We are facing an issue in one of our OpenLDAP environments: while enabling secure queries via ldaps://, our integration environment keeps returning the following error to our ldapsearch command:
SSL3_READ_BYTES:sslv3 alert bad record mac
while the same command pointing to our production environment connects correctly and returns matching entries.
Both run under the following versions:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
OpenLDAP: slapd 2.4.23
Each one has its own certificate, signed by the same CA.
In our integration environment, we have configured the following lines in our /etc/openldap/slapd.d/cn\=config.ldif:
And in the same file, in the production environment:
And we can check this problem by doing the following:
# openssl s_client -connect localhost:636 -showcerts -CApath /etc/openldap/certs/root_CA.pem
depth=1 L = (...), OU = (...), CN = (...)
verify error:num=19:self signed certificate in certificate chain
139866277001032:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1193:SSL alert number 20
139866277001032:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
Any ideas on what's wrong, and how to configure our secure LDAPS:// for OpenLDAP?
Security Technical Consultant
SIA Spain, S.A.
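As an added example (not part of the original post), here is a small shell helper that reads an openssl s_client transcript like the one above and turns the raw verify/alert lines into a diagnosis; the host:port and CA path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: classify an "openssl s_client"
# transcript read on stdin. Exit status is 0 when the handshake verified,
# 1 when a verification problem or a TLS alert was seen.
classify_s_client_output() {
    transcript=$(cat)
    rc=0
    if printf '%s\n' "$transcript" | grep -q 'verify error:num=19:'; then
        # X509 error 19: the root of the chain was not found in the trust store.
        # -CApath expects a c_rehash'ed directory; a single PEM file needs -CAfile.
        echo "verify: root CA not trusted (X509 error 19); pass the CA PEM with -CAfile, not -CApath"
        rc=1
    fi
    if printf '%s\n' "$transcript" | grep -q -e 'SSL alert number 20' -e 'bad record mac'; then
        # TLS alert 20 = bad_record_mac: the peer could not verify a record's MAC.
        # This is raised in the record layer, not by certificate checks, so compare
        # the failing server's TLS settings (olcTLS* attributes, key/cert pairing)
        # with the working one's.
        echo "handshake: peer sent bad_record_mac (TLS alert 20); record-layer failure, compare the server's TLS configuration with the working environment"
        rc=1
    fi
    if printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)'; then
        echo "handshake completed and the certificate chain verified"
    fi
    return $rc
}

# Probe an LDAPS endpoint with an explicit CA file and classify the outcome.
# Usage (placeholders): check_ldaps ldap.example.com:636 /etc/openldap/certs/root_CA.pem
check_ldaps() {
    openssl s_client -connect "$1" -CAfile "$2" </dev/null 2>&1 | classify_s_client_output
}
```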