Re: SSL handshake failure

[Rich Megginson <rich.megginson@gmail.com>]

On 02/23/2012 01:34 PM, Bryce Powell wrote:

Hi,

 

I can’t get slapd to respond successfully to TLS or SSL connections using an RSA 2048-bit PEM certificate:

 

$ ldapsearch -x -ZZ -d1 -H ldap://FQDNhostname

 

TLS: loaded CA certificate file /etc/openldap/cacerts/FQDNhostname.cacert.pem.

TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory

TLS: error: connect - force handshake failure: errno 21 - moznss error -5938

TLS: can't connect: TLS error -5938:Encountered end of file.

ldap_err2string

ldap_start_tls: Connect error (-11)

        additional info: TLS error -5938:Encountered end of file

 

 

$ openssl s_client -connect FQDNhostname:636 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem

CONNECTED(00000003)

140457427965768:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 0 bytes and written 113 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

---

 

 

The following packages are installed on CentOS 6.2:

 

openldap-servers-2.4.23-20.el6.x86_64

openldap-2.4.23-20.el6.x86_64

openldap-clients-2.4.23-20.el6.x86_64

openssl-1.0.0-20.el6_2.1.x86_64

openssl-devel-1.0.0-20.el6_2.1.x86_64

gnutls-2.8.5-4.el6.x86_64

gnutls-devel-2.8.5-4.el6.x86_64

nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64

 

 

The /etc/openldap/ldap.conf file contains:

 

TLS_CACERT /etc/openldap/cacerts/FQDNhostname.cacert.pem

 

, which contains a chain of three certificates (root CA, intermediate/functional, and issuing).

 

 

The /etc/openldap/slapd.conf file contains:

 

TLSCipherSuite HIGH:+SSLv3

TLSCertificateFile      /etc/openldap/FQDNhostname.cert.pem

TLSCertificateKeyFile   /etc/openldap/FQDNhostname.key.pem

 

The server is acting as a proxy to an Active Directory, and therefore I only have one LDAP database defined. My intention is to use LDAPS for communication between the client and LDAP proxy servers:

 

database                ldap

suffix                      "dc=abc,dc=local"

rebind-as-user

uri                          "ldap://IPaddress1/ ldap://IPaddress2/ ldap://IPaddress3/ ldap://IPaddress4/"

chase-referrals    yes

noundeffilter       yes

use-temporary-conn      yes

 

 

The certificate and private key are located in /etc/openldap/, with the following permissions :

-r--r-----. 1 ldap ldap 2076 Feb 21 15:30 FQDNhostname.cert.pem

-r--r-----. 1 ldap ldap 1675 Feb 21 15:35 FQDNhostname.sdi.key.pem

 

The CN of the certificate matches the FQDN host name of the LDAP server.

 

The private key is not password protected.

 

Everything checks out OK by testing the certificate using openssl:

$ openssl verify -purpose sslserver -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem /etc/openldap/FQDNhostname.cert.pem

/etc/openldap/FQDNhostname.cert.pem: OK

 

OpenSSL client/server connections work fine too:

openssl s_server -cert /etc/openldap/FQDNhostname.cert.pem -key /etc/openldap/FQDNhostname.key.pem -cipher 'HIGH:+SSLv3

openssl s_client -connect FQDNhostname:4433 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem

 

 

Bryce Powell

Does it work if you specify TLSCACertificateFile /etc/openldap/cacerts/FQDNhostname.cacert.pem in your slapd.conf?
Can you get the -d 1 debug output from the server when you attempt to connect from the client?