Hi,
I'm having an issue with an LDAP-UX client and I'm hoping someone can shed some light on this problem. I'm running OpenLDAP 2.3.39 on RHEL4 and my Linux clients connect fine with TLS. My HP-UX clients, however, are having problems. Here is what my slapd says when run with -d 255:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener(ldaps:///)
daemon: listen=8, new connection on 17
daemon: added 17r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 17r
daemon: read active on 17
connection_get(17)
connection_get(17): got connid=39
connection_read(17): checking for input on id=39
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  30 1d 02 01 01 77 18 80 16 31 2e   0....w...1.
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
connection_read(17): TLS accept failure error=-1 id=39, closing
connection_closing: readying conn=39 sd=17 for close
connection_close: conn=39 sd=17
daemon: removing 17
I'm not sure if it's using a different version of SSL or what. Please help as this is the final step before deploying OpenLDAP on my system.
Thanks
Adam Leach wrote:
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
Looks like your client tries to negotiate the SSLv23 protocol variant and your server does not accept this. You might have a look at the client's configuration to enforce SSLv3 or TLSv1. You should avoid using SSLv2 for security reasons anyway.
Ciao, Michael.
On Wed, 28 May 2008, Michael Ströder wrote:
> Adam Leach wrote:
> > TLS trace: SSL_accept:error in SSLv2/v3 read client hello A TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
> Looks like your client tries to negotiate the SSLv23 protocol variant and your server does not accept this. You might have a look at the client's configuration to enforce SSLv3 or TLSv1. You should avoid using SSLv2 for security reasons anyway.
"SSLv23" is OpenSSL's name for the version negotiation code, handling the choice between SSLv2, SSLv3, and TLSv1. Support for specific versions can be disabled using the SSL_{,CTX_}set_options() functions...which OpenLDAP doesn't call. With that ruled out, it looks from the OpenSSL code that the "unknown protocol" error would only be generated when the client sent something that didn't look like either the SSLv2 format or the SSLv3/TLS format, such as if it sent normal LDAP on the ldaps port.
Philip Guenther
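Philip's diagnosis can be checked against the 11 bytes slapd printed in the trace (30 1d 02 01 01 77 18 80 16 31 2e). The following is an added example, not code from the thread, from OpenLDAP or from HP's LDAP-UX: it applies the same first-byte test OpenSSL's version negotiation relies on (an SSLv3/TLS record header, an SSLv2 record header, or neither) and, when the bytes are plaintext LDAP, peeks at the BER envelope. The tag values (0x30 SEQUENCE, 0x77 for [APPLICATION 23] ExtendedRequest, 0x80 for requestName [0]) and the StartTLS OID come from X.690 and RFC 4511; the assumption that this particular capture is a StartTLS request is only a consistency claim, since the trace cuts the OID off after "1.", and the full request built for comparison is constructed here, not taken from the thread.

```python
# Added example for this thread (not code from the thread, OpenLDAP or LDAP-UX):
# classify the first bytes a TLS listener receives and, when they are plaintext
# LDAP, peek at the LDAPMessage envelope. Only the 11 TRACE_BYTES are copied
# from the slapd trace in the thread; everything else is constructed.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
EXTENDED_REQUEST_TAG = 0x77               # [APPLICATION 23] ExtendedRequest, constructed

# First 11 bytes from "tls_read: want=11, got=11" in the slapd trace above.
TRACE_BYTES = bytes.fromhex("301d02010177188016312e")


def classify_first_bytes(buf: bytes) -> str:
    """Tell a real SSL/TLS hello from plaintext LDAP using only the first bytes.

    This mirrors the check OpenSSL's SSLv23 (version negotiation) code makes
    before it raises "unknown protocol".
    """
    if len(buf) < 3:
        return "too-short"
    if buf[0] == 0x16 and buf[1] == 0x03:
        return "tls-record"           # handshake content type 22, version 3.x (SSLv3/TLS)
    if buf[0] == 0x30:
        return "plaintext-ldap"       # BER SEQUENCE: an LDAPMessage sent in the clear
    if buf[0] & 0x80 and buf[2] == 0x01:
        return "sslv2-client-hello"   # 2-byte length with high bit set, then CLIENT-HELLO (1)
    return "unknown"


def _ber_length(buf: bytes, pos: int):
    """Decode a BER length at pos; return (length, next_pos) or None if truncated."""
    if pos >= len(buf):
        return None
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or pos + n > len(buf):
        return None
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def peek_ldap_message(buf: bytes) -> dict:
    """Decode messageID and protocolOp from a possibly truncated capture,
    reporting only what is actually present in the bytes."""
    info = {}
    if classify_first_bytes(buf) != "plaintext-ldap":
        return info
    r = _ber_length(buf, 1)
    if r is None:
        return info
    info["message_length"], pos = r
    if pos >= len(buf) or buf[pos] != 0x02:      # messageID INTEGER
        return info
    r = _ber_length(buf, pos + 1)
    if r is None:
        return info
    ilen, pos = r
    if pos + ilen > len(buf):
        return info
    info["message_id"] = int.from_bytes(buf[pos:pos + ilen], "big", signed=True)
    pos += ilen
    if pos >= len(buf):
        return info
    info["protocol_op_tag"] = buf[pos]
    if buf[pos] != EXTENDED_REQUEST_TAG:
        return info
    info["protocol_op"] = "extendedRequest"
    r = _ber_length(buf, pos + 1)
    if r is None:
        return info
    _, pos = r
    if pos >= len(buf) or buf[pos] != 0x80:      # requestName [0] LDAPOID
        return info
    r = _ber_length(buf, pos + 1)
    if r is None:
        return info
    oid_len, pos = r
    visible = buf[pos:pos + oid_len].decode("ascii", "replace")
    info["request_name_prefix"] = visible
    info["request_name_complete"] = len(visible) == oid_len
    # Consistency claim only: declared OID length equals the StartTLS OID's
    # length and the visible characters match its start.
    info["consistent_with_starttls"] = (
        oid_len == len(STARTTLS_OID) and STARTTLS_OID.startswith(visible)
    )
    return info


def build_starttls_request(message_id: int = 1) -> bytes:
    """Constructed StartTLS ExtendedRequest (no requestValue), message IDs 0..127."""
    oid = STARTTLS_OID.encode("ascii")
    request_name = bytes([0x80, len(oid)]) + oid
    ext_req = bytes([EXTENDED_REQUEST_TAG, len(request_name)]) + request_name
    body = bytes([0x02, 0x01, message_id]) + ext_req
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    print(classify_first_bytes(TRACE_BYTES), peek_ldap_message(TRACE_BYTES))
    print(build_starttls_request().startswith(TRACE_BYTES))
```

Run against the trace bytes, the classifier reports plaintext LDAP (messageID 1, protocolOp ExtendedRequest, a 22-character requestName starting "1."), and a constructed StartTLS request with messageID 1 begins with exactly those 11 bytes. That is the "normal LDAP on the ldaps port" case Philip describes: a StartTLS request is an LDAP operation, so sending it to a negotiate-on-connect listener produces the unknown-protocol error rather than a TLS handshake.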
It looks like my problem was that with LDAP-UX you can only use TLS over an unencrypted port. If you try to use it over 636 it fails. I guess this is normal. Thanks for the help.
On Wed, May 28, 2008 at 1:01 PM, Philip Guenther <guenther+ldapsoft@sendmail.com> wrote:
> On Wed, 28 May 2008, Michael Ströder wrote:
> > Adam Leach wrote:
> > > TLS trace: SSL_accept:error in SSLv2/v3 read client hello A TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
> > Looks like your client tries to negotiate the SSLv23 protocol variant and your server does not accept this. You might have a look at the client's configuration to enforce SSLv3 or TLSv1. You should avoid using SSLv2 for security reasons anyway.
> "SSLv23" is OpenSSL's name for the version negotiation code, handling the choice between SSLv2, SSLv3, and TLSv1. Support for specific versions can be disabled using the SSL_{,CTX_}set_options() functions...which OpenLDAP doesn't call. With that ruled out, it looks from the OpenSSL code that the "unknown protocol" error would only be generated when the client sent something that didn't look like either the SSLv2 format or the SSLv3/TLS format, such as if it sent normal LDAP on the ldaps port.
> Philip Guenther
On Wed, 28 May 2008, Adam Leach wrote:
> It looks like my problem was that with LDAP-UX you can only use TLS over an unencrypted port. If you try to use it over 636 it fails. I guess this is normal. Thanks for the help.
What, exactly, were you trying to do? Port 636 is the "ldaps" port, i.e., negotiate-SSL-on-connect, so you have to change the URI schema to use it. If you were trying to use a URI like "ldap://hostname:636", then try again with "ldaps://hostname" (636 is the default port for the ldaps schema).
Philip Guenther
openldap-software@openldap.org