
Re: RHEL 5 will not do TLS/SSL authentication



On Monday 01 September 2008 08:08:03 Dat Duong wrote:
> Hi,
>
>
> I can't find anywhere on how to fix my RHEL 5 to use TLS/SSL
> authentication.

Well, it works for me, without any "fixing", just correct configuration.

> I will work when I comment out the ssl startTLS and SSL. On
> my Solaris 10, I can do ldapsearch with the -ZZ option

The -Z option in the native Solaris ldap utilities isn't for start_tls as with 
the OpenLDAP utilities. You need to specify *which* ldapsearch you are using.

I don't think the Solaris 10 ldapclient (the equivalent of nss_ldap) supports 
start_tls ...


> Here is what I did with the debug on for ldapsearch. Please help me solve
> this problem...THANKS!!
>
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL3 alert read:fatal:handshake failure
> TLS trace: SSL_connect:failed in SSLv3 read finished A
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
>     additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> alert handshake failure

But, you didn't provide *any* details on your client configuration.
Specifically, tls_cacertfile from /etc/ldap.conf, and TLS_CACERT from
/etc/openldap/ldap.conf.


Regards,
Buchan
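A quick way to collect the client-side details asked for above, as an added example that is not part of this thread: the script reads an ldap.conf-style file, reports the CA-certificate setting (TLS_CACERT for the OpenLDAP utilities, tls_cacertfile for nss_ldap), and checks that the referenced file exists and holds a PEM certificate. The config files and the certificate file it inspects are constructed placeholders, as are the host and base DN.

```shell
#!/bin/sh
# Added example: inspect the CA-certificate setting in an ldap.conf-style file.
# Both the OpenLDAP client file (/etc/openldap/ldap.conf, key TLS_CACERT) and the
# nss_ldap file (/etc/ldap.conf, key tls_cacertfile) use "key value" lines;
# the key is matched case-insensitively.

# Print the value of the CA-certificate key in $1, or nothing if it is unset.
ldap_cacert_setting() {
    # Strip comments, match either key name, print the first value found.
    sed -e 's/#.*//' "$1" |
        awk 'tolower($1) == "tls_cacert" || tolower($1) == "tls_cacertfile" { print $2; exit }'
}

# Classify the CA setting of config file $1:
#   unset   - no TLS_CACERT / tls_cacertfile line (the client cannot verify the server)
#   missing - the line points at a file that does not exist or is unreadable
#   notpem  - the file exists but contains no PEM certificate block
#   ok      - the file exists and holds at least one PEM certificate
check_ldap_cacert() {
    cacert=$(ldap_cacert_setting "$1")
    if [ -z "$cacert" ]; then
        echo unset
    elif [ ! -r "$cacert" ]; then
        echo missing
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert"; then
        echo notpem
    else
        echo ok
    fi
}

# Constructed sample files: a placeholder PEM file (not a real certificate),
# an OpenLDAP-style ldap.conf that points at it, and an nss_ldap-style file
# that enables start_tls but names no CA certificate.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/cacert.pem"
printf 'URI ldap://ldap.example.com\nBASE dc=example,dc=com\n# TLS settings\nTLS_CACERT %s\nTLS_REQCERT demand\n' \
    "$demo_dir/cacert.pem" > "$demo_dir/ldap.conf"
printf 'host ldap.example.com\nbase dc=example,dc=com\nssl start_tls\n' > "$demo_dir/nss-ldap.conf"

echo "openldap ldap.conf: $(check_ldap_cacert "$demo_dir/ldap.conf")"     # ok
echo "nss_ldap ldap.conf: $(check_ldap_cacert "$demo_dir/nss-ldap.conf")" # unset
```

Run it against the real /etc/openldap/ldap.conf and /etc/ldap.conf to see at a glance whether each client has a CA certificate to verify the server against.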