Hi

I've followed the instructions in 
https://www.openldap.org/doc/admin26/quickstart.html to deploy openldap 2.6.4 
on a SLES 15 SP4 system. Once I confirmed that this was working correctly, I 
moved on to configure TLS, following the instructions in 
https://www.openldap.org/doc/admin26/tls.html. When I try a connection to the 
LDAPS port (636), I see the following:

ldpdd040:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636
CONNECTED(00000003)
139702302594704:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1683823897
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
ldpdd040:~ #

I'm using this command to start slapd:
 /usr/local/libexec/slapd -F /usr/local/etc/slapd.d -s 3 -h "ldap:/// ldaps:///"

When I execute the openssl command above, I look in /var/log/messages and see:

2023-05-11T12:51:55.213884-04:00 ldpdd042 slapd[20101]: conn=1000 fd=12 ACCEPT from IP=10.247.229.40:56844 (IP=0.0.0.0:636)
2023-05-11T12:51:55.213944-04:00 ldpdd042 slapd[20101]: connection_get(12): got connid=1000
2023-05-11T12:51:55.214004-04:00 ldpdd042 slapd[20101]: connection_read(12): checking for input on id=1000
2023-05-11T12:51:55.214065-04:00 ldpdd042 slapd[20101]: connection_read(12): TLS accept failure error=-1 id=1000, closing
2023-05-11T12:51:55.214138-04:00 ldpdd042 slapd[20101]: connection_close: conn=1000 sd=12
2023-05-11T12:51:55.214207-04:00 ldpdd042 slapd[20101]: conn=1000 fd=12 closed (TLS negotiation failure)
ldpdd0

I've appended these lines to /usr/local/etc/openldap/slapd.conf:

# Added TLS directives
#
TLSCACertificateFile    /var/lib/ca-certificates/ca-bundle.pem
TLSCertificateFile      /etc/ssl/private/server.cert
TLSCertificateKeyFile   /etc/ssl/private/server.key
#TLSCipherSuite         ALL

I can't find any log information that helps me understand what the problem is. 
I'm using a self-signed server certificate whose CN is the FQDN of the server.

How can I debug this?

Thanks!
tl
