[Date Prev][Date Next] [Chronological] [Thread] [Top]

Strange error during TLS handshake

To: openldap-software@openldap.org
Subject: Strange error during TLS handshake
From: Fabian Steiner <lists@fabis-site.net>
Date: Thu, 23 Aug 2007 18:31:54 +0200
Content-disposition: inline
User-agent: KMail/1.9.6

Heute 17:09:11
   
Hello!

For some time now we are using OpenLDAP in order to provide a stable 
network-wide authentication service. Of course, we also enabled TLS-Support 
so that any connection is encrypted. However, we encounter some problems 
which are definitely subject of SSL as they also occur when we try to test 
our setup using "openssl s_client" and "openssl s_server".
Most of the time TLS/SSL works perfect, but it may happen that we get the 
following error when we restart slapd:

$ ldapsearch -x -ZZ -d1
[...] 
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, 
subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim 
Marquartstein/CN=lsh-marquartstein.de, 
issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim 
Marquartstein/CN=lsh-marquartstein.de
TLS certificate verification: depth: 0, err: 0, 
subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim 
Marquartstein/CN=uranos.lsh-marquartstein.de, 
issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim 
Marquartstein/CN=lsh-marquartstein.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 
alert 
handshake failure
[...]

If this is the case we can't get it to work anymore and the whole server has 
to be switched off in order to make it work again. What might cause this 
problem? OS is Ubuntu Linux 6.06.1 Dapper Server-Edition.

Looking forward to your answer!

Thanks,
Fabian

P.S. We are using self-signed certificates of our own CA.

Follow-Ups:
- Re: Strange error during TLS handshake
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: slapo-dynlist search member=value search?
Next by Date: Re: ldap_bind: Can't contact LDAP server (-1)
Index(es):
- Chronological
- Thread