Thanks for the suggestions everyone,
I've corrected an issue with the generation of the self-signed CA , I was using
the wrong 'cert'
For OpenSSL this gets put into:
/etc/pki/CA/cacert.pem
I have used the "Common Name" in the cert-generation as: server.my-domain.com
I have it in /etc/hosts as:
127.0.0.1 server.my-domain.com
I am using 'localhost' first in this investigation-stage, and will be used for
our unit-tests
The port 636 does not appear to be firewalled
I get a little farther now with these changes, 8 bytes are sent/received: see
below TLS: can't connect: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.
----------------------------------------------------ldap server
/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h
ldaps://server.my-domain.com:636 -d -1
.
.
5e0f6aa1 daemon: activity on:
5e0f6aa1 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 slap_listener_activate(7):
5e0f6b65 daemon: epoll: listen=7 busy
5e0f6b65 >>> slap_listener(ldaps://server.my-domain.com:636)
5e0f6b65 daemon: accept() = 11
5e0f6b65 daemon: listen=7, new connection on 11
5e0f6b65 daemon: added 11r (active) listener=(nil)
5e0f6b65 conn=1001 fd=11 ACCEPT from IP=127.0.0.1:51880 (IP=127.0.0.1:636)
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on: 11r
5e0f6b65 daemon: read active on 11
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 connection_get(11)
5e0f6b65 connection_get(11): got connid=1001
5e0f6b65 connection_read(11): checking for input on id=1001
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 16 03 01 01 1c 01 00 01 18 03 03 ...........
tls_read: want=278, got=278
0000: c7 eb 10 c3 5a af 18 e7 9b 3b ad 08 e6 cc b2 7d ....Z....;.....}
0010: ee a7 7d 0f c4 fe 01 49 8a 5b d3 94 c5 25 08 1d ..}....I.[...%..
0020: 00 00 ac c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 ....0.,.(.$.....
0030: a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 ........k.j.i.h.
0040: 39 00 38 00 37 00 36 00 88 00 87 00 86 00 85 c0 9.8.7.6.........
0050: 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 2...*.&.......=.
0060: 35 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00 5.../.+.'.#.....
0070: a4 00 a2 00 a0 00 9e 00 67 00 40 00 3f 00 3e 00 ........g.@.?.>.
0080: 33 00 32 00 31 00 30 00 9a 00 99 00 98 00 97 00 3.2.1.0.........
0090: 45 00 44 00 43 00 42 c0 31 c0 2d c0 29 c0 25 c0 E.D.C.B.1.-.).%.
00a0: 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 12 c0 ......<./...A...
00b0: 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00 0a 00 ................
00c0: 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 ................
00d0: 00 00 43 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 ..C.............
00e0: 08 00 17 00 19 00 18 00 16 00 23 00 00 00 0d 00 ..........#.....
00f0: 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 ...............
0100: 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 ................
0110: 03 00 0f 00 01 01 ......
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
cipher.
5e0f6b65 connection_read(11): TLS accept failure error=-1 id=1001, closing
5e0f6b65 connection_closing: readying conn=1001 sd=11 for close
5e0f6b65 connection_close: conn=1001 sd=11
5e0f6b65 daemon: removing 11
5e0f6b65 conn=1001 fd=11 closed (TLS negotiation failure)
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
^C5e0f6e38 daemon: shutdown requested and initiated.
5e0f6e38 daemon: removing 7r
5e0f6e38 daemon: closing 7
5e0f6e38 slapd shutdown: waiting for 0 operations/tasks to finish
5e0f6e38 slapd shutdown: initiated
5e0f6e38 slapd destroy: freeing system resources.
5e0f6e38 slapd stopped.
---------------------------------------------------- client
[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -b '' -s base
'(objectclass=*)' namingContexts -H ldaps://server.my-domain.com:636 -d -1
ldap_url_parse_ext(ldaps://server.my-domain.com:636)
ldap_create
ldap_url_parse_ext(ldaps://server.my-domain.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server.my-domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
tls_write: want=289, written=289
0000: 16 03 01 01 1c 01 00 01 18 03 03 8b 5c ad c3 76 ............\..v
0010: a2 eb 75 4f df e3 f3 7b 5c 55 73 5e 2c 43 62 de ..uO...{\Us^,Cb.
0020: 98 5f 5d b8 3b c0 82 32 46 86 cd 00 00 ac c0 30 ._].;..2F......0
0030: c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040: 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050: 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a .6.........2...*
0060: c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070: c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080: 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090: 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 .0.........E.D.C
00a0: 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0: 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 .<./...A........
00c0: 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 ................
00d0: c0 0c c0 02 00 05 00 04 00 ff 01 00 00 43 00 0b .............C..
00e0: 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 ................
00f0: 00 18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 .....#..... ....
0100: 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 ................
0110: 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 ................
0120: 01 .
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
From: openldap-technical <[email protected]> On Behalf Of
Christopher Paul
Sent: Thursday, January 2, 2020 6:17 PM
To: [email protected]
Subject: Re: Issues with OpenLdap using OpenTLS
I
On 1/2/20 8:36 AM, Dunne, Kenneth wrote:
All
I am able to connect to my home-built OpenSSL installation (from Dec-19
sources) on CentOS-7 without the TLS bind
[...]
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
Hey Ken, is port 636 open on the host-based firewall if it's running? any other
firewalls blocking 636?
CP
