On 23/10/2019 19:14, Predrag Punosevac wrote:
> Hi Misc,
>
> I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
> authentication services for a 100-some member university research group.
> It appears the TLS handshake is broken. This worked perfectly on 6.5 and
> earlier.
>
> titan# uname -a
> OpenBSD titan.int.autonlab.org 6.6 GENERIC.MP#372 amd64
>
> I am using LDAP daemon from the base
>
> titan# more /etc/ldapd.conf
> #       $OpenBSD: ldapd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
>
> schema "/etc/ldap/core.schema"
> schema "/etc/ldap/inetorgperson.schema"
> schema "/etc/ldap/nis.schema"
>
> listen on lo0 tls certificate titan
> listen on em0 tls certificate titan
> listen on "/var/run/ldapi"
>
> namespace "dc=autonlab,dc=org" {
>         rootdn          "cn=admin,dc=autonlab,dc=org"
>         rootpw          "{SSHA}secret"
>         index           sn
>         index           givenName
>         index           cn
>         index           mail
> }
>
>
> The server certificate is regenerated and signed by my own certificate
> authority, which is on a different machine. I used easy-rsa just like
> for one of my other OpenBSD servers.
>
>
> This is the configuration of openldap-client on the LDAP server itself,
> which is used to modify the database:
>
> titan# pkg_info |grep openldap
> openldap-client-2.4.48 open-source LDAP software (client)
> openldap-server-2.4.48 open-source LDAP software (server)
>
> titan# more ldap.conf
> BASE    dc=autonlab,dc=org
> URI     ldap://titan.int.autonlab.org:389
>
> SIZELIMIT       12
> TIMELIMIT       15
> DEREF   never
>
> SSL START_TLS
> TLS_REQCERT demand
>
> TLS_CACERT      /etc/ldap/certs/ca.crt
> TLS_CERT        /etc/ldap/certs/titan.crt
> TLS_CACERTDIR   /etc/ldap/certs
> TLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
> TLS_PROTOCOL_MIN 3.3
>
> I didn't change DNS settings and I even have:
>
> titan# more /etc/hosts
> 127.0.0.1       localhost
> ::1             localhost
> 192.168.6.1     titan.int.autonlab.org titan
>
>
> I would appreciate any clues.
>
> Cheers,
> Predrag Punosevac
>
>
>

ldapsearch -d9 might give some hints.

openssl s_client -connect titan.int.autonlab.org:389 -starttls ldap

might also give something.

G
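The s_client probe suggested above produces a lot of output; the following added example (not from the thread) wraps it so that the three facts that matter for a STARTTLS failure are reduced to one line: whether a TLS session came up at all, which protocol and cipher were negotiated, and whether the server chain verifies against the CA file. The default host name and CA path are taken from the poster's ldap.conf and are assumptions to override for another server.

```shell
#!/bin/sh
# Added example, not from the thread: run the openssl s_client probe
# from the reply and reduce its output to a one-line verdict
# (negotiated protocol, cipher, certificate verify result).
# Host name and CA path default to values from the original ldap.conf;
# both are assumptions, override them for your own server.

# summarize_sclient: read s_client output on stdin and print
# "<protocol> <cipher> <verify-code>", using "none" for missing fields.
summarize_sclient() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        /Verify return code:/ {
            sub(/.*Verify return code:[ \t]*/, ""); code = $1
        }
        END {
            printf "%s %s %s\n", (proto == "" ? "none" : proto),
                   (cipher == "" ? "none" : cipher), (code == "" ? "none" : code)
        }'
}

# classify_handshake: read s_client output on stdin, print a verdict and
# return 0 (TLS up, chain verified), 1 (no TLS session was established,
# s_client reports cipher 0000) or 2 (chain not trusted, e.g. the CA file
# does not match the CA that issued the server certificate).
classify_handshake() {
    set -- $(summarize_sclient)
    proto=$1 cipher=$2 code=$3
    case "$cipher" in
        none|0000|"(NONE)")
            echo "handshake-failed"; return 1 ;;
    esac
    if [ "$code" != "0" ]; then
        echo "cert-verify-failed:$code"; return 2
    fi
    echo "ok:$proto:$cipher"
}

# probe_ldap_starttls HOST CAFILE: STARTTLS on port 389, trusting CAFILE.
probe_ldap_starttls() {
    host=${1:-titan.int.autonlab.org}     # host from the thread (assumption)
    cafile=${2:-/etc/ldap/certs/ca.crt}   # TLS_CACERT from the poster's ldap.conf
    openssl s_client -connect "$host:389" -starttls ldap \
        -CAfile "$cafile" </dev/null 2>&1 | classify_handshake
}
```

A `cert-verify-failed:19` verdict (self-signed certificate in chain) points at the CA file rather than the server, while `handshake-failed` means no TLS session was negotiated at all and the full `openssl s_client` output is the place to look next.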