On 2018-11-05, Joel Carnat <[email protected]> wrote:
> Hi,
>
> I'm using ldap(1) to query a remote Synology Directory Server (OpenLDAP
> 2.4.x).
> Unfortunately, it fails saying:
> TLS failed: handshake failed: error:14004410:SSL
> routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
> ldap: LDAP connection failed
>
> When I use the OpenLDAP ldapsearch, same arguments, I succeed.
>
> Using openssl s_client, I could confirm that the OpenLDAP server accepts
> TLS:
> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> (...)
If this were a cert problem you'd get a message like this from ldap(1):

  TLS failed: certificate verification failed: unable to get local issuer certificate
  ldap: LDAP connection failed

or

  TLS failed: name `XX' not present in server certificate

So it's not that.

ldap(1) uses libtls which defaults to only allowing secure ciphers,
specifically TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE. ldap(1) doesn't provide
a way to weaken that, though you could add a call to
tls_config_set_ciphers(tls_config, "compat") in ldapc_connect() to test
if it would work. Or an s_client command that would force these ciphers:

  openssl s_client -cipher TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE -CAfile /etc/ssl/cert.pem -connect $hostname:636

If not, perhaps the Synology box is using old OpenSSL without support for
these ciphers, or perhaps the cipher config is forcing only old ciphers.

FWIW this is what I am currently using on OpenBSD slapd:

  olcTLSCipherSuite: TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
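As an added example (not part of the thread, and not OpenBSD's or LibreSSL's own code), here is a small POSIX sh script that applies the reasoning in the reply above to `openssl s_client` output: it pulls out the negotiated protocol and cipher and reports whether that cipher is one the libtls default list `TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE` could ever have selected. The cipher-name patterns are an assumption based on OpenSSL/LibreSSL naming conventions (`openssl ciphers -v '<string>'` prints the exact set your libssl builds from that string), and the sample session is constructed, modelled on the output quoted in the question.

```shell
#!/bin/sh
# Added example (not from the thread): classify the session reported by
# `openssl s_client` against the libtls default cipher list
#   TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE
# The case patterns below are an assumption based on OpenSSL/LibreSSL cipher
# naming; `openssl ciphers -v 'TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE'` prints
# the exact set your libssl builds from that string.

# Constructed sample, modelled on the s_client output quoted in the thread.
SAMPLE=$(cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
EOF
)

# Print the negotiated cipher from the "New, ..., Cipher is X" line (stdin).
# A failed handshake prints "Cipher is (NONE)", which yields an empty string.
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is \([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# Print the protocol from the "Protocol  : TLSv1.2" line (stdin).
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if CIPHER is an authenticated ECDHE or DHE AEAD suite (GCM, CCM or
# ChaCha20-Poly1305), i.e. something the libtls default list can contain;
# exit 1 for everything else, including static-RSA AEAD suites such as
# AES256-GCM-SHA384.
in_libtls_default() {
    case "$1" in
        ECDHE-*-GCM-*|ECDHE-*-CCM*|ECDHE-*-CHACHA20-POLY1305) return 0 ;;
        DHE-*-GCM-*|DHE-*-CCM*|DHE-*-CHACHA20-POLY1305)       return 0 ;;
        *)                                                  return 1 ;;
    esac
}

# Read s_client output on stdin and print one verdict word. Always exits 0
# so it can be used in command substitution under `set -e`.
classify_session() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | negotiated_cipher)
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    if [ -z "$cipher" ]; then
        echo no-session     # handshake did not complete at all
    elif [ "$proto" != "TLSv1.2" ]; then
        echo not-tls12      # libtls defaulted to TLSv1.2 only at the time;
                            # TLSv1.3 suite names differ and are not classified
    elif in_libtls_default "$cipher"; then
        echo compatible     # the server can speak a libtls-default suite
    else
        echo no-ecdhe-dhe   # AEAD perhaps, but no ephemeral key exchange
    fi
    return 0
}

# Stand-alone demo on the constructed sample; for a live check, pipe
#   openssl s_client -connect "$hostname:636" </dev/null 2>/dev/null
# into classify_session instead.
printf '%s\n' "$SAMPLE" | classify_session
```

On the sample it prints `no-ecdhe-dhe`: in OpenSSL naming, `AES256-GCM-SHA384` without an `ECDHE-`/`DHE-` prefix is the static-RSA key-exchange suite, which is AEAD but falls outside both halves of the libtls default string. That is consistent with the picture in the reply (the server offers TLS, but not necessarily a suite libtls will accept); the forced-cipher `openssl s_client -cipher ...` command above remains the definitive check, since it asks the server directly rather than inferring from one negotiated session.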

