terry.lem...@dell.com wrote:
> Hi Howard
>
> Thanks very much for the reply and the suggestion. Here is the output of a
> ldapsearch command that completes successfully when I omit '-H
> ldaps://ldpdd042.hop.lab.emc.com:636':

The lack of any server reply to the client's Hello message strikes me as
probably a TLS version mismatch. Check what versions of TLS libraries are in
use on both the client and server, and if they've been configured to include
or exclude any particular TLS versions. Also, both slapd and the clients
should be configured to use the self-signed server cert as a CA cert.

> ldpdd042:~ # ldapsearch -d -1 -x -b 'dc=example,dc=com' '(objectclass=*)' -H ldaps://ldpdd042.hop.lab.emc.com:636
> ldap_url_parse_ext(ldaps://ldpdd042.hop.lab.emc.com:636)
> ldap_create
> ldap_url_parse_ext(ldaps://ldpdd042.hop.lab.emc.com:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldpdd042.hop.lab.emc.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.247.229.42:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS trace: SSL_connect:before SSL initialization
> tls_write: want=334, written=334
> 0000:  16 03 01 01 49 01 00 01  45 03 03 a2 85 24 0b ee   ....I...E....$..
> 0010:  8f 28 13 34 a4 e5 6a c3  48 50 69 d7 81 72 96 02   .(.4..j.HPi..r..
> 0020:  7b 56 46 6a ec d0 f3 64  71 35 b2 20 fd 17 70 c9   {VFj...dq5. ..p.
> 0030:  15 23 3d 7c 31 66 99 84  f3 92 4b c7 a9 ab e2 f8   .#=|1f....K.....
> 0040:  5b b3 42 44 7e 91 f5 4b  9a 5b c9 b1 00 46 13 02   [.BD~..K.[...F..
> 0050:  13 03 13 01 c0 2c c0 30  cc a9 cc a8 c0 ad c0 2b   .....,.0.......+
> 0060:  c0 2f c0 ac c0 23 c0 27  c0 0a c0 14 c0 09 c0 13   ./...#.'........
> 0070:  00 9d c0 9d 00 9c c0 9c  00 3d 00 3c 00 35 00 2f   .........=.<.5./
> 0080:  00 9f cc aa c0 9f 00 9e  c0 9e 00 6b 00 67 00 39   ...........k.g.9
> 0090:  00 33 00 ff 01 00 00 b6  00 00 00 1d 00 1b 00 00   .3..............
> 00a0:  18 6c 64 70 64 64 30 34  32 2e 68 6f 70 2e 6c 61   .ldpdd042.hop.la
> 00b0:  62 2e 65 6d 63 2e 63 6f  6d 00 0b 00 04 03 00 01   b.emc.com.......
> 00c0:  02 00 0a 00 0c 00 0a 00  1d 00 17 00 1e 00 19 00   ................
> 00d0:  18 00 23 00 00 00 16 00  00 00 17 00 00 00 0d 00   ..#.............
> 00e0:  30 00 2e 04 03 05 03 06  03 08 07 08 08 08 09 08   0...............
> 00f0:  0a 08 0b 08 04 08 05 08  06 04 01 05 01 06 01 03   ................
> 0100:  03 02 03 03 01 02 01 03  02 02 02 04 02 05 02 06   ................
> 0110:  02 00 2b 00 09 08 03 04  03 03 03 02 03 01 00 2d   ..+............-
> 0120:  00 02 01 01 00 33 00 26  00 24 00 1d 00 20 49 ea   .....3.&.$... I.
> 0130:  8c 2a c7 1e 18 82 13 d1  46 3d 46 b0 b7 2b bd b2   .*......F=F..+..
> 0140:  6e 13 ec ab c5 fa 25 4d  4f cc 58 77 78 69         n.....%MO.Xwxi
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> tls_read: want=5, got=0
>
> TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> TLS: can't connect: .
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> ldpdd042:~ #
>
> Here's what was written to /var/log/messages:
>
> 2023-05-11T16:04:32.584581-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 ACCEPT from IP=10.247.229.42:47346 (IP=0.0.0.0:636)
> 2023-05-11T16:04:32.594205-04:00 ldpdd042 slapd[21376]: connection_get(12)
> 2023-05-11T16:04:32.594295-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 closed (TLS negotiation failure)
>
> I'm using a self-signed server certificate, so no CA should be involved. Not
> sure if that is causing the problem?
>
> Thanks!
> tl
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
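To see from the client side what the 334-byte tls_write record in the trace above actually offered, here is an added Python example (not code from the thread or from OpenLDAP) that decodes that ClientHello and reports the legacy version, the supported_versions extension, the SNI and the cipher suites; those can then be compared with the TLS versions slapd and its library are configured to accept. The bytes are copied from the quoted dump; the parser assumes a single TLS record holding one ClientHello in RFC 8446 layout.

```python
# Added example (not from the thread): decode the ClientHello the ldapsearch -d -1 trace above dumped.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# The 334 bytes of the tls_write record from the quoted trace (offsets 0000-0140).
CLIENT_HELLO = bytes.fromhex(
    "1603010149010001450303a285240bee8f281334a4e56ac3485069d781729602"
    "7b56466aecd0f3647135b220fd1770c915233d7c31669984f3924bc7a9abe2f8"
    "5bb342447e91f54b9a5bc9b10046130213031301c02cc030cca9cca8c0adc02b"
    "c02fc0acc023c027c00ac014c009c013009dc09d009cc09c003d003c0035002f"
    "009fccaac09f009ec09e006b00670039003300ff010000b60000001d001b0000"
    "186c647064643034322e686f702e6c61622e656d632e636f6d000b0004030001"
    "02000a000c000a001d0017001e00190018002300000016000000170000000d00"
    "30002e040305030603080708080809080a080b08040805080604010501060103"
    "0302030301020103020202040205020602002b0009080304030303020301002d"
    "00020101003300260024001d002049ea8c2ac71e188213d1463d46b0b72bbdb2"
    "6e13ecabc5fa254d4fcc58777869"
)

def _u16(buf, i):
    return int.from_bytes(buf[i:i + 2], "big")

def parse_client_hello(rec):
    """Parse a TLS record carrying a ClientHello; return versions, SNI and cipher suites."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    info = {"legacy_version": TLS_VERSIONS.get(_u16(body, 0)),
            "supported_versions": [], "sni": None}
    p = 2 + 32                      # skip legacy_version and the 32-byte random
    p += 1 + body[p]                # skip legacy_session_id
    cs_len = _u16(body, p)
    p += 2
    info["cipher_suites"] = [_u16(body, i) for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                # skip legacy_compression_methods
    end = p + 2 + _u16(body, p)     # the extensions block ends here
    p += 2
    while p < end:
        etype, elen = _u16(body, p), _u16(body, p + 2)
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000:         # server_name: list_len(2) type(1) name_len(2) name
            info["sni"] = data[5:5 + _u16(data, 3)].decode("ascii")
        elif etype == 0x002b:       # supported_versions: len(1) then 2-byte versions
            info["supported_versions"] = [TLS_VERSIONS.get(_u16(data, i), hex(_u16(data, i)))
                                          for i in range(1, 1 + data[0], 2)]
    return info

if __name__ == "__main__":
    h = parse_client_hello(CLIENT_HELLO)
    print(f"legacy {h['legacy_version']}, offers {h['supported_versions']}, SNI {h['sni']}, {len(h['cipher_suites'])} suites")
```

For this capture the client offered TLS 1.3 down to TLS 1.0 with the expected SNI, so if the server closes the connection without replying, the next things to compare are the server's configured TLS version range and its trust in the self-signed certificate.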