Today 17:09:11
Hello!
For some time now we have been using OpenLDAP in order to provide a stable network-wide authentication service. Of course, we also enabled TLS support so that every connection is encrypted. However, we encounter some problems which are definitely an SSL matter, as they also occur when we try to test our setup using "openssl s_client" and "openssl s_server". Most of the time TLS/SSL works perfectly, but it may happen that we get the following error when we restart slapd:
$ ldapsearch -x -ZZ -d1
[...]
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=uranos.lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
	additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[...]
If this is the case, we can't get it to work anymore, and the whole server has to be switched off in order to make it work again. What might cause this problem? The OS is Ubuntu Linux 6.06.1 Dapper Server Edition.
Looking forward to your answer!
Thanks, Fabian
P.S. We are using self-signed certificates of our own CA.
Since you seem to be noting a problem on the server, it would make the most sense to actually supply the debug trace from the server. You might also provide the versions of OpenSSL and OpenLDAP that are in use.
Fabian Steiner wrote:
> Today 17:09:11
> Hello!
> For some time now we have been using OpenLDAP in order to provide a stable network-wide authentication service. Of course, we also enabled TLS support so that every connection is encrypted. However, we encounter some problems which are definitely an SSL matter, as they also occur when we try to test our setup using "openssl s_client" and "openssl s_server". Most of the time TLS/SSL works perfectly, but it may happen that we get the following error when we restart slapd:
> $ ldapsearch -x -ZZ -d1
> [...]
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
> TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=uranos.lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/L=Marquartstein/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL3 alert read:fatal:handshake failure
> TLS trace: SSL_connect:failed in SSLv3 read finished A
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> 	additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> [...]
> If this is the case, we can't get it to work anymore, and the whole server has to be switched off in order to make it work again. What might cause this problem? The OS is Ubuntu Linux 6.06.1 Dapper Server Edition.
> Looking forward to your answer!
> Thanks, Fabian
> P.S. We are using self-signed certificates of our own CA.
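The trace in the original message and Howard's request for the server-side log both come down to the same question: where in the handshake did things go wrong, and which side decided? The following helper, added here as an illustration and not code from OpenLDAP or from either poster, parses the client-side output of `ldapsearch -ZZ -d1`, reports whether the client accepted the server's chain, lists how far the handshake got, and attributes the fatal alert to the side that sent it. The embedded sample trace is constructed from the output quoted above, and the small table of X509 verify error numbers is taken from OpenSSL's x509_vfy.h.

```python
"""Triage helper for the client-side TLS trace that `ldapsearch -ZZ -d1` prints.

Added example for this thread, not code from OpenLDAP or from the original
poster. It parses the trace lines, checks whether the client accepted the
server's certificate chain, records the handshake states in order, and says
which side sent the fatal alert. The sample trace below is constructed from
the output quoted in the post.
"""
import re

# Constructed sample, abridged from the trace in the original message.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Bavaria/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Bavaria/O=Staatliches Landschulheim Marquartstein/CN=uranos.lsh-marquartstein.de, issuer: /C=DE/ST=Bavaria/O=Staatliches Landschulheim Marquartstein/CN=lsh-marquartstein.de
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
"""

CERT_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                     r"subject: (.*?), issuer: (.*)$")
ALERT_RE = re.compile(r"TLS trace: SSL3 alert (read|write):(\w+):(.*)$")
STATE_RE = re.compile(r"TLS trace: SSL_connect:(.*)$")

# Verify error numbers from OpenSSL's x509_vfy.h (the ones seen most often).
X509_ERRORS = {2: "unable to get issuer certificate", 7: "certificate signature failure",
               9: "certificate is not yet valid", 10: "certificate has expired",
               18: "self-signed certificate", 19: "self-signed certificate in chain",
               20: "unable to get local issuer certificate"}


def parse_trace(text):
    """Return the per-depth certificate checks and the ordered handshake events."""
    chain, events = [], []  # events: ("state", name) or ("alert", sender, level, desc)
    for line in text.splitlines():
        m = CERT_RE.match(line)
        if m:
            chain.append({"depth": int(m[1]), "err": int(m[2]),
                          "subject": m[3], "issuer": m[4]})
            continue
        m = ALERT_RE.match(line)
        if m:  # "read" means the peer (the server) sent the alert, "write" means we did
            events.append(("alert", "server" if m[1] == "read" else "client", m[2], m[3]))
            continue
        m = STATE_RE.match(line)
        if m:
            events.append(("state", m[1]))
    return {"chain": chain, "events": events}


def triage(parsed):
    """Turn the parsed trace into findings a defender can act on."""
    findings = []
    bad = [c for c in parsed["chain"] if c["err"] != 0]
    if parsed["chain"] and not bad:
        findings.append("client accepted the server chain (err 0 at every depth)")
    for c in bad:
        reason = X509_ERRORS.get(c["err"], f"X509 verify error {c['err']}")
        findings.append(f"client rejected depth {c['depth']} ({reason}): {c['subject']}")
    states = [e[1] for e in parsed["events"] if e[0] == "state"]
    if any("read server certificate request" in s for s in states):
        findings.append("server asked for a client certificate")
    last_state = None
    for e in parsed["events"]:
        if e[0] == "state":
            last_state = e[1]
        elif e[2] == "fatal":
            findings.append(f"fatal alert '{e[3]}' from the {e[1]} "
                            f"after client state '{last_state}'")
            if e[1] == "server" and any("write finished" in s for s in states):
                findings.append("client had already sent its certificate and Finished; "
                                "the rejection happened on the server, so the server-side "
                                "trace (slapd -d1) is where the verify error will show")
    return findings


def main():
    for line in triage(parse_trace(SAMPLE_TRACE)):
        print("-", line)


if __name__ == "__main__":
    main()
```

Run against the sample, the helper reports that the client verified both certificates, that the server asked for a client certificate, and that the fatal alert came from the server only after the client's Finished message, which is exactly why the client-side trace alone cannot name the cause. Pipe a real `ldapsearch -d1` run into `parse_trace` to get the same summary for your own setup.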
On Thursday 23 August 2007 20:28:15 Howard Chu wrote:
> Since you seem to be noting a problem on the server, it would make the most sense to actually supply the debug trace from the server. You might also provide the versions of OpenSSL and OpenLDAP that are in use.
ldapsearch was executed on the server - if I start slapd with debug options (-d1) enabled, I get exactly the same error message. Unfortunately I only have SSH access at the moment, and I would prefer not to reproduce it, because otherwise I probably won't be able to log in anymore. If these pieces of information are not enough, please let me know. I will then try what I can do.
slapd: 2.3.30-2 (installed via apt-get)
openssl: 0.9.8a-7ubuntu0.3 (installed via apt-get)
Do you have any ideas what might cause this problem?
Thanks, Fabian
openldap-software@openldap.org