On Wed, 2012-03-21 at 10:27 -0600, Rich Megginson wrote:
> On 03/21/2012 10:09 AM, Jon Dufresne wrote:
> > Now that it is pointed out, this seems incorrect. Should this be changed to mode 644?
> Yes.
Thanks!
With that fixed I am now closer to connecting. As originally thought the SSL handshake is failing.
Doing the same ldapsearch I now receive the following output:
$ ldapsearch -d7 -x -H ldaps://HOST:636 -D "BASE_DN" -W
ldap_url_parse_ext(ldaps://HOST:636)
ldap_create
ldap_url_parse_ext(ldaps://HOST:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP HOST:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying HOST_IP:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: loaded CA certificate file /etc/openldap/cacerts/addtrust-ca.crt.
tls_write: want=70, written=70
  0000:  16 03 01 00 41 01 00 00  3d 03 01 4f 6a 16 7c 2b   ....A...=..Oj.|+
  0010:  10 6a 06 5b f3 d0 05 28  48 34 82 53 f8 3a 88 7b   .j.[...(H4.S.:.{
  0020:  42 0e 39 d0 7c 2f cb 32  91 33 2b 00 00 16 00 ff   B.9.|/.2.3+.....
  0030:  00 35 00 04 00 05 00 2f  00 0a 00 09 00 64 00 62   .5...../.....d.b
  0040:  00 03 00 06 01 00                                  ......
tls_read: want=5, got=5
  0000:  15 03 00 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 0a                                              ..
TLS: error: connect - force handshake failure: errno 21 - moznss error -12229
TLS: can't connect: TLS error -12229:SSL peer was not expecting a handshake message it received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
As noted before, I can reproduce the handshake failure with OpenSSL's s_client.
$ openssl s_client -connect HOST:636 ... Failure
While adding the -no_tls1 flag will:
$ openssl s_client -connect HOST:636 -no_tls1 ... Success
My first thought was to pass along the no TLS option to OpenLDAP. Is this possible? Or should I be taking a different approach?
Thanks, Jon
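The two hex dumps in the -d7 trace already contain the answer to "why does -no_tls1 work": the 70 bytes written are a TLS 1.0 ClientHello, and the 7 bytes read back are an SSLv3-framed fatal alert. The following decoder is an added example (not part of this thread, and not OpenLDAP or NSS code) that parses those two records; the byte strings are transcribed from the trace above, and the field names and the small lookup tables are taken from the TLS record and handshake layouts, not from anything on this list.

```python
"""Decode the TLS records captured in the ldapsearch -d7 trace.

Added example, not part of the mailing-list thread.  The two byte strings
below are transcribed from the tls_write / tls_read hex dumps in the trace.
"""
import struct
from datetime import datetime, timezone

# tls_write: want=70 -- the ClientHello the OpenLDAP/NSS client sent.
CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 41 01 00 00 3d 03 01 4f 6a 16 7c 2b"
    "10 6a 06 5b f3 d0 05 28 48 34 82 53 f8 3a 88 7b"
    "42 0e 39 d0 7c 2f cb 32 91 33 2b 00 00 16 00 ff"
    "00 35 00 04 00 05 00 2f 00 0a 00 09 00 64 00 62"
    "00 03 00 06 01 00"
)
# tls_read: want=5 then want=2 -- the peer's reply, header plus body.
SERVER_ALERT = bytes.fromhex("15 03 00 00 02" "02 0a")

RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 48: "unknown_ca",
                      70: "protocol_version"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def protocol_name(major, minor):
    return VERSIONS.get((major, minor), "unknown %d.%d" % (major, minor))


def parse_client_hello(p):
    """Walk the fixed ClientHello layout: version, random, session id,
    cipher suites, compression methods, then optional extensions."""
    major, minor = p[0], p[1]
    gmt = struct.unpack("!I", p[2:6])[0]          # first 4 bytes of random
    sid_len = p[34]
    off = 35 + sid_len
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = p[off]
    off += 1
    comps = list(p[off:off + comp_len])
    off += comp_len
    return {
        "client_version": protocol_name(major, minor),
        "gmt_unix_time": gmt,
        "gmt_unix_time_iso": datetime.fromtimestamp(gmt, tz=timezone.utc).isoformat(),
        "session_id_len": sid_len,
        "cipher_suites": suites,
        "compression_methods": comps,
        "has_extensions": off < len(p),   # nothing after compression => no extensions
    }


def parse_record(data):
    """Parse one TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    rec = {"type": RECORD_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
           "version": protocol_name(major, minor), "length": length}
    if ctype == 0x15:
        rec["level"] = ALERT_LEVELS.get(body[0], str(body[0]))
        rec["description"] = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
    elif ctype == 0x16:
        htype = body[0]
        hlen = int.from_bytes(body[1:4], "big")
        payload = body[4:4 + hlen]
        if len(payload) != hlen:
            raise ValueError("truncated handshake message")
        rec["handshake"] = HANDSHAKE_TYPES.get(htype, str(htype))
        if htype == 1:
            rec.update(parse_client_hello(payload))
    return rec


def summarize_exchange(client_bytes, server_bytes):
    """One-line reading of a ClientHello followed by the peer's first record."""
    c, s = parse_record(client_bytes), parse_record(server_bytes)
    if s["type"] == "alert":
        return ("client offered %s (%d suites, extensions=%s); peer replied with a %s "
                "%s alert framed as %s" % (c.get("client_version"), len(c.get("cipher_suites", [])),
                                          c.get("has_extensions"), s["level"], s["description"],
                                          s["version"]))
    return "client offered %s; peer replied with %s" % (c.get("client_version"), s["type"])


if __name__ == "__main__":
    print(summarize_exchange(CLIENT_HELLO, SERVER_ALERT))
```

Run against the bytes from the trace, this reports that the client offered TLS 1.0 with eleven cipher suites (including the 0x00ff renegotiation SCSV) and no extensions, and that the peer answered with a fatal unexpected_message alert in an SSLv3 record, which is exactly what NSS surfaces as -12229 "SSL peer was not expecting a handshake message it received". That is the same thing s_client shows: a TLS 1.0 hello is refused, an SSLv3-only hello is accepted. Decoding the alert tells you which side is at fault; it is the peer (or something in front of it) rejecting TLS 1.0, so the durable remedy is on the server side rather than pinning the client down to SSLv3.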