
Re: OpenLDAP starts, but...



Given this error:
  TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I'd make sure your ciphersuite settings are sensible.  Given
that ldapsearch was able to agree on a cipher with s_server,
particular attention to the slapd(8) cipher setting would
be appropriate.  I suggest commenting out any TLSCipherSuite
directive that you might have in slapd.conf(5) (since you
didn't provide a -cipher to s_server).  (And, before you
add TLSCipherSuite/TLS_CIPHER_SUITE back into your OpenLDAP
configuration, you test with -cipher first.)

And, if that doesn't help, examine other settings.  You
should be able to translate your s_client/s_server success
to ldapsearch/slapd success.  There is a direct relationship
between s_client/s_server options and ldapsearch/slapd
configuration options.

And if that doesn't help... I'd make sure you not only have
the latest "stable" releases of OpenLDAP and OpenSSL
installed, but that you've installed them properly.

Kurt

At 06:15 PM 3/15/2005, Pupeno wrote:
>
>On Tuesday, March 15, 2005 22:13, Kurt D. Zeilenga wrote:
>> I don't believe Pupeno has expressed this publicly yet.
>> As far as I can tell, he's using s_client against slapd.
>> Where's the evidence (or his statement) that s_client is
>> working against s_server (on the systems he's having
>> problems with)?  If he's gotten s_client to work with
>> s_server, and verify to report no errors... then he should
>> say so.
>I'm sorry, I've had some chat sessions with Quanah and I might have thought
>I had posted something that I didn't.
>
>> And if s_client/s_server are working, what about ldapsearch(1)
>> to s_server?
>I haven't tried it. Let's see.
>
>I start the server:
>
># openssl s_server -accept 1234 -cert /etc/ssl/certificate.pem -key /etc/ssl/privatekey.pem
>Using default temp DH parameters
>ACCEPT
>
>I run ldapsearch:
>
># ldapsearch -x -H ldaps://master.pupeno.com:1234
>
>the server says:
>
>-----BEGIN SSL SESSION PARAMETERS-----
>MHUCAQECAgMBBAIAOAQgWlBOzysTy23s7dCp0t3KMKXk4LtGT+8Hx0p6XyIoCDoE
>MEcrHqRjqpNkTaR4kbZc5wzdX08SDJm7er6I+/6lD3qGiD9ozU9R9OsJyb/aoVs0
>K6EGAgRCN5VrogQCAgEspAYEBAEAAAA=
>-----END SSL SESSION PARAMETERS-----
>Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
>CIPHER is DHE-DSS-AES256-SHA
>0
> `
>
>and that's all. Do you see anything wrong here ?
>
>Just for the record:
>s_client -> s_server [works]
>any browser -> apache [works]
>s_client -> slapd [doesn't work]
>ldapsearch -> slapd [doesn't work]
>
>> >The OpenSSL verify command with the trusted CA from cacert.org works.
>>
>> Looks to me (from his OpenSSL post) that a verify command is
>> returning errors.
>
>I believe the errors are because there's no certification for cacert.pem, 
>well, after all, it's a root certificate, the chain starts somewhere. Or do 
>you know how to solve those errors ? If I run the command this way:
>
># openssl verify -CAfile /etc/ssl/certs/cacert.pem -purpose sslserver -verbose /etc/ssl/certificate.pem
>/etc/ssl/certificate.pem: OK
>
>I don't get any error.
>
>> >However, using the openssl client to request the cert from his OpenLDAP
>> > server does not return a cert.  Testing the same thing against my ldap
>> > servers returned a cert.
>>
>> Well, if ldapsearch(1) works to s_server on his system, and
>> works against your server, I'd guess his server runtime
>> environment hosed.  File permissions or something.
>I had a file permissions problem with the key and the certificate before;
>in that case, slapd doesn't even start.
>
>Thank you.
>-- 
>Pupeno: pupeno@pupeno.com - http://pupeno.com
>Reading Science Fiction ? http://sfreaders.com.ar
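The "direct relationship" Kurt describes between s_client/s_server options and the ldapsearch/slapd configuration can be made mechanical. The script below is an added example for this thread, not OpenLDAP project code: it reads the TLS directives out of a slapd.conf(5) and ldap.conf(5) fragment, emits the openssl s_server and s_client command lines that use exactly the same certificate, key, CA and cipher settings, and shows with a plain set intersection why a TLSCipherSuite the client does not offer ends in "no shared cipher". The config fragments are constructed samples (the paths are the ones quoted in the thread, used as placeholders); the offered-cipher list is the head of the "Shared ciphers:" line s_server printed above. One assumption to note: shared_ciphers() works on expanded suite names, so a real TLSCipherSuite string such as HIGH:MEDIUM must first be expanded with `openssl ciphers -v '<string>'`, which this example does not do.

```python
"""Map OpenLDAP TLS directives onto the openssl s_server / s_client flags
they correspond to, so the same parameters can be tested outside slapd,
and compute the cipher intersection that decides "no shared cipher".

Added example for the thread above, not OpenLDAP project code.  Config
fragments are constructed samples; certificate paths are placeholders.
"""
import shlex

# Constructed slapd.conf(5) fragment.  The TLSCipherSuite line is the one
# the thread suggests commenting out while testing against s_server.
SLAPD_CONF = """\
# slapd.conf (constructed sample)
TLSCACertificateFile  /etc/ssl/certs/cacert.pem
TLSCertificateFile    /etc/ssl/certificate.pem
TLSCertificateKeyFile /etc/ssl/privatekey.pem
TLSCipherSuite        AES256-SHA
"""

# Constructed ldap.conf(5) fragment for the ldapsearch side.
LDAP_CONF = """\
TLS_CACERT  /etc/ssl/certs/cacert.pem
TLS_REQCERT demand
"""

# slapd.conf directive -> s_server flag that takes the same value.
SERVER_FLAGS = {
    "tlscertificatefile":    "-cert",
    "tlscertificatekeyfile": "-key",
    "tlscacertificatefile":  "-CAfile",
    "tlsciphersuite":        "-cipher",
}
# ldap.conf directive -> s_client flag that takes the same value.
CLIENT_FLAGS = {
    "tls_cacert":       "-CAfile",
    "tls_cert":         "-cert",
    "tls_key":          "-key",
    "tls_cipher_suite": "-cipher",
}


def parse_directives(text):
    """Return {directive_lowercased: value}; blank and '#' lines are skipped.
    slapd matches directive names case-insensitively, hence the lowercasing."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0].lower()] = parts[1].strip()
    return out


def _translate(directives, flag_map, prefix):
    argv = list(prefix)
    for directive, flag in flag_map.items():
        if directive in directives:
            argv += [flag, directives[directive]]
    return argv


def s_server_argv(slapd_conf, port=1234):
    """openssl s_server argv using slapd's cert, key, CA and cipher settings.
    No TLSCipherSuite -> no -cipher, i.e. OpenSSL's default list, which is
    what the working s_server run in the thread used."""
    return _translate(parse_directives(slapd_conf), SERVER_FLAGS,
                      ["openssl", "s_server", "-accept", str(port)])


def s_client_argv(ldap_conf, host, port=1234):
    """openssl s_client argv using ldap.conf's CA/cert/key/cipher settings."""
    return _translate(parse_directives(ldap_conf), CLIENT_FLAGS,
                      ["openssl", "s_client", "-connect", f"{host}:{port}"])


def shared_ciphers(client_offered, server_allowed):
    """Suites both sides accept, kept in the order the client offered them.
    An empty list is the condition slapd logs as
    'SSL3_GET_CLIENT_HELLO:no shared cipher'."""
    allowed = set(server_allowed)
    return [c for c in client_offered if c in allowed]


# Head of the "Shared ciphers:" line s_server printed in the thread: suites
# ldapsearch offered that the default s_server list also accepted.
LDAPSEARCH_OFFERED = [
    "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA",
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
    "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "AES128-SHA",
]

if __name__ == "__main__":
    print(shlex.join(s_server_argv(SLAPD_CONF)))
    print(shlex.join(s_client_argv(LDAP_CONF, "master.pupeno.com")))
    # Server restricted to AES256-SHA: one suite is still shared.
    print(shared_ciphers(LDAPSEARCH_OFFERED, ["AES256-SHA"]))
    # Server restricted to a suite the client never offered: no shared cipher.
    print(shared_ciphers(LDAPSEARCH_OFFERED, ["CAMELLIA256-SHA"]))
```

Run the two printed commands in separate terminals (s_server first) and point ldapsearch at the s_server port as in the thread; if that handshake succeeds with the same -cert/-key/-CAfile/-cipher values slapd was given, the remaining difference is slapd's runtime environment rather than the TLS material itself.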