Hi,
We have a check (shell script) that talks to a customer's LDAP server
(over which we have no control) and only SSLv2 seems to work when
using "openssl s_client -connect". I am trying to make ldapclient use
SSLv2 but it does not work (our machine is running RHEL 5.4 x86_64).
First, the OpenSSL illustration:
]# openssl s_client -ssl3 -connect 10.1.2.3:636
CONNECTED(00000003)
depth=3 <omitted for privacy>
verify return:1
depth=2 <omitted for privacy>
verify return:1
depth=1 <omitted for privacy>
verify return:1
depth=0 <omitted for privacy>
verify return:1
6759:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
#
but if we use SSLv2 then it works - I am able to establish a
connection and see the certificate used.
I have created a small ldap client config file with the following contents:
TLS_REQCERT never
TLS_CIPHER_SUITE SSLv2
I make sure that config is used by setting the "LDAPCONF" variable
while calling ldapsearch, like so
# LDAPCONF=./ldaprc ldapsearch -H ldaps://10.1.2.3:636 -x -s base -D
'CN=binder,OU=Service Accounts,OU=example ou,dc=example,dc=com' -w
'secret' -b '' -d 1
ldap_create
ldap_url_parse_ext(ldaps://10.1.2.3:636)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.1.2.3:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.2.3:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
#
but it mysteriously fails. If I make the configuration file use SSLv3,
then the following output is given (but that is expected, as the server
does not seem to want to speak SSLv3):
# LDAPCONF=./ldaprc ldapsearch -H ldaps://10.1.2.3:636 -x -s base -D
'CN=binder,OU=Service Accounts,OU=example ou,dc=example,dc=com' -w
'secret' -b '' -d 1
ldap_create
ldap_url_parse_ext(ldaps://10.1.2.3:636)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.1.2.3:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.2.3:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 3, <omitted>
TLS certificate verification: depth: 2, <omitted>
TLS certificate verification: depth: 1, <omitted>
TLS certificate verification: depth: 0, <omitted>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
Any suggestions would be much appreciated.
Regards,
Fred.
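An added example, not Fred's check script or anything else from this thread: it automates the probing step described in the message (one "openssl s_client" attempt per protocol flag against the LDAPS port) and classifies each transcript from its text instead of reading it by eye. The host and port are arguments, and the sample transcripts inside the script are constructed, not captured from any real server. The -ssl2 flag only exists on old OpenSSL builds such as the one on RHEL 5; modern builds reject it, which the classifier reports as "unknown". SSLv2 itself is cryptographically broken and prohibited by RFC 6176, so a probe like this is for diagnosing a legacy endpoint, not a reason to keep it.

```shell
#!/bin/sh
# Added example (not from the original post): probe an LDAPS endpoint with
# openssl s_client, one protocol version per attempt, and classify the
# transcript.  Assumptions: host/port come in as arguments, and the local
# openssl still accepts -ssl2 (old builds only).

# classify_s_client: read an s_client transcript on stdin, print one word.
# Error markers are matched first because newer s_client versions still
# print a "Verify return code" summary after a failed handshake.
classify_s_client() {
    transcript=$(cat)
    case "$transcript" in
        *"ssl handshake failure"*|*"SSL routines"*)
            echo handshake-failed ;;
        *"connect:errno"*|*"Connection refused"*)
            echo no-connection ;;
        *"Verify return code"*)
            echo handshake-ok ;;
        *)
            echo unknown ;;
    esac
}

# probe_ldaps HOST [PORT]: one s_client attempt per protocol flag, e.g.
#   probe_ldaps 10.1.2.3 636
# prints lines such as "ssl3 handshake-failed" and "ssl2 handshake-ok".
probe_ldaps() {
    host=$1
    port=${2:-636}
    for proto in ssl2 ssl3 tls1; do
        result=$(openssl s_client -"$proto" -connect "$host:$port" </dev/null 2>&1 \
                 | classify_s_client)
        echo "$proto $result"
    done
}

# Constructed sample transcripts (abridged from the shape s_client prints;
# not captured from any real server) so the classifier runs offline.
SAMPLE_FAIL=$(printf '%s\n' \
    'CONNECTED(00000003)' \
    'depth=0 CN=ldap.example.com' \
    'verify return:1' \
    '6759:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:')

SAMPLE_OK=$(printf '%s\n' \
    'CONNECTED(00000003)' \
    'depth=0 CN=ldap.example.com' \
    'verify return:1' \
    '---' \
    'Server certificate' \
    'SSL-Session:' \
    '    Protocol  : SSLv2' \
    '    Cipher    : DES-CBC3-MD5' \
    '    Verify return code: 0 (ok)')

SAMPLE_REFUSED=$(printf '%s\n' \
    'connect: Connection refused' \
    'connect:errno=111')

# self_check: classify the three samples and print the three verdicts,
# space separated, so the classifier can be checked without a network.
self_check() {
    a=$(printf '%s\n' "$SAMPLE_FAIL" | classify_s_client)
    b=$(printf '%s\n' "$SAMPLE_OK" | classify_s_client)
    c=$(printf '%s\n' "$SAMPLE_REFUSED" | classify_s_client)
    echo "$a $b $c"
}

# Only probe a real server when a host was given on the command line.
if [ "$#" -gt 0 ]; then
    probe_ldaps "$@"
fi
```

Run it as "sh probe.sh 10.1.2.3 636" to get one verdict per protocol flag; a server that answers "ssl2 handshake-ok" and nothing else is exactly the situation in the message, and the output is easier to act on in a check script than the raw s_client transcript.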