I’ve built and installed the openssl 1.1.1c thinking my issues are incompatibility between the version of openldap and original openssl v1.0.2f  installed on my Centos 7

I get one step farther now, from the client’s debug output, but still fail at “tls_post_process_client_hello:no shared cipher.

Does anyone know why there is no shared cipher, when both server and client run on the same machine, and use the same libssl ??

Is there a config option I’m not aware of?

 

Server---------------------------------------------------------

5e0fb9f5 daemon: activity on 1 descriptor

5e0fb9f5 daemon: activity on:

5e0fb9f5 slap_listener_activate(7):

5e0fb9f5 daemon: epoll: listen=7 busy

5e0fb9f5 >>> slap_listener(ldaps://server.my-domain.com:636)

5e0fb9f5 daemon: accept() = 11

5e0fb9f5 daemon: listen=7, new connection on 11

5e0fb9f5 daemon: added 11r (active) listener=(nil)

5e0fb9f5 conn=1000 fd=11 ACCEPT from IP=127.0.0.1:52044 (IP=127.0.0.1:636)

5e0fb9f5 daemon: activity on 1 descriptor

5e0fb9f5 daemon: activity on:

5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL

5e0fb9f5 daemon: activity on 1 descriptor

5e0fb9f5 daemon: activity on: 11r

5e0fb9f5 daemon: read active on 11

5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL

5e0fb9f5 connection_get(11)

5e0fb9f5 connection_get(11): got connid=1000

5e0fb9f5 connection_read(11): checking for input on id=1000

TLS trace: SSL_accept:before SSL initialization

tls_read: want=5, got=5

  0000:  16 03 01 01 20                                     ....             

tls_read: want=288, got=288

  0000:  01 00 01 1c 03 03 c5 6e  9e 33 03 28 e6 22 df 0f   .......n.3.(.".. 

  0010:  ca 0d ca ec 17 54 b1 dd  8b 35 b0 55 ca d2 23 ca   .....T...5.U..#. 

  0020:  07 f1 c2 69 3b ca 20 7d  07 1c 28 37 b5 b4 69 7b   ...i;. }..(7..i{ 

  0030:  16 ad 62 dd 8e 97 6e 78  3a 9f c7 69 13 bd c7 fe   ..b...nx:..i.... 

  0040:  bb 0f 4a f4 92 78 21 00  3e 13 02 13 03 13 01 c0   ..J..x!.>....... 

  0050:  2c c0 30 00 9f cc a9 cc  a8 cc aa c0 2b c0 2f 00   ,.0.........+./. 

  0060:  9e c0 24 c0 28 00 6b c0  23 c0 27 00 67 c0 0a c0   ..$.(.k.#.'.g... 

  0070:  14 00 39 c0 09 c0 13 00  33 00 9d 00 9c 00 3d 00   ..9.....3.....=. 

  0080:  3c 00 35 00 2f 00 ff 01  00 00 95 00 0b 00 04 03   <.5./........... 

  0090:  00 01 02 00 0a 00 0c 00  0a 00 1d 00 17 00 1e 00   ................ 

  00a0:  19 00 18 00 23 00 00 00  16 00 00 00 17 00 00 00   ....#........... 

  00b0:  0d 00 30 00 2e 04 03 05  03 06 03 08 07 08 08 08   ..0............. 

  00c0:  09 08 0a 08 0b 08 04 08  05 08 06 04 01 05 01 06   ................ 

  00d0:  01 03 03 02 03 03 01 02  01 03 02 02 02 04 02 05   ................ 

  00e0:  02 06 02 00 2b 00 09 08  03 04 03 03 03 02 03 01   ....+........... 

  00f0:  00 2d 00 02 01 01 00 33  00 26 00 24 00 1d 00 20   .-.....3.&.$...  

  0100:  84 ce 50 d7 96 90 49 13  4b dd b0 71 51 52 51 c6   ..P...I.K..qQRQ. 

  0110:  21 6e 87 46 7f 33 f6 b4  fd f8 03 84 a1 96 c7 77   !n.F.3.........w 

TLS trace: SSL_accept:before SSL initialization

tls_write: want=7, written=7

  0000:  15 03 03 00 02 02 28                               ......(          

TLS trace: SSL3 alert write:fatal:handshake failure

TLS trace: SSL_accept:error in error

TLS: can't accept: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher.

5e0fb9f5 connection_read(11): TLS accept failure error=-1 id=1000, closing

5e0fb9f5 connection_closing: readying conn=1000 sd=11 for close

5e0fb9f5 connection_close: conn=1000 sd=11

5e0fb9f5 daemon: removing 11

5e0fb9f5 conn=1000 fd=11 closed (TLS negotiation failure)

5e0fb9f5 daemon: activity on 1 descriptor

5e0fb9f5 daemon: activity on:

5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL

 

Client----------------------------------------------------------

[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -ZZ  -d -1

ldap_create

ldap_extended_operation_s

ldap_extended_operation

ldap_send_initial_request

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_host: TCP server.my-domain.com:636

ldap_new_socket: 3

ldap_prepare_socket: 3

ldap_connect_to_host: Trying 127.0.0.1:636

ldap_pvt_connect: fd: 3 tm: -1 async: 0

attempting to connect:

connect success

TLS trace: SSL_connect:before SSL initialization

tls_write: want=293, written=293

  0000:  16 03 01 01 20 01 00 01  1c 03 03 c5 6e 9e 33 03   .... .......n.3. 

  0010:  28 e6 22 df 0f ca 0d ca  ec 17 54 b1 dd 8b 35 b0   (.".......T...5. 

  0020:  55 ca d2 23 ca 07 f1 c2  69 3b ca 20 7d 07 1c 28   U..#....i;. }..( 

  0030:  37 b5 b4 69 7b 16 ad 62  dd 8e 97 6e 78 3a 9f c7   7..i{..b...nx:.. 

  0040:  69 13 bd c7 fe bb 0f 4a  f4 92 78 21 00 3e 13 02   i......J..x!.>.. 

  0050:  13 03 13 01 c0 2c c0 30  00 9f cc a9 cc a8 cc aa   .....,.0........ 

  0060:  c0 2b c0 2f 00 9e c0 24  c0 28 00 6b c0 23 c0 27   .+./...$.(.k.#.' 

  0070:  00 67 c0 0a c0 14 00 39  c0 09 c0 13 00 33 00 9d   .g.....9.....3.. 

  0080:  00 9c 00 3d 00 3c 00 35  00 2f 00 ff 01 00 00 95   ...=.<.5./...... 

  0090:  00 0b 00 04 03 00 01 02  00 0a 00 0c 00 0a 00 1d   ................ 

  00a0:  00 17 00 1e 00 19 00 18  00 23 00 00 00 16 00 00   .........#...... 

  00b0:  00 17 00 00 00 0d 00 30  00 2e 04 03 05 03 06 03   .......0........ 

  00c0:  08 07 08 08 08 09 08 0a  08 0b 08 04 08 05 08 06   ................ 

  00d0:  04 01 05 01 06 01 03 03  02 03 03 01 02 01 03 02   ................ 

  00e0:  02 02 04 02 05 02 06 02  00 2b 00 09 08 03 04 03   .........+...... 

  00f0:  03 03 02 03 01 00 2d 00  02 01 01 00 33 00 26 00   ......-.....3.&. 

  0100:  24 00 1d 00 20 84 ce 50  d7 96 90 49 13 4b dd b0   $... ..P...I.K.. 

  0110:  71 51 52 51 c6 21 6e 87  46 7f 33 f6 b4 fd f8 03   qQRQ.!n.F.3..... 

  0120:  84 a1 96 c7 77                                     ....w            

TLS trace: SSL_connect:SSLv3/TLS write client hello

tls_read: want=5, got=5

  0000:  15 03 03 00 02                                     .....            

tls_read: want=2, got=2

  0000:  02 28                                              .(               

TLS trace: SSL3 alert read:fatal:handshake failure

TLS trace: SSL_connect:error in error

TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.

ldap_err2string

ldap_start_tls: Can't contact LDAP server (-1)

               additional info: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

 

 

thanks in advance for considering my problem !

Ken

 

 

 

 

 

From: openldap-technical <openldap-technical-bounces@openldap.org> On Behalf Of [ext] Dunne, Kenneth
Sent: Friday, January 3, 2020 10:41 AM
To: openldap-technical@openldap.org
Subject: RE: Issues with OpenLdap using OpenTLS

 

Thanks for the suggestions everyone,

I’ve corrected an issue with the generation of the self-signed CA , I was using the wrong ‘cert’

For OpenSSL this gets put into:

   /etc/pki/CA/cacert.pem

 

I have used the “Common Name” in the cert-generation as:  server.my-domain.com

I have it in /etc/hosts as:

    127.0.0.1         server.my-domain.com

I am using ‘localhost’ first in this investigation-stage, and will be used for our unit-tests

The port 636 does not appear to be firewalled

 

I get a little farther now with these changes, 8 bytes are sent/received: see below TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.

 

----------------------------------------------------ldap server

/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h ldaps://server.my-domain.com:636 -d -1

.

.

5e0f6aa1 daemon: activity on:

5e0f6aa1 daemon: epoll: listen=7 active_threads=0 tvp=NULL

5e0f6b65 daemon: activity on 1 descriptor

5e0f6b65 daemon: activity on:

5e0f6b65 slap_listener_activate(7):

5e0f6b65 daemon: epoll: listen=7 busy

5e0f6b65 >>> slap_listener(ldaps://server.my-domain.com:636)

5e0f6b65 daemon: accept() = 11

5e0f6b65 daemon: listen=7, new connection on 11

5e0f6b65 daemon: added 11r (active) listener=(nil)

5e0f6b65 conn=1001 fd=11 ACCEPT from IP=127.0.0.1:51880 (IP=127.0.0.1:636)

5e0f6b65 daemon: activity on 1 descriptor

5e0f6b65 daemon: activity on:

5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL

5e0f6b65 daemon: activity on 1 descriptor

5e0f6b65 daemon: activity on: 11r

5e0f6b65 daemon: read active on 11

5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL

5e0f6b65 connection_get(11)

5e0f6b65 connection_get(11): got connid=1001

5e0f6b65 connection_read(11): checking for input on id=1001

TLS trace: SSL_accept:before/accept initialization

tls_read: want=11, got=11

  0000:  16 03 01 01 1c 01 00 01  18 03 03                  ...........      

tls_read: want=278, got=278

  0000:  c7 eb 10 c3 5a af 18 e7  9b 3b ad 08 e6 cc b2 7d   ....Z....;.....} 

  0010:  ee a7 7d 0f c4 fe 01 49  8a 5b d3 94 c5 25 08 1d   ..}....I.[...%.. 

  0020:  00 00 ac c0 30 c0 2c c0  28 c0 24 c0 14 c0 0a 00   ....0.,.(.$..... 

  0030:  a5 00 a3 00 a1 00 9f 00  6b 00 6a 00 69 00 68 00   ........k.j.i.h. 

  0040:  39 00 38 00 37 00 36 00  88 00 87 00 86 00 85 c0   9.8.7.6......... 

  0050:  32 c0 2e c0 2a c0 26 c0  0f c0 05 00 9d 00 3d 00   2...*.&.......=. 

  0060:  35 00 84 c0 2f c0 2b c0  27 c0 23 c0 13 c0 09 00   5.../.+.'.#..... 

  0070:  a4 00 a2 00 a0 00 9e 00  67 00 40 00 3f 00 3e 00   ........g.@.?.>. 

  0080:  33 00 32 00 31 00 30 00  9a 00 99 00 98 00 97 00   3.2.1.0......... 

  0090:  45 00 44 00 43 00 42 c0  31 c0 2d c0 29 c0 25 c0   E.D.C.B.1.-.).%. 

  00a0:  0e c0 04 00 9c 00 3c 00  2f 00 96 00 41 c0 12 c0   ......<./...A... 

  00b0:  08 00 16 00 13 00 10 00  0d c0 0d c0 03 00 0a 00   ................ 

  00c0:  07 c0 11 c0 07 c0 0c c0  02 00 05 00 04 00 ff 01   ................ 

  00d0:  00 00 43 00 0b 00 04 03  00 01 02 00 0a 00 0a 00   ..C............. 

  00e0:  08 00 17 00 19 00 18 00  16 00 23 00 00 00 0d 00   ..........#..... 

  00f0:  20 00 1e 06 01 06 02 06  03 05 01 05 02 05 03 04    ............... 

  0100:  01 04 02 04 03 03 01 03  02 03 03 02 01 02 02 02   ................ 

  0110:  03 00 0f 00 01 01                                  ......           

tls_write: want=7, written=7

  0000:  15 03 03 00 02 02 28                               ......(          

TLS trace: SSL3 alert write:fatal:handshake failure

TLS trace: SSL_accept:error in error

TLS trace: SSL_accept:error in error

TLS: can't accept: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher.

5e0f6b65 connection_read(11): TLS accept failure error=-1 id=1001, closing

5e0f6b65 connection_closing: readying conn=1001 sd=11 for close

5e0f6b65 connection_close: conn=1001 sd=11

5e0f6b65 daemon: removing 11

5e0f6b65 conn=1001 fd=11 closed (TLS negotiation failure)

5e0f6b65 daemon: activity on 1 descriptor

5e0f6b65 daemon: activity on:

5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL

^C5e0f6e38 daemon: shutdown requested and initiated.

5e0f6e38 daemon: removing 7r

5e0f6e38 daemon: closing 7

5e0f6e38 slapd shutdown: waiting for 0 operations/tasks to finish

5e0f6e38 slapd shutdown: initiated

5e0f6e38 slapd destroy: freeing system resources.

5e0f6e38 slapd stopped.

 

---------------------------------------------------- client

[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -H ldaps://server.my-domain.com:636 -d -1

ldap_url_parse_ext(ldaps://server.my-domain.com:636)

ldap_create

ldap_url_parse_ext(ldaps://server.my-domain.com:636/??base)

ldap_sasl_bind

ldap_send_initial_request

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_host: TCP server.my-domain.com:636

ldap_new_socket: 3

ldap_prepare_socket: 3

ldap_connect_to_host: Trying 127.0.0.1:636

ldap_pvt_connect: fd: 3 tm: -1 async: 0

attempting to connect:

connect success

TLS trace: SSL_connect:before/connect initialization

tls_write: want=289, written=289

  0000:  16 03 01 01 1c 01 00 01  18 03 03 8b 5c ad c3 76   ............\..v 

  0010:  a2 eb 75 4f df e3 f3 7b  5c 55 73 5e 2c 43 62 de   ..uO...{\Us^,Cb. 

  0020:  98 5f 5d b8 3b c0 82 32  46 86 cd 00 00 ac c0 30   ._].;..2F......0 

  0030:  c0 2c c0 28 c0 24 c0 14  c0 0a 00 a5 00 a3 00 a1   .,.(.$.......... 

  0040:  00 9f 00 6b 00 6a 00 69  00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7 

  0050:  00 36 00 88 00 87 00 86  00 85 c0 32 c0 2e c0 2a   .6.........2...* 

  0060:  c0 26 c0 0f c0 05 00 9d  00 3d 00 35 00 84 c0 2f   .&.......=.5.../ 

  0070:  c0 2b c0 27 c0 23 c0 13  c0 09 00 a4 00 a2 00 a0   .+.'.#.......... 

  0080:  00 9e 00 67 00 40 00 3f  00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1 

  0090:  00 30 00 9a 00 99 00 98  00 97 00 45 00 44 00 43   .0.........E.D.C 

  00a0:  00 42 c0 31 c0 2d c0 29  c0 25 c0 0e c0 04 00 9c   .B.1.-.).%...... 

  00b0:  00 3c 00 2f 00 96 00 41  c0 12 c0 08 00 16 00 13   .<./...A........ 

  00c0:  00 10 00 0d c0 0d c0 03  00 0a 00 07 c0 11 c0 07   ................ 

  00d0:  c0 0c c0 02 00 05 00 04  00 ff 01 00 00 43 00 0b   .............C.. 

  00e0:  00 04 03 00 01 02 00 0a  00 0a 00 08 00 17 00 19   ................ 

  00f0:  00 18 00 16 00 23 00 00  00 0d 00 20 00 1e 06 01   .....#..... .... 

  0100:  06 02 06 03 05 01 05 02  05 03 04 01 04 02 04 03   ................ 

  0110:  03 01 03 02 03 03 02 01  02 02 02 03 00 0f 00 01   ................ 

  0120:  01                                                 .                

TLS trace: SSL_connect:SSLv2/v3 write client hello A

tls_read: want=7, got=7

  0000:  15 03 03 00 02 02 28                               ......(          

TLS trace: SSL3 alert read:fatal:handshake failure

TLS trace: SSL_connect:error in SSLv2/v3 read server hello A

TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.

ldap_err2string

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

 

 

From: openldap-technical <openldap-technical-bounces@openldap.org> On Behalf Of Christopher Paul
Sent: Thursday, January 2, 2020 6:17 PM
To: openldap-technical@openldap.org
Subject: Re: Issues with OpenLdap using OpenTLS

 

I

On 1/2/20 8:36 AM, Dunne, Kenneth wrote:

All

 

  I am able to connect to my home-built OpenSSL installation (from Dec-19 sources) on CentOS-7 without the TLS bind

[...]

TLS trace: SSL_connect:SSLv2/v3 write client hello A

tls_read: want=7, got=0

Hey Ken, is port 636 open on the host-based firewall if it's running? any other firewalls blocking 636?

CP