Re: TLS trace: SSL_accept:error in SSLv2/v3 read client hello A

On Wed, 15 Dec 2010 22:27:23 +0000 (UTC)
Martin Jungowski <martin@rhm.de> wrote:

> Hi everybody,
> I'm trying to run OpenLDAP 2.2.13 on a CentOS 4.8 box with TLS/SSL 
> enabled. Certificate should be ok (fqdn set as common name!),
> self-signed since I can't copy a cacert file to all clients that will
> one day have to connect to the server (among others a few iPhones).
> "openssl x509 -in slapd.pem -noout -text" returns the correct
> contents of the certificate, "openssl s_client -connect localhost:636
> -showcerts" works too (although it does hang at the end right after
> "---" which I guess is normal.. haven't left it running for 300
> seconds yet). However, whenever trying to connect to my LDAP server
> through port 636 I get the above error message. The full message when
> performing "ldapsearch -x -h localhost:636 -b dc=home" (no difference
> if I replace localhost with the fqdn):
> > daemon: activity on 1 descriptors
> > daemon: new connection on 10
> > daemon: added 10r
> > daemon: activity on:
> > daemon: select: listen=6 active_threads=0 tvp=NULL
> > daemon: select: listen=7 active_threads=0 tvp=NULL
> > daemon: activity on 1 descriptors
> > daemon: activity on: 10r
> > daemon: read activity on 10
> > connection_get(10): got connid=7
> > connection_read(10): checking for input on id=7
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> > TLS: can't accept.
> > TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580

Probably a protocol mismatch in slapd.conf and ldap.conf. The protocol
used is defined as part of the cipher suite, something like SSLv2, or


Dieter Klünter | Systemberatung
GPG Key ID:DA147B05
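
The trace quoted above fails while the server is reading the client's first message. As an added example (not part of the thread, and not OpenLDAP or OpenSSL code), the following labels the opening bytes of a connection so a captured first packet can be compared with the hello formats a TLS listener expects. The function names and all sample byte strings are constructed for illustration, and the cleartext-LDAP case is an assumed input, not a diagnosis taken from the thread.

```python
# Added example: label the first bytes a TLS listener (e.g. port 636) receives.
# All sample byte strings below are constructed, not captured from the thread.

def ber_header_len(data: bytes) -> int:
    """Size of a BER tag+length header at data[0] (single-byte tag assumed)."""
    if data[1] < 0x80:              # short-form length
        return 2
    return 2 + (data[1] & 0x7F)     # long-form: low 7 bits = number of length bytes

def classify_first_bytes(data: bytes) -> str:
    """Return a label describing what kind of message the client sent first."""
    if len(data) < 6:
        return "too-short"
    # SSLv3/TLS record: content type 0x16 (handshake), major version 3, then
    # the handshake message type (0x01 = ClientHello) after the 5-byte header.
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello" if data[5] == 0x01 else "tls-handshake-other"
    # SSLv2 record: high bit set in the 2-byte length, then message type 0x01.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    # Cleartext LDAP: BER SEQUENCE (0x30) whose first element is the INTEGER
    # messageID (0x02); an operation tag of 0x60 after it is a BindRequest.
    if data[0] == 0x30:
        off = ber_header_len(data)
        if off + 1 < len(data) and data[off] == 0x02:
            op_at = off + 2 + data[off + 1]
            if op_at < len(data) and data[op_at] == 0x60:
                return "cleartext-ldap-bind"
            return "cleartext-ldap"
    return "unknown"

# Constructed samples: TLS 1.0 ClientHello start, SSLv2-format hello start,
# an anonymous LDAPv3 simple bind, and an unrelated text protocol.
SAMPLES = {
    "tls": bytes.fromhex("160301002f0100002b0301"),
    "sslv2": bytes.fromhex("802e0103010015"),
    "ldap": bytes.fromhex("300c020101600702010304008000"),
    "other": b"EHLO example\r\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:6} {blob[:8].hex():16} -> {classify_first_bytes(blob)}")
```
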