Hi,

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, June 09, 2008 3:36 AM
> To: openssl-users@openssl.org
> Subject: RE: ldaps client and oracle internet directory
>
> Hello,
>
> [EMAIL PROTECTED] wrote on 06/06/2008 06:25:38 PM:
>
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] On Behalf Of
> > > > [EMAIL PROTECTED]
> > > > <snipped>
> > > >
> > > > With the following error, what are the things that I need to check?
> > > > Thanks Mike
> > > >
> > > > openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636
> > > > CONNECTED(00000003)
> > > > 24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
> > >
> > > Try to add "-debug -msg -state" flags to this command to get more
> > > verbose output.
> >
> > Mark,
> > That does help. Thanks. It should have been obvious from the error
> > message above, but I've been thrashing so much on this that I am not
> > thinking clearly. I did speak with the OID admin and he tells me that we
> > are using the default config set, which is encryption only - no server
> > auth. I am not sure if this is the source of the SSL handshake failure.
> > I'm checking with the OID admin now. Thanks again for your suggestion. I
> > hope this isn't too much off topic for this group.
> > Mike
> >
> > +++++++++SUCCESSFUL SSL CONNECTION ON PORT 443+++++++++
> > # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:443 -state
> > CONNECTED(00000003)
> > SSL_connect:before/connect initialization
> > SSL_connect:SSLv2/v3 write client hello A
> > SSL_connect:SSLv3 read server hello A
> > <response snipped>
> > SSL_connect:SSLv3 read server certificate A
> > SSL_connect:SSLv3 read server done A
> > SSL_connect:SSLv3 write client key exchange A
> > SSL_connect:SSLv3 write change cipher spec A
> > SSL_connect:SSLv3 write finished A
> > SSL_connect:SSLv3 flush data
> > SSL_connect:SSLv3 read finished A
> > ---
> >
> > +++++++++SSL HANDSHAKE FAILURE ON PORT 636+++++++++
> > # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state
> > CONNECTED(00000003)
> > SSL_connect:before/connect initialization
> > SSL_connect:SSLv2/v3 write client hello A
> > SSL3 alert read:fatal:handshake failure
> > SSL_connect:error in SSLv2/v3 read server hello A
> > 1460:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
>
> Because you get a handshake alert after sending client_hello, the server
> does not accept some data in this packet.
> With SSLv2/v3 the client in reality sends an SSL2 client_hello and this may
> not be acceptable to the server. You may add the "-ssl3" or "-tls1" flag
> to use exactly one of these protocols (without the SSL2 client_hello).
>
Ok, I am getting a different error now (see below). I'll do some more checking.

Thanks,
Mike

+++++WITH -ssl3 switch+++++++++++++
# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
29817:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
29817:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:

+++++WITH -tls1 switch+++++++++++++
[EMAIL PROTECTED] ~]# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxxx:636 -state -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
29825:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
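An added example, not from this thread or from OpenSSL: a small Python triage helper that parses the OpenSSL error-queue lines and "-state" output from the three failing runs above (copied here as sample input), decodes the TLS alert number, and reports where each handshake stopped. The HINTS text is an assumed reading of Mark's explanation and of the named OpenSSL functions, not OpenSSL's own wording.

```python
import re

# Three failing s_client -state runs copied from the thread above (pid prefixes left as printed).
RUN_SSL23 = ["SSL_connect:SSLv2/v3 write client hello A", "SSL_connect:error in SSLv2/v3 read server hello A",
             "1460:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:"]
RUN_SSL3 = ["SSL_connect:SSLv3 write client hello A", "SSL_connect:failed in SSLv3 read server hello A",
            "29817:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40",
            "29817:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:"]
RUN_TLS1 = ["SSL_connect:SSLv3 write client hello A", "SSL_connect:error in SSLv3 read server hello A",
            "29825:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:"]

# OpenSSL error-queue line: [pid:]error:CODE:library:function:reason:file:line:[extra]
ERR_RE = re.compile(r"^(?:\d+:)?error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
                    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
# TLS alert descriptions, RFC 5246 section 7.2 (subset).
TLS_ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
              42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}
# Assumed meaning of each failure point seen in the thread, keyed on the OpenSSL function in the error line.
HINTS = {"SSL23_GET_SERVER_HELLO": "peer alerted on the SSLv2-compatible ClientHello; retry with -ssl3 or -tls1",
         "SSL3_READ_BYTES": "peer answered the ClientHello with a fatal alert (see alert_name)",
         "SSL3_GET_RECORD": "reply did not carry the record-layer version the client expected"}

def parse_error_line(line):
    # Split one OpenSSL error line into named fields; None if the line is not one.
    m = ERR_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["line"] = int(d["line"])
    a = ALERT_RE.search(d["extra"])  # only present when an alert record was received
    d["alert"] = int(a.group(1)) if a else None
    d["alert_name"] = TLS_ALERTS.get(d["alert"], "unknown") if a else None
    return d

def diagnose(run):
    # Walk one run: keep the last SSL_connect state and the FIRST error line (later ones are follow-on).
    state, err = None, None
    for line in run:
        if line.startswith("SSL_connect:"):
            state = line.split(":", 1)[1]
        err = err or parse_error_line(line)
    hint = HINTS.get(err["func"], "no hint for this function") if err else "no error line found"
    return state, err, hint

if __name__ == "__main__":
    for label, run in (("SSLv2/v3", RUN_SSL23), ("-ssl3", RUN_SSL3), ("-tls1", RUN_TLS1)):
        state, err, hint = diagnose(run)
        print(f"{label}: stopped at '{state}'; {err['func']}: {err['reason']} -> {hint}")
```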