On 23/10/2019 19:14, Predrag Punosevac wrote:
> Hi Misc,
>
> I just upgraded an LDAP server from 6.5 to 6.6 running authorization and
> authentication services for a 100 some member university research group.
> It appears the TLS handshake is broken. This worked perfectly on 6.5 and
> earlier.
>
> titan# uname -a
> OpenBSD titan.int.autonlab.org 6.6 GENERIC.MP#372 amd64
>
> I am using LDAP daemon from the base
>
> titan# more /etc/ldapd.conf
> # $OpenBSD: ldapd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
>
> schema "/etc/ldap/core.schema"
> schema "/etc/ldap/inetorgperson.schema"
> schema "/etc/ldap/nis.schema"
>
> listen on lo0 tls certificate titan
> listen on em0 tls certificate titan
> listen on "/var/run/ldapi"
>
> namespace "dc=autonlab,dc=org" {
>         rootdn "cn=admin,dc=autonlab,dc=org"
>         rootpw "{SSHA}secret"
>         index sn
>         index givenName
>         index cn
>         index mail
> }
>
> Server certificate is regenerated and signed by my own certification of
> authority which is on a different machine. I used easy-rsa just like
> for one of my OpenBSD servers.
>
> This is the configuration of openldap-client on the LDAP server itself
> which is used to modify the database
>
> titan# pkg_info |grep openldap
> openldap-client-2.4.48 open-source LDAP software (client)
> openldap-server-2.4.48 open-source LDAP software (server)
>
> titan# more ldap.conf
> BASE dc=autonlab,dc=org
> URI ldap://titan.int.autonlab.org:389
>
> SIZELIMIT 12
> TIMELIMIT 15
> DEREF never
>
> SSL START_TLS
> TLS_REQCERT demand
>
> TLS_CACERT /etc/ldap/certs/ca.crt
> TLS_CERT /etc/ldap/certs/titan.crt
> TLS_CACERTDIR /etc/ldap/certs
> TLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
> TLS_PROTOCOL_MIN 3.3
>
> I didn't change DNS settings and I even have
>
> titan# more /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost
> 192.168.6.1 titan.int.autonlab.org titan
>
> I would appreciate any clues.
>
> Cheers,
> Predrag Punosevac
>
ldapsearch -d9 might give some hint.

openssl s_client -connect titan.int.autonlab.org:389 -starttls ldap might
also give something.

G
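The StartTLS exchange that both ldapsearch and openssl s_client -starttls ldap perform against port 389, as an added example (not code from this thread or from OpenLDAP): it builds the RFC 4511 StartTLS extendedRequest, parses the server's extendedResponse, and only then upgrades the same socket with client settings that mirror the ldap.conf above (TLS_REQCERT demand, TLS_PROTOCOL_MIN 3.3, i.e. TLS 1.2). The host, port and the CA file path in ldap_starttls are assumptions taken from the quoted configuration; the sample messages in the comments are constructed.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def ber_tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV; our values are < 128 bytes, so short-form length suffices."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def read_tlv(buf: bytes, off: int = 0):
    """Decode one BER TLV at buf[off]; handles short- and long-form lengths."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                      # long form: low 7 bits = number of length octets
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, 0x80 = [0]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)

def parse_starttls_response(data: bytes):
    """Return (messageID, resultCode, errorMessage) from an extendedResponse [APPLICATION 24]."""
    top, msg, _ = read_tlv(data)
    _, mid, off = read_tlv(msg)
    op, res, _ = read_tlv(msg, off)
    if top != 0x30 or op != 0x78:
        raise ValueError("not an LDAP extendedResponse")
    _, code, off = read_tlv(res)          # resultCode ENUMERATED; 0 = server will start TLS
    _, _matched_dn, off = read_tlv(res, off)
    _, err, _ = read_tlv(res, off)        # errorMessage, e.g. why StartTLS was refused
    return int.from_bytes(mid, "big"), code[0], err.decode()

def make_client_context(cafile=None) -> ssl.SSLContext:
    """Mirror the ldap.conf above: TLS_REQCERT demand and TLS_PROTOCOL_MIN 3.3 (TLS 1.2)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def ldap_starttls(host: str, port: int = 389, cafile: str = "/etc/ldap/certs/ca.crt"):
    """Send StartTLS in the clear, then upgrade the same socket (host/cafile are assumptions)."""
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(build_starttls_request(1))
    msg_id, code, err = parse_starttls_response(sock.recv(4096))  # short reply, one read suffices
    if code != 0:
        raise RuntimeError(f"StartTLS refused (id {msg_id}): resultCode={code} {err!r}")
    tls = make_client_context(cafile).wrap_socket(sock, server_hostname=host)
    return tls.version(), tls.cipher()    # negotiated protocol and cipher, to compare with ldap.conf
```

A handshake failure raised by wrap_socket (certificate, hostname or protocol version) is the same failure that ldapsearch -d9 reports, but here it is separated from a refusal at the LDAP layer, which shows up as a non-zero resultCode before any TLS is attempted.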