ok, it would be nice if it is a configuration problem. I have tried openssl s_client:

    openssl s_client -connect oracle.hhb.bonn.de:636 -showcerts
    CONNECTED(00000003)
    8907:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:465:

and here is a part of slapd.conf:

    TLSCACertificateFile /etc/openldap/cacert.pem
    TLSCertificateFile /etc/openldap/servercrt.pem
    TLSCertificateKeyFile /etc/openldap/serverkey.pem
    #loglevel 1

and the ldap.conf:

    tls_cacert /etc/openldap/cacert.pem
    nss_base_passwd ou=People,dc=hhb,dc=bonn,dc=de
    nss_base_shadow ou=People,dc=hhb,dc=bonn,dc=de
    nss_base_group ou=Groups,dc=hhb,dc=bonn,dc=de
    host 10.100.0.202
    base dc=hhb,dc=bonn,dc=de
    ldap_version 3
    ssl start_tls
    pam_password crypt

-------------------------------------

The cert files and the key were generated by the following commands on the server:

    /usr/share/ssl/misc/CA.sh -newca
    openssl req -new -nodes -keyout newreq.pem -out newreq.pem
    /usr/share/ssl/misc/CA.sh -sign

After that I copied the file newreq.pem to serverkey.pem and newcert.pem to servercrt.pem. I changed the mode of serverkey.pem to 600 and the ownership to ldap. After that I transferred the file cacert.pem to my /etc/openldap directory on both machines.

Karsten

Quanah Gibson-Mount wrote:
>
> --On Wednesday, August 23, 2006 7:22 PM +0200 Dieter Kluenter <[EMAIL PROTECTED]> wrote:
>
>> Karsten Römke <[EMAIL PROTECTED]> writes:
>>
>>> Quanah Gibson-Mount wrote:
>>>>
>>>> --On Wednesday, August 23, 2006 6:09 PM +0200 Karsten Römke <[EMAIL PROTECTED]> wrote:
>>
>>> TLS trace: SSL_connect:before/connect initialization
>>> TLS trace: SSL_connect:SSLv2/v3 write client hello A
>>> TLS trace: SSL3 alert read:fatal:handshake failure
>>> TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
>>> TLS: can't connect.
>>> ldap_perror
>>> ldap_start_tls: Connect error (91)
>>> additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>>
>> This is quite obviously a certificate and/or configuration problem.
>>
>> Please submit the TLS configuration part of slapd.conf and the client's ldap.conf.
>> You may test the server with openssl s_client(1); for this slapd should listen on port 639:
>> openssl s_client -connect ldap.server:639 -showcerts
>
> I think you mean port 636.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Developer
> ITS/Shared Application Services
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
> ---
> You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
> To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.
