Hi Misc,
I just upgraded an LDAP server from 6.5 to 6.6 running authorization and
authentication services for a 100-some-member university research group.
It appears the TLS handshake is broken. This worked perfectly on 6.5 and
earlier.
titan# uname -a
OpenBSD titan.int.autonlab.org 6.6 GENERIC.MP#372 amd64
I am using the LDAP daemon from the base system.
titan# more /etc/ldapd.conf
# $OpenBSD: ldapd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
schema "/etc/ldap/core.schema"
schema "/etc/ldap/inetorgperson.schema"
schema "/etc/ldap/nis.schema"
listen on lo0 tls certificate titan
listen on em0 tls certificate titan
listen on "/var/run/ldapi"
namespace "dc=autonlab,dc=org" {
rootdn "cn=admin,dc=autonlab,dc=org"
rootpw "{SSHA}secret"
index sn
index givenName
index cn
index mail
}
The server certificate was regenerated and signed by my own certificate
authority, which is on a different machine. I used easy-rsa, just like
for one of my other OpenBSD servers.
This is the configuration of the openldap-client on the LDAP server itself,
which is used to modify the database:
titan# pkg_info |grep openldap
openldap-client-2.4.48 open-source LDAP software (client)
openldap-server-2.4.48 open-source LDAP software (server)
titan# more ldap.conf
BASE dc=autonlab,dc=org
URI ldap://titan.int.autonlab.org:389
SIZELIMIT 12
TIMELIMIT 15
DEREF never
SSL START_TLS
TLS_REQCERT demand
TLS_CACERT /etc/ldap/certs/ca.crt
TLS_CERT /etc/ldap/certs/titan.crt
TLS_CACERTDIR /etc/ldap/certs
TLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
TLS_PROTOCOL_MIN 3.3
I didn't change DNS settings and I even have
titan# more /etc/hosts
127.0.0.1 localhost
::1 localhost
192.168.6.1 titan.int.autonlab.org titan
I would appreciate any clues.
Cheers,
Predrag Punosevac