I know there are a lot of questions on this topic and ask for your patience.
I'm trying to figure out how to discern if slapd is properly configured for SSL/TLS. Reading through the slapd strace output shows that the cacert & certfile are being opened & read.
slapd v2.3.27
When I look at netstat -an, ports 389 & 636 are listening:
    tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
slapd.conf:
    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLS_CACertificateFile /var/data/ca/cacert.pem
    TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
    TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
    TLSVerifyClient never
Reading through the strace output shows that the cacert & certfile are being opened.
ldap.conf:
    BASE dc=gmartin, dc=org
    URI ldap://linux2.gmartin.org
    TLS_CACERT /var/data/ca/cacert.pem
ldaprc:
    TLS_CACERT /var/data/ca/cacert.pem
When I try ldapsearch or openssl s_client, I receive:
    sslv3 alert handshake failure
And using slapd debug I see:
    TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:97
I checked the FAQ and I think I've looked at everything there. Not sure where to look next.
\Greg
Sorry for the long post, but I resolved most of this. It was all configuration detail. There were two things happening:
I was using:
    TLS_CACertificateFile
    TLS_CertificateFile
    TLS_CertificateKeyFile
(Note the extra underscore)
not:
    TLSCACertificateFile
    TLSCertificateFile
    TLSCertificateKeyFile
I guess I got ldap.conf & slapd.conf directives confused. When I ran slapd in -d 255 I found that mistake.
Second: I had the following in slapd.conf & ldap.conf:
    TLSCipherSuite DHE-RSA-AES256-SHA
(which I cut & pasted from 'openssl ciphers')
I replaced it with:
    TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
It's still not clear to me what the syntax should be. Trying to translate the openssl -v ciphers into what's mentioned in the manpage doesn't help me much. But I can be dense.
So a couple questions that don't need answers:
- Would there be value in making the slapd.conf & ldap.conf TLS directives align?
- Should slaptest report the bad TLS directives?
And one more. In the man page for slapd, there is this explanation for the -h option:
    -h URLlist
    slapd will by default serve ldap:/// (LDAP over TCP on all interfaces on default LDAP port). That is, it will bind using INADDR_ANY and port 389. The -h option may be used to specify LDAP (and other scheme) URLs to serve. For example, if slapd is given -h "ldap://127.0.0.1:9009/ ldaps:/// ldapi:///", it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
The last part seems inexact. It says -h ldaps:/// will cause slapd to listen on port 636 for LDAP over TLS. Should that say something like:
    "will cause slapd to listen for LDAP over SSL on port 636 and for start_tls on port 389?"
I've dropped all this in my blog at: http://linux2.gmartin.org:82/tiki/tiki-view_blog_post.php?blogId=2&postI...
BTW, I still can't get phpldapadmin to connect using tls, but that's for another day.
\Greg
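Added example (not part of the original posts, and not OpenLDAP project code): a small Python lint for the directive-name mix-up described in this message. It also flags TLSCipherSuite strings that name weak groups, such as the +SSLv2 and +EXP entries above. The directive tables are a subset of slapd.conf(5) and ldap.conf(5); the WEAK set and the name lint_slapd_conf are choices made for this example.

```python
import re

# TLS directives from slapd.conf(5), keyed lower-case for case-insensitive matching.
SLAPD_TLS = {d.lower(): d for d in (
    "TLSCipherSuite", "TLSCACertificateFile", "TLSCACertificatePath",
    "TLSCertificateFile", "TLSCertificateKeyFile", "TLSDHParamFile",
    "TLSRandFile", "TLSVerifyClient", "TLSCRLCheck", "TLSCRLFile")}
# ldap.conf(5) client options and the slapd.conf directive with the same role.
CLIENT_TO_SERVER = {
    "tls_cacert": "TLSCACertificateFile", "tls_cacertdir": "TLSCACertificatePath",
    "tls_cert": "TLSCertificateFile", "tls_key": "TLSCertificateKeyFile",
    "tls_cipher_suite": "TLSCipherSuite"}
# Cipher-string groups treated as weak here (list chosen for this example).
WEAK = {"low", "exp", "export", "sslv2", "adh", "anull", "enull", "null"}

def lint_slapd_conf(text):
    """Return (line_number, message) findings for TLS lines of a slapd.conf."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        # Skip blanks, comments and continuation lines (leading whitespace).
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue
        key, *args = raw.split()
        low = key.lower()
        if not low.startswith("tls"):
            continue
        if low in CLIENT_TO_SERVER:
            findings.append((n, f"{key} is an ldap.conf option; use {CLIENT_TO_SERVER[low]}"))
        elif low not in SLAPD_TLS:
            # An underscored variant of a real directive gets a suggestion.
            guess = SLAPD_TLS.get(low.replace("_", ""))
            hint = f"; did you mean {guess}?" if guess else ""
            findings.append((n, f"{key} is not a slapd.conf directive{hint}"))
        elif low == "tlsciphersuite":
            # Tokens starting with '!' or '-' remove ciphers; flag any other
            # token that names a weak group.
            weak = [t for t in re.split(r"[:, ]+", " ".join(args))
                    if t and t[0] not in "!-"
                    and WEAK & set(t.lstrip("+").lower().split("+"))]
            if weak:
                findings.append((n, "TLSCipherSuite names weak groups: " + ", ".join(weak)))
    return findings

# Constructed sample modelled on the slapd.conf quoted in the thread.
SAMPLE = """TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACertificateFile /var/data/ca/cacert.pem
TLS_CertificateFile /var/data/ca/newcerts/ldap1cert.pem
TLS_CertificateKeyFile /etc/openldap/ldap1keyclear.txt
TLSVerifyClient never
"""

if __name__ == "__main__":
    for n, msg in lint_slapd_conf(SAMPLE):
        print(f"line {n}: {msg}")
```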
I have to add one more thing. It appears that with the proper certs specified in slapd.conf, no -h ldaps:/// is needed to make TLS available over port 389. My command line is now:
    /usr/libexec/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf
and TLS is available. I don't think the man page or faq makes this clear. I've added a note to the faq.
\Greg
openldap-software@openldap.org