[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS handshake failure

To: daniel@up247solution.com
Subject: Re: TLS handshake failure
From: Rich Megginson <rich.megginson@gmail.com>
Date: Tue, 09 Aug 2011 08:49:21 -0600
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=dmjgk5mscTwv1ik++Dqk4Q0xZm5w6erOqJZ9rAba23g=; b=Y8oNQQhRBDEF9aF0kdqyJhsaITLXgK71N52vcDfpxl29FspYBN1SIDQ83+GjWYPZzw kK0+24C7bwJjPfk2IOTBh8S5DlP97uIHh7KTC0Wx5F/PA2d0Mn7cZheUACk8xo4LXSga PL/kmn3f4i76TzA/sB0dL9AonpSc/D6qxpLIM=
In-reply-to: <4E41453E.8050902@up247solution.com>
References: <4E41453E.8050902@up247solution.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Red Hat/3.1.11-2.el6_1 Lightning/1.0b3pre Thunderbird/3.1.11

On 08/09/2011 08:33 AM, Daniel Qian wrote:

Hi,
I have slapd 2.4.24 and everything works without TLS. but if I add a-Z option to the ldapsearch command I get this:
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -Dcn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)
slapd.log shows something like this : connection_read(16): TLS acceptfailure error=-1 id=1006, closing
Output from openssl debug:
[root@ldaprov1 cacerts]# openssl s_client -connect hostname:389-showcerts -state -CAfile cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshakefailure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
The configurations are as follow (same command as above but withoutthe -Z option):
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -Dcn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: 9
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
I verified the ldap user can read all the TLS files and they are setupfine
[root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfilecacert.pem ldaprov1.crt
ldaprov1.crt: OK


Anyone can tell me what I am missing here?

No, but we're missing
1) platform
2) tls implementation (openssl, moznss, gnutls)
3) output of ldapsearch -x -d 1 -Z ...... rest of arguments .....


Thanks,
Daniel

Follow-Ups:
- Re: TLS handshake failure
  - From: Daniel Qian <daniel@up247solution.com>

References:
- TLS handshake failure
  - From: Daniel Qian <daniel@up247solution.com>

Prev by Date: TLS handshake failure
Next by Date: Re: TLS handshake failure
Index(es):
- Chronological
- Thread