Hello,
I'm trying to get OpenLDAP to work with SSL. This is the error I get when I 
try to search the server:

# ldapsearch -x -H ldaps://master.pupeno.com
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

In the server's log I get:

daemon: activity on 1 descriptors
daemon: new connection on 15
ldap_pvt_gethostbyname_a: host=master, r=0
conn=0 fd=15 ACCEPT from IP=127.0.0.1:33112 (IP=0.0.0.0:636)
[...]
connection_get(15)
connection_get(15): got connid=0
connection_read(15): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 92 01 03 01 00 69 00  00 00 20                  ......i...
tls_read: want=137, got=137
  0000:  00 00 39 00 00 38 00 00  35 00 00 16 00 00 13 00   ..9..8..5.......
  0010:  00 0a 07 00 c0 00 00 33  00 00 32 00 00 2f 00 00   .......3..2../..
  0020:  07 05 00 80 03 00 80 00  00 66 00 00 05 00 00 04   .........f......
  0030:  01 00 80 08 00 80 00 00  63 00 00 62 00 00 61 00   ........c..b..a.
  0040:  00 15 00 00 12 00 00 09  06 00 40 00 00 65 00 00   ..........@..e..
  0050:  64 00 00 60 00 00 14 00  00 11 00 00 08 00 00 06   d..`............
  0060:  04 00 80 00 00 03 02 00  80 97 46 fa 9b d2 96 1c   ..........F.....
  0070:  13 8a cb 59 49 64 c8 88  94 94 7a f1 9a b5 9f 1f   ...YId....z.....
  0080:  db 08 47 4a 1f 40 19 28  6a                        ..GJ.@.(j
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 28                               ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:888
connection_read(15): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=15 for close
connection_close: conn=0 sd=15
[...]

I've tried s_client, and this is what I've got:

# openssl s_client -connect master.pupeno.com:636 -showcerts -state -CAfile /etc/ssl/certs/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
24889:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:473:

I can't find what the problem is. If anyone can give me a hint about what I am
doing wrong, I will appreciate it!

I've created a private DSA key according to 
http://www.openssl.org/docs/HOWTO/keys.txt, I created a certificate request 
according to http://www.openssl.org/docs/HOWTO/certificates.txt and I've got 
my certificate from CAcert[1].
My key is at /etc/ssl/privatekey.pem and my certificate 
at /etc/ssl/certificate.pem. CAcert's root certificate is 
on /etc/ssl/certs/cacert.pem (I've run c_rehash).
I can check my certificate:

# openssl verify -CAfile /etc/ssl/certs/cacert.pem -purpose sslserver -verbose -issuer_checks /etc/ssl/certificate.pem
/etc/ssl/certificate.pem: /CN=master.pupeno.com
error 29 at 0 depth lookup:subject issuer mismatch
/CN=master.pupeno.com
error 29 at 0 depth lookup:subject issuer mismatch
/CN=master.pupeno.com
error 29 at 0 depth lookup:subject issuer mismatch
OK

My FQDN is 'master.pupeno.com':

# hostname -f
master.pupeno.com

and my certificate was issued for that domain:

# openssl x509 -in /etc/ssl/certificate.pem -noout -text | grep master
        Subject: CN=master.pupeno.com

My OpenLDAP server is configured in this way:

TLSCertificateFile      /etc/ssl/certificate.pem
TLSCertificateKeyFile   /etc/ssl/privatekey.pem
TLSCACertificateFile    /etc/ssl/certs/cacert.pem

If there's anything else I should check, please, tell me!
Thank you.
-- 
Pupeno: [EMAIL PROTECTED] - http://pupeno.com
Reading Science Fiction ? http://sfreaders.com.ar

[1] http://cacert.org
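An added example, not from the original post or from OpenSSL/OpenLDAP: it decodes the SSLv2-compatible ClientHello captured in the two tls_read dumps above and groups the 35 offered suites by the server key type each one needs. With a DSA server key only the DHE-DSS suites are candidates, and those additionally require Diffie-Hellman parameters on the server side; the suite-id tables are the SSL3/TLS 1.0 ones plus the 56-bit export draft.

```python
from collections import Counter

# Constructed from the two tls_read dumps in the slapd log above (11 + 137 bytes):
# the SSLv2-compatible ClientHello record the client sent before the alert.
CLIENT_HELLO_HEX = (
    "80 92 01 03 01 00 69 00 00 00 20"
    " 00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00"
    " 07 05 00 80 03 00 80 00 00 66 00 00 05 00 00 04 01 00 80 08 00 80 00 00 63 00 00 62 00 00 61 00"
    " 00 15 00 00 12 00 00 09 06 00 40 00 00 65 00 00 64 00 00 60 00 00 14 00 00 11 00 00 08 00 00 06"
    " 04 00 80 00 00 03 02 00 80 97 46 fa 9b d2 96 1c 13 8a cb 59 49 64 c8 88 94 94 7a f1 9a b5 9f 1f"
    " db 08 47 4a 1f 40 19 28 6a"
)

# Server key type each suite id (last two bytes) needs, per the SSL3/TLS 1.0
# registry and the 56-bit export draft; SSLv2 kinds (first byte != 0) are RSA.
DHE_DSS = {0x11, 0x12, 0x13, 0x32, 0x38, 0x63, 0x65, 0x66}
DHE_RSA = {0x14, 0x15, 0x16, 0x33, 0x39}
RSA = {0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x2f, 0x35, 0x60, 0x61, 0x62, 0x64}


def parse_v2_client_hello(data: bytes) -> dict:
    """Decode an SSLv2-format CLIENT-HELLO (2-byte header with the high bit set)."""
    if not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if body[0] != 0x01:
        raise ValueError("not a CLIENT-HELLO (message type 0x01)")
    spec_len, sid_len, chal_len = (int.from_bytes(body[i:i + 2], "big") for i in (3, 5, 7))
    if len(body) != 9 + spec_len + sid_len + chal_len or spec_len % 3:
        raise ValueError("length fields do not match the record")
    specs = body[9:9 + spec_len]
    return {"version": (body[1], body[2]),
            "suites": [specs[i:i + 3] for i in range(0, spec_len, 3)],
            "challenge": body[9 + spec_len + sid_len:]}


def server_key_type(spec: bytes) -> str:
    """Server certificate/key type a 3-byte cipher spec requires."""
    if spec[0] != 0:  # SSLv2 cipher kind, e.g. 07 00 c0 = DES-CBC3-MD5
        return "RSA"
    suite_id = int.from_bytes(spec[1:], "big")
    for name, ids in (("DHE-DSS", DHE_DSS), ("DHE-RSA", DHE_RSA), ("RSA", RSA)):
        if suite_id in ids:
            return name
    return "unknown"


def key_types_offered(hex_dump: str) -> Counter:
    """Count the offered suites by the server key type each one needs."""
    return Counter(server_key_type(s) for s in parse_v2_client_hello(bytes.fromhex(hex_dump))["suites"])
```

Comparing the key type slapd actually loaded against these counts shows which of the offered suites can possibly match.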
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
