keyid:C1:AA:5F:32:3D:7F:80:FA:4A:A1:A2:24:BC:66:AB:CE:C3:5A:A8:E0

    Signature Algorithm: sha1WithRSAEncryption
        37:84:43:62:ed:98:c3:31:85:24:3e:8d:d8:88:9f:4d:8f:00:
        dc:08:21:ee:9d:19:07:21:c0:70:cf:b1:38:94:49:34:de:42:
        93:5e:51:79:95:6b:d6:2d:7f:92:f7:da:49:d0:92:65:81:8f:
        ed:0e:24:0a:0d:17:cd:73:fe:c2:86:9c:40:22:04:af:7b:d6:
        1e:ba:2c:5a:f4:d8:52:ab:8f:94:45:ae:bc:11:07:06:0d:da:
        11:6f:f5:1a:63:ae:05:0a:64:32:b1:f0:5c:eb:21:6b:d1:ff:
        bb:0a:42:a9:a9:23:f3:ab:d4:9f:b4:26:4e:d4:ea:7b:0a:26:
        df:a4
-----BEGIN CERTIFICATE-----
.....XXX

 

-----END CERTIFICATE-----

SERVER CONFIG DATA

Server IP: 192.168.10.1
Hostname: node01
Suffix: dc=S80,dc=com

Certificate Common Name (CN): node01

/etc/openldap/slapd.conf

 TLSCACertificateFile /var/certs/cacert.pem
 TLSCertificateFile /var/certs/servercrt.pem
 TLSCertificateKeyFile /var/certs/serverkey.pem

database           ldbm
suffix                 "dc=S80,dc=com"

SERVER KEY (serverkey.pem)
-----BEGIN CERTIFICATE REQUEST-----
...XXX
-----END CERTIFICATE REQUEST-----

ERRORS OBSERVED (SERVER)
 

[root@node01 certs]# openssl s_client -connect :636 -state -CAfile /var/certs/cacert.pem -cert /var/certs/servercrt.pem -key /var/certs/serverkey.pem
unable to load client certificate private key file
8086:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY

[root@node01 certs]# ldapsearch -d127 -x -H ldaps://node01 uid=uid
ldap_create
ldap_url_parse_ext(ldaps://node01)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP node01:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.10.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=133, written=133
  0000:  80 83 01 03 01 00 5a 00  00 00 20 00 00 39 00 00   ......Z... ..9.. 
  0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............ 
  0020:  00 00 33 00 00 32 00 00  2f 03 00 80 00 00 66 00   ..3..2../.....f. 
  0030:  00 05 00 00 04 01 00 80  00 00 63 00 00 62 00 00   ..........c..b.. 
  0040:  15 00 00 12 00 00 09 06  00 40 00 00 65 00 00 64   .........@..e..d 
  0050:  00 00 14 00 00 11 00 00  08 00 00 06 04 00 80 00   ................ 
  0060:  00 03 02 00 80 28 9b 68  41 39 df 12 52 12 ab 41   .....(.hA9..R..A 
  0070:  20 11 b0 b9 d0 76 3d 5c  2d f6 3a 00 49 28 07 d4    ....v=\-.:.I(.. 
  0080:  67 8d 26 70 fb                                     g.&p.            
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  15 03 01 00 02 02 28                               ......(          
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

 
ERRORS OBSERVED (CLIENT)
 

[root@node03 ~]# openssl s_client -connect node01:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
3531:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:

 

[root@node03 ~]# ldapsearch -d127 -x -H ldaps://node01 uid=uid
ldap_create
ldap_url_parse_ext(ldaps://node01)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP node01:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.10.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=133, written=133
  0000:  80 83 01 03 01 00 5a 00  00 00 20 00 00 39 00 00   ......Z... ..9.. 
  0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............ 
  0020:  00 00 33 00 00 32 00 00  2f 03 00 80 00 00 66 00   ..3..2../.....f. 
  0030:  00 05 00 00 04 01 00 80  00 00 63 00 00 62 00 00   ..........c..b.. 
  0040:  15 00 00 12 00 00 09 06  00 40 00 00 65 00 00 64   .........@..e..d 
  0050:  00 00 14 00 00 11 00 00  08 00 00 06 04 00 80 00   ................ 
  0060:  00 03 02 00 80 51 97 63  fc ee 43 25 a8 d2 e4 8c   .....Q.c..C%.... 
  0070:  ef 63 6e e0 97 b7 cd c2  1e 14 97 c9 50 5d 82 6b   .cn.........P].k 
  0080:  3f f5 d0 6f a4                                     ?..o.            
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  15 03 01 00 02 02 28                               ......(          
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure