RE: ldaps client and oracle internet directory
Hi,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 09, 2008 3:36 AM
To: openssl-users@openssl.org
Subject: RE: ldaps client and oracle internet directory

> Hello,
>
> [EMAIL PROTECTED] wrote on 06/06/2008 06:25:38 PM:
>
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > snipped
> > > > With the following error, what are the things that I need to check?
> > > > Thanks
> > > > Mike
> > > >
> > > > openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636
> > > > CONNECTED(0003)
> > > > 24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
> > > Try to add -debug -msg -state flags to this command to get more verbose output.
> >
> > Mark,
> >
> > That does help. Thanks. It should have been obvious from the error message above, but I've been thrashing so much on this that I am not thinking clearly.
> >
> > I did speak with the OID admin and he tells me that we are using the default config set, which is encryption only - no server auth. I am not sure if this is the source of the ssl handshake failure. I'm checking with the OID admin now.
> >
> > Thanks again for your suggestion. I hope this isn't too much off topic for this group.
> >
> > Mike
> >
> > +SUCCESSFUL SSL CONNECTION ON PORT 443+
> > # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:443 -state
> > CONNECTED(0003)
> > SSL_connect:before/connect initialization
> > SSL_connect:SSLv2/v3 write client hello A
> > SSL_connect:SSLv3 read server hello A
> > response snipped
> > SSL_connect:SSLv3 read server certificate A
> > SSL_connect:SSLv3 read server done A
> > SSL_connect:SSLv3 write client key exchange A
> > SSL_connect:SSLv3 write change cipher spec A
> > SSL_connect:SSLv3 write finished A
> > SSL_connect:SSLv3 flush data
> > SSL_connect:SSLv3 read finished A
> > ---
> >
> > +SSL HANDSHAKE FAILURE ON PORT 636+
> > # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state
> > CONNECTED(0003)
> > SSL_connect:before/connect initialization
> > SSL_connect:SSLv2/v3 write client hello A
> > SSL3 alert read:fatal:handshake failure
> > SSL_connect:error in SSLv2/v3 read server hello A
> > 1460:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
>
> Because you get the handshake alert after sending client_hello, the server does not accept some data in this packet.
> With SSLv2/v3, the client in reality sends an SSL2 client_hello, and this may not be acceptable to the server.
> You may add the -ssl3 or -tls1 flag to use exactly one of these protocols (without the SSL2 client_hello).

Ok, I am getting a different error now (see below). I'll do some more checking.

Thanks,
Mike

+WITH -ssl3 switch+
# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state -ssl3
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
29817:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
29817:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:

+WITH -tls1 switch+
[EMAIL PROTECTED] ~]# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect :636 -state -tls1
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
29825:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: ldaps client and oracle internet directory
Has OID at your site been configured for ldaps? The SSL connection on 443, if I'm not mistaken, is called StartTLS, which is different from ldaps. The URL below seems to suggest that ldaps in OID does not come configured out of the box.

http://www.politi.no/help/adoidset.htm

Saju

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Gaab
Sent: Monday, June 09, 2008 10:40 AM
To: openssl-users@openssl.org
Subject: RE: ldaps client and oracle internet directory

> Hi,
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, June 09, 2008 3:36 AM
> To: openssl-users@openssl.org
> Subject: RE: ldaps client and oracle internet directory
>
> > Hello,
> >
> > [EMAIL PROTECTED] wrote on 06/06/2008 06:25:38 PM:
> >
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > > snipped
> > > > > With the following error, what are the things that I need to check?
> > > > > Thanks
> > > > > Mike
> > > > >
> > > > > openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636
> > > > > CONNECTED(0003)
> > > > > 24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
> > > > Try to add -debug -msg -state flags to this command to get more verbose output.
> > >
> > > Mark,
> > >
> > > That does help. Thanks. It should have been obvious from the error message above, but I've been thrashing so much on this that I am not thinking clearly.
> > >
> > > I did speak with the OID admin and he tells me that we are using the default config set, which is encryption only - no server auth. I am not sure if this is the source of the ssl handshake failure. I'm checking with the OID admin now.
> > >
> > > Thanks again for your suggestion. I hope this isn't too much off topic for this group.
> > >
> > > Mike
> > >
> > > +SUCCESSFUL SSL CONNECTION ON PORT 443+
> > > # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:443 -state
> > > CONNECTED(0003)
> > > SSL_connect:before/connect initialization
> > > SSL_connect:SSLv2/v3 write client hello A
> > > SSL_connect:SSLv3 read server hello A
> > > response snipped
> > > SSL_connect:SSLv3 read server certificate A
> > > SSL_connect:SSLv3 read server done A
> > > SSL_connect:SSLv3 write client key exchange A
> > > SSL_connect:SSLv3 write change cipher spec A
> > > SSL_connect:SSLv3 write finished A
> > > SSL_connect:SSLv3 flush data
> > > SSL_connect:SSLv3 read finished A
> > > ---
> > >
> > > +SSL HANDSHAKE FAILURE ON PORT 636+
> > > # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state
> > > CONNECTED(0003)
> > > SSL_connect:before/connect initialization
> > > SSL_connect:SSLv2/v3 write client hello A
> > > SSL3 alert read:fatal:handshake failure
> > > SSL_connect:error in SSLv2/v3 read server hello A
> > > 1460:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
> >
> > Because you get the handshake alert after sending client_hello, the server does not accept some data in this packet.
> > With SSLv2/v3, the client in reality sends an SSL2 client_hello, and this may not be acceptable to the server.
> > You may add the -ssl3 or -tls1 flag to use exactly one of these protocols (without the SSL2 client_hello).
>
> Ok, I am getting a different error now (see below). I'll do some more checking.
>
> Thanks,
> Mike
>
> +WITH -ssl3 switch+
> # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state -ssl3
> CONNECTED(0003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL3 alert read:fatal:handshake failure
> SSL_connect:failed in SSLv3 read server hello A
> 29817:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
> 29817:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:
>
> +WITH -tls1 switch+
> [EMAIL PROTECTED] ~]# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect :636 -state -tls1
> CONNECTED(0003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv3 write client hello A
> SSL3 alert write:fatal:handshake failure
> SSL_connect:error in SSLv3 read server hello A
> 29825:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:
RE: ldaps client and oracle internet directory
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
snipped
> > With the following error, what are the things that I need to check?
> > Thanks
> > Mike
> >
> > openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636
> > CONNECTED(0003)
> > 24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
> Try to add -debug -msg -state flags to this command to get more verbose output.

Mark,

That does help. Thanks. It should have been obvious from the error message above, but I've been thrashing so much on this that I am not thinking clearly.

I did speak with the OID admin and he tells me that we are using the default config set, which is encryption only - no server auth. I am not sure if this is the source of the ssl handshake failure. I'm checking with the OID admin now.

Thanks again for your suggestion. I hope this isn't too much off topic for this group.

Mike

+SUCCESSFUL SSL CONNECTION ON PORT 443+
# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:443 -state
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
response snipped
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---

+SSL HANDSHAKE FAILURE ON PORT 636+
# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
1460:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
RE: ldaps client and oracle internet directory
Hello,

[EMAIL PROTECTED] wrote on 06/06/2008 06:25:38 PM:

> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> snipped
> > > With the following error, what are the things that I need to check?
> > > Thanks
> > > Mike
> > >
> > > openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636
> > > CONNECTED(0003)
> > > 24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
> > Try to add -debug -msg -state flags to this command to get more verbose output.
>
> Mark,
>
> That does help. Thanks. It should have been obvious from the error message above, but I've been thrashing so much on this that I am not thinking clearly.
>
> I did speak with the OID admin and he tells me that we are using the default config set, which is encryption only - no server auth. I am not sure if this is the source of the ssl handshake failure. I'm checking with the OID admin now.
>
> Thanks again for your suggestion. I hope this isn't too much off topic for this group.
>
> Mike
>
> +SUCCESSFUL SSL CONNECTION ON PORT 443+
> # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:443 -state
> CONNECTED(0003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> response snipped
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> ---
>
> +SSL HANDSHAKE FAILURE ON PORT 636+
> # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state
> CONNECTED(0003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL3 alert read:fatal:handshake failure
> SSL_connect:error in SSLv2/v3 read server hello A
> 1460:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:

Because you get the handshake alert after sending client_hello, the server does not accept some data in this packet.
With SSLv2/v3, the client in reality sends an SSL2 client_hello, and this may not be acceptable to the server.
You may add the -ssl3 or -tls1 flag to use exactly one of these protocols (without the SSL2 client_hello).

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
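To automate the triage Marek describes (one protocol version per run, then reading the alert or "wrong version number" line in the -state output, as in the three transcripts Mike posted), here is an added helper script that is not part of this thread. classify_handshake, probe_versions and classify_samples are hypothetical names, and the sample transcripts are constructed from the outcomes shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: triage `openssl s_client -state` output
# the way Marek's diagnosis does, then try one protocol version per run.
# classify_handshake and probe_versions are hypothetical helper names.

# Read an s_client transcript on stdin; print a one-word verdict.
classify_handshake() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'read finished'; then
    echo ok                 # peer's Finished was read: handshake completed
  elif printf '%s\n' "$out" | grep -q 'wrong version number'; then
    echo wrong-version      # record version in the reply is not what the client expected
  elif printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
    echo handshake-failure  # peer answered our ClientHello with alert 40
  elif printf '%s\n' "$out" | grep -q 'CONNECTED'; then
    echo unknown
  else
    echo no-connect
  fi
}

# Run s_client once per protocol flag against HOST:PORT ($1) with CA file $2 and
# print "flag verdict". Modern OpenSSL has no -ssl3; a flag the build lacks
# simply yields no-connect instead of aborting the loop.
probe_versions() {
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    verdict=$(openssl s_client -CAfile "$2" -connect "$1" -state "$flag" \
                </dev/null 2>&1 | classify_handshake)
    printf '%s %s\n' "$flag" "$verdict"
  done
}

# Constructed transcripts modelled on the three outcomes in the thread.
SAMPLE_OK='CONNECTED(0003)
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read finished A'
SAMPLE_ALERT='CONNECTED(0003)
SSL3 alert read:fatal:handshake failure
29817:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40'
SAMPLE_BADVER='CONNECTED(0003)
SSL3 alert write:fatal:handshake failure
29825:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:'

# Classify each constructed transcript, one verdict per line.
classify_samples() {
  for s in "$SAMPLE_OK" "$SAMPLE_ALERT" "$SAMPLE_BADVER"; do
    printf '%s\n' "$s" | classify_handshake
  done
}
```

Against a live host, `probe_versions ldap.example.test:636 /etc/openldap/cacerts/ca-cert.crt` prints one verdict per protocol flag, so a server that only accepts one version stands out at a glance.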
ldaps client and oracle internet directory
I am trying to establish a connection from an openldap/openssl client to Oracle Internet Directory. I know this isn't much to go on but will at least begin the conversation. I am getting the following error on the client. I am able to connect to 443 but unable to connect to 636. With the following error, what are the things that I need to check?

Thanks
Mike

openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect 10.10.7.86:636
CONNECTED(0003)
24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
Re: ldaps client and oracle internet directory
Hello,

[EMAIL PROTECTED] wrote on 06/05/2008 03:01:14 PM:

> I am trying to establish a connection from an openldap/openssl client to Oracle Internet Directory. I know this isn't much to go on but will at least begin the conversation. I am getting the following error on the client. I am able to connect to 443 but unable to connect to 636. With the following error, what are the things that I need to check?
>
> Thanks
> Mike
>
> openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect 10.10.7.86:636
> CONNECTED(0003)
> 24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:

Try to add -debug -msg -state flags to this command to get more verbose output.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]