Hello,

I'm trying to get OpenLDAP to work with SSL. This is the error I get when I try to search the server:
    # ldapsearch -x -H ldaps://master.pupeno.com
    ldap_bind: Can't contact LDAP server (-1)
            additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

On the server's logs I get:

    daemon: activity on 1 descriptors
    daemon: new connection on 15
    ldap_pvt_gethostbyname_a: host=master, r=0
    conn=0 fd=15 ACCEPT from IP=127.0.0.1:33112 (IP=0.0.0.0:636)
    [...]
    connection_get(15)
    connection_get(15): got connid=0
    connection_read(15): checking for input on id=0
    TLS trace: SSL_accept:before/accept initialization
    tls_read: want=11, got=11
      0000:  80 92 01 03 01 00 69 00 00 00 20                 ......i...
    tls_read: want=137, got=137
      0000:  00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00  ..9..8..5.......
      0010:  00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00  .......3..2../..
      0020:  07 05 00 80 03 00 80 00 00 66 00 00 05 00 00 04  .........f......
      0030:  01 00 80 08 00 80 00 00 63 00 00 62 00 00 61 00  ........c..b..a.
      0040:  00 15 00 00 12 00 00 09 06 00 40 00 00 65 00 00  ..........@..e..
      0050:  64 00 00 60 00 00 14 00 00 11 00 00 08 00 00 06  d..`............
      0060:  04 00 80 00 00 03 02 00 80 97 46 fa 9b d2 96 1c  ..........F.....
      0070:  13 8a cb 59 49 64 c8 88 94 94 7a f1 9a b5 9f 1f  ...YId....z.....
      0080:  db 08 47 4a 1f 40 19 28 6a                       ..GJ.@.(j
    tls_write: want=7, written=7
      0000:  15 03 01 00 02 02 28                             ......(
    TLS trace: SSL3 alert write:fatal:handshake failure
    TLS trace: SSL_accept:error in SSLv3 read client hello B
    TLS trace: SSL_accept:error in SSLv3 read client hello B
    TLS: can't accept.
    TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:888
    connection_read(15): TLS accept error error=-1 id=0, closing
    connection_closing: readying conn=0 sd=15 for close
    connection_close: conn=0 sd=15
    [...]
I've tried s_client, and this is what I've got:

    # openssl s_client -connect master.pupeno.com:636 -showcerts -state -CAfile /etc/ssl/certs/cacert.pem
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL3 alert read:fatal:handshake failure
    SSL_connect:error in SSLv2/v3 read server hello A
    24889:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:473:

I can't find what the problem is; if anyone can give me a hint of what I am doing wrong, I will appreciate it!

I've created a private DSA key according to http://www.openssl.org/docs/HOWTO/keys.txt, I created a certificate request according to http://www.openssl.org/docs/HOWTO/certificates.txt and I've got my certificate from CAcert[1]. My key is at /etc/ssl/privatekey.pem and my certificate at /etc/ssl/certificate.pem. CAcert's root certificate is at /etc/ssl/certs/cacert.pem (I've run c_rehash).

I can check my certificate:

    # openssl verify -CAfile /etc/ssl/certs/cacert.pem -purpose sslserver -verbose -issuer_checks /etc/ssl/certificate.pem
    /etc/ssl/certificate.pem: /CN=master.pupeno.com
    error 29 at 0 depth lookup:subject issuer mismatch
    /CN=master.pupeno.com
    error 29 at 0 depth lookup:subject issuer mismatch
    /CN=master.pupeno.com
    error 29 at 0 depth lookup:subject issuer mismatch
    OK

My FQDN is 'master.pupeno.com':

    # hostname -f
    master.pupeno.com

and my certificate was issued for that domain:

    # openssl x509 -in /etc/ssl/certificate.pem -noout -text | grep master
            Subject: CN=master.pupeno.com

My OpenLDAP server is configured in this way:

    TLSCertificateFile /etc/ssl/certificate.pem
    TLSCertificateKeyFile /etc/ssl/privatekey.pem
    TLSCACertificateFile /etc/ssl/certs/cacert.pem

If there's anything else I should check, please, tell me!
Thank you.

-- 
Pupeno: [EMAIL PROTECTED] - http://pupeno.com
Reading Science Fiction?
http://sfreaders.com.ar

[1] http://cacert.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
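The server's last trace line, "no shared cipher", means the client offered no suite the server could use, so the thing to look at is the CLIENT-HELLO that slapd dumped. Below is an added Python example (not from the post, OpenSSL or OpenLDAP) that decodes those dumped bytes as an SSLv2-compatible CLIENT-HELLO and lists the offered suites a server holding a DSA certificate, as configured here, could negotiate; the suite-name table is an assumption taken from the TLS 1.0 cipher suite registry. Those are all DHE_DSS suites, which an OpenSSL server enables only when DH parameters have been loaded, so the client offering them is necessary but not sufficient.

```python
# Added example: decode the SSLv2-format CLIENT-HELLO that slapd's TLS trace dumped.
# The bytes below are copied from the two tls_read dumps in the post (header + body).
CLIENT_HELLO_HEX = """
80 92 01 03 01 00 69 00 00 00 20
00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00
07 05 00 80 03 00 80 00 00 66 00 00 05 00 00 04 01 00 80 08 00 80 00 00 63 00 00 62 00 00 61 00
00 15 00 00 12 00 00 09 06 00 40 00 00 65 00 00 64 00 00 60 00 00 14 00 00 11 00 00 08 00 00 06
04 00 80 00 00 03 02 00 80 97 46 fa 9b d2 96 1c 13 8a cb 59 49 64 c8 88 94 94 7a f1 9a b5 9f 1f
db 08 47 4a 1f 40 19 28 6a
"""

# TLS suites signed with DSS (assumed from the TLS 1.0 registry, not from the post).
# A server that only holds a DSA certificate can negotiate nothing outside this set.
DHE_DSS_SUITES = {
    0x000011: "EXP-DHE-DSS-DES-CBC-SHA", 0x000012: "DHE-DSS-DES-CBC-SHA",
    0x000013: "DHE-DSS-DES-CBC3-SHA",    0x000032: "DHE-DSS-AES128-SHA",
    0x000038: "DHE-DSS-AES256-SHA",      0x000063: "EXP1024-DHE-DSS-DES-CBC-SHA",
    0x000065: "EXP1024-DHE-DSS-RC4-SHA", 0x000066: "DHE-DSS-RC4-SHA",
}

def parse_v2_client_hello(data: bytes) -> dict:
    """Parse a backwards-compatible SSLv2 CLIENT-HELLO: 2-byte record header, then
    msg-type, version, cipher/session-id/challenge lengths and 3-byte cipher specs."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("expected a 2-byte SSLv2 record header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    version = (body[1] << 8) | body[2]
    cipher_len = (body[3] << 8) | body[4]
    sid_len = (body[5] << 8) | body[6]
    chal_len = (body[7] << 8) | body[8]
    if cipher_len % 3 or 9 + cipher_len + sid_len + chal_len != length:
        raise ValueError("cipher-spec/session-id/challenge lengths do not match record")
    specs = body[9:9 + cipher_len]
    offered = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cipher_len, 3)]
    return {"version": version, "challenge_len": chal_len, "ciphers": offered}

def dss_capable_suites(offered):
    """Suites from the client's list that a DSA-certificate server could pick, in client order."""
    return [DHE_DSS_SUITES[c] for c in offered if c in DHE_DSS_SUITES]

def decode_trace() -> dict:
    return parse_v2_client_hello(bytes.fromhex(CLIENT_HELLO_HEX))

if __name__ == "__main__":
    hello = decode_trace()
    print("version 0x%04x, %d cipher specs offered" % (hello["version"], len(hello["ciphers"])))
    print("DSS-signed suites offered:", ", ".join(dss_capable_suites(hello["ciphers"])))
```

Running it shows the client advertising TLS 1.0 with 35 cipher specs, eight of them DHE-DSS, so the client's cipher list alone does not explain the rejection.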