Hi Ben, Dieter, can we focus on LDAPS because TLS1 is not an option and even if LDAPS is deprecated I should be able to configure it ..

TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
TLSVerifyClient never

Are these entries in the slapd.conf suitable for LDAPS? If not, what's missing?

Start the server with
/usr/sbin/slapd -h ldap://192.168.30.169:636 -u ldap

Thanks a lot
Axel

AXEL GROSSE
Principal Solution Architect, Sales Solution Center, Axway
P: +61-405-995-768
828 Pacific Highway
Gordon, 2072 NSW
[email protected]
http://www.axway.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dieter Klünter
Sent: Thursday, 3 October 2013 6:46 PM
To: [email protected]
Subject: Re: Openldap server with TLS not working

On Thu, 3 Oct 2013 00:16:28 +0000, Axel Grosse <[email protected]> wrote:

> Hi Ben,
> thanks for the comment.
> agree with you on TLS usage should be preferred
> but the client that is connecting is only capable of LDAPS ... he has
> not implemented TLS Client yet .
>
> But can you please take a look at the error I am facing
>
> openssl s_client -connect 192.168.30.169:389 -showcerts
> -CAfile ./ssl/VordelCA.crt CONNECTED(00000003)
> 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
>
> any idea what can cause this ?
>
>
> AXEL GROSSE
> Principal Solution Architect, Sales Solution Center, Axway
> P: +61-405-995-768
> 828 Pacific Highway
> Gordon, 2072 NSW
> [email protected]
> http://www.axway.com
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of btb
> Sent: Wednesday, 2 October 2013 10:57 PM
> To: [email protected]
> Subject: Re: Openldap server with TLS not working
>
> On 2013.10.02 07.29, Axel Grosse wrote:
>
> > when I test on the server itself ..
> > openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile
> > ./ssl/VordelCA.crt
> > CONNECTED(00000003)
> > 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> > failure:s23_lib.c:188:
>
> ldaps [port 636] is deprecated. use starttls with the standard port
> [389]. to test, just use ldapsearch [see the reference to -Z in the
> man page]

You are connecting to port 389, but s_client is not able to initiate an LDAP startTLS session (only SMTP and IMAP), so you have to connect ldaps and port 636.

-Dieter

--
Dieter Klünter | Systems Consulting
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
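A small check for the two things the message above asks about, added here as an example that is not code from the thread or from OpenLDAP: the listener URL given to slapd -h, and the TLS directives in slapd.conf. The paths, address and directives are the ones quoted in the thread; the function names are this example's own. A ldaps:// listener is what an LDAPS-only client needs (TLS from the first byte), whereas ldap://host:636 binds cleartext LDAP to the LDAPS port, so a client that starts a TLS handshake there fails the same way the quoted s_client run against port 389 did.

```sh
#!/bin/sh
# Added example (not from the thread or OpenLDAP). Checks a slapd -h listener
# URL and a slapd.conf fragment for what an LDAPS client needs.
# Assumptions: hostnames or IPv4 literals in the URL; paths as quoted above.

# Classify one slapd listener URL. Prints one of:
#   ldaps-ok     ldaps:// scheme, TLS from the first byte
#   ldap-on-636  plain ldap:// bound to the LDAPS port: TLS clients fail the handshake
#   ldap-ok      plain ldap:// elsewhere (StartTLS possible with ldapsearch -Z)
#   unknown      any other scheme
check_listener_url() {
    url=$1
    scheme=${url%%://*}
    hostport=${url#*://}
    hostport=${hostport%%/*}
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   port="" ;;
    esac
    case $scheme in
        ldaps) echo ldaps-ok ;;
        ldap)
            if [ "$port" = 636 ]; then echo ldap-on-636; else echo ldap-ok; fi ;;
        *)     echo unknown ;;
    esac
}

# Report the slapd.conf directives a ldaps:// listener cannot do without:
# the server certificate and its private key. TLSCACertificateFile lists the
# CAs slapd trusts; TLSVerifyClient never only means no client certificate is
# requested and does not stop LDAPS from working.
# Prints "ok" or "missing: <directive> ...".
check_tls_directives() {
    conf=$1
    missing=""
    for d in TLSCertificateFile TLSCertificateKeyFile; do
        grep -q "^[[:space:]]*$d[[:space:]]" "$conf" || missing="$missing $d"
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# Constructed slapd.conf fragment holding the four directives quoted in the
# thread; writes it to a temp file and prints the path.
example_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/slapd.XXXXXX")
    cat > "$f" <<'EOF'
TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
TLSCertificateFile /etc/openldap/ssl/VordelDev.crt
TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
TLSVerifyClient never
EOF
    echo "$f"
}

# Walk through the thread's config and command line, plus the ldaps:// form.
conf=$(example_conf)
echo "slapd.conf: $(check_tls_directives "$conf")"
for u in "ldap://192.168.30.169:636" "ldaps://192.168.30.169:636" "ldap://192.168.30.169:389"; do
    echo "$u -> $(check_listener_url "$u")"
done
rm -f "$conf"
```

The directives quoted in the thread come back as ok; the quoted command line comes back as ldap-on-636, while the same address with a ldaps:// scheme is the form an LDAPS-only client can talk to.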
