Full_Name: zhang fan Version: 2.3.43 OS: RHEL5 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (202.108.130.138)
Hi Jon,

I am an FVT member of the CSTL system Z LDAP team.

Now I was configuring OpenLDAP with SSL support, but one problem came out and now I am asking for your help. Thank you very much. My LDAP server worked well before I set up SSL.
The SSL-related options in slapd.conf are:

    TLSCipherSuite ALL
    TLSCACertificateFile /etc/pki/tls/certs/slapd.pem
    TLSCertificateFile /etc/pki/tls/certs/slapd.pem
    TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
    TLSVerifyClient never
and I use openssl to test the connection:

    [root@zosmf07 ~]# openssl s_client -connect zosmf07.cn.ibm.com:636 -showcerts -state -CAfile /etc/pki/tls/certs/slapd.pem
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL3 alert read:fatal:handshake failure
    SSL_connect:error in SSLv2/v3 read server hello A
    7587:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
The server debug log looks like this:

    TLS trace: SSL3 alert write:fatal:handshake failure
    TLS trace: SSL_accept:error in SSLv3 read client hello B
    TLS trace: SSL_accept:error in SSLv3 read client hello B
    TLS: can't accept.
    TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1009
But when I use openssl s_server to listen on port 636, the SSL handshake succeeds:

    [root@zosmf07 ~]# openssl s_server -accept 636 -cert /etc/pki/tls/certs/slapd.pem -key /etc/pki/tls/certs/slapd.pem -state
    Using default temp DH parameters
    ACCEPT
    SSL_accept:before/accept initialization
    SSL_accept:SSLv3 read client hello A
    SSL_accept:SSLv3 write server hello A
    SSL_accept:SSLv3 write certificate A
    SSL_accept:SSLv3 write key exchange A
    SSL_accept:SSLv3 write server done A
    SSL_accept:SSLv3 flush data
    SSL_accept:SSLv3 read client key exchange A
    SSL_accept:SSLv3 read finished A
    SSL_accept:SSLv3 write change cipher spec A
    SSL_accept:SSLv3 write finished A
    SSL_accept:SSLv3 flush data
    -----BEGIN SSL SESSION PARAMETERS-----
    MHUCAQECAgMBBAIAOQQgwtPmka9K2vuA3Eg6Vu8ZBGOIGiq2RVQBAR7/U//dIf4E
    MDXZOmotMZFmCsIV+5448cYBMN5zTGe6FJeVHxdu9KuEe0BYnZ69LW/GbLmNyemk
    4KEGAgRQWUytogQCAgEspAYEBAEAAAA=
    -----END SSL SESSION PARAMETERS-----
    Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
    CIPHER is DHE-RSA-AES256-SHA
    Secure Renegotiation IS supported
Thank you very much for your help. This problem has bothered me for two weeks. I tried many methods but could not solve it. Thank you.

PS: the above is a self-signed certificate. I tried a CA, and the same problem came out.
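In the report above, openssl s_server (run as root) negotiates fine with the same PEM file while slapd answers "no shared cipher", which is the alert an OpenSSL server sends when it has no usable certificate/key and therefore no cipher suites to offer. The following script is an added example, not part of the report or of OpenLDAP: it checks a combined cert+key file for the things that make a key loadable by a root shell but not by slapd (no CERTIFICATE or PRIVATE KEY block, a passphrase-protected key, or a file unreadable by the service account, assumed here to be the ldap user as on RHEL). The sample PEM is constructed with placeholder bodies.

```python
import grp
import os
import pwd
import re
import stat

# One PEM block: the label on the BEGIN/END markers and everything between them.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, body) pairs for each PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def check_slapd_pem(text, mode, owner, group, service_user="ldap", service_group="ldap"):
    """Findings that stop slapd using a combined cert+key file; [] means none found.
    service_user/service_group is the account slapd drops to (assumed 'ldap', as on RHEL)."""
    findings = []
    labels = [label for label, _ in pem_blocks(text)]
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block, so TLSCertificateFile cannot be loaded")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no PRIVATE KEY block, so TLSCertificateKeyFile cannot be loaded")
    for label, body in pem_blocks(text):
        # A daemon cannot type a passphrase: a PKCS#8 'ENCRYPTED PRIVATE KEY' block or a
        # legacy key carrying a 'Proc-Type: 4,ENCRYPTED' header is unusable for slapd.
        if label.endswith("PRIVATE KEY") and "ENCRYPTED" in label + body:
            findings.append("private key is passphrase-protected; slapd cannot decrypt it")
    # openssl s_server run as root can read anything; slapd reads the key as service_user.
    readable = ((owner == service_user and mode & stat.S_IRUSR)
                or (group == service_group and mode & stat.S_IRGRP)
                or mode & stat.S_IROTH)
    if not readable:
        findings.append(f"file is not readable by {service_user}")
    if mode & stat.S_IROTH:
        findings.append("private key is world-readable")
    return findings

def check_pem_file(path, service_user="ldap", service_group="ldap"):
    """Run the checks against a file on disk (Unix only)."""
    st = os.stat(path)
    with open(path) as fh:
        return check_slapd_pem(fh.read(), stat.S_IMODE(st.st_mode), pwd.getpwuid(st.st_uid).pw_name,
                               grp.getgrgid(st.st_gid).gr_name, service_user, service_group)

# Constructed sample (placeholder bodies, not real key material): a certificate and a
# passphrase-protected legacy RSA key in one file.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
              "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
              "\nplaceholder\n-----END RSA PRIVATE KEY-----\n")
```

Running `check_pem_file("/etc/pki/tls/certs/slapd.pem")` on the server reports the same findings for the real file; an empty list means none of these particular problems apply and the search has to move on to the build's TLS library and cipher list.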