Thanks, Howard. Would you know how I can find a suitable package that uses openssl?
I also tried moving the CA certificate chain file to the /etc/openldap/cacerts/ folder, splitting the file into 3 separate certificates, and running c_rehash to generate the hashed links. After modifying ldap.conf to use the cacerts folder instead of the CA file:

TLS: file cso_root_ca.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: loaded CA certificate file /etc/openldap/cacerts/5de054ac.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/241dd1a5.0 from CA certificate directory /etc/openldap/cacerts.
TLS: loaded CA certificate file /etc/openldap/cacerts/95df54c4.0 from CA certificate directory /etc/openldap/cacerts.
TLS: file cso_functional_ca.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file cso_issuing_ca.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: error: connect - force handshake failure: errno 0 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -5938:Encountered end of file
So I guess I'm stuck until I compile from scratch using openssl, or find a package that doesn't use Mozilla NSS.
Thanks
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: February 23, 2012 1:04 PM
To: Bryce Powell
Cc: openldap-technical@openldap.org
Subject: Re: SSL handshake failure
Bryce Powell wrote:
Hi, I can't get slapd to respond successfully to TLS or SSL connections using an RSA 2048-bit PEM certificate:
You're using Mozilla NSS, so the fact that OpenSSL tools accept your cert doesn't help you.
While a lot of good work has gone into the Mozilla NSS support, I would still say the MozNSS design is braindead and is not well suited for anything besides the Netscape/Mozilla browser codebase and should be avoided. Rebuild OpenLDAP using OpenSSL and I suspect these problems will disappear.
$ ldapsearch -x -ZZ -d1 -H ldap://FQDNhostname
TLS: loaded CA certificate file /etc/openldap/cacerts/FQDNhostname.cacert.pem.
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -5938:Encountered end of file

$ openssl s_client -connect FQDNhostname:636 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem
CONNECTED(00000003)
140457427965768:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 113 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
The following packages are installed on CentOS 6.2:

openldap-servers-2.4.23-20.el6.x86_64
openldap-2.4.23-20.el6.x86_64
openldap-clients-2.4.23-20.el6.x86_64
openssl-1.0.0-20.el6_2.1.x86_64
openssl-devel-1.0.0-20.el6_2.1.x86_64
gnutls-2.8.5-4.el6.x86_64
gnutls-devel-2.8.5-4.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64

The /etc/openldap/ldap.conf file contains:

TLS_CACERT /etc/openldap/cacerts/FQDNhostname.cacert.pem

which contains a chain of three certificates (root CA, intermediate/functional, and issuing).

The /etc/openldap/slapd.conf file contains:

TLSCipherSuite HIGH:+SSLv3
TLSCertificateFile /etc/openldap/FQDNhostname.cert.pem
TLSCertificateKeyFile /etc/openldap/FQDNhostname.key.pem

The server is acting as a proxy to an Active Directory, and therefore I only have one LDAP database defined. My intention is to use LDAPS for communication between the client and LDAP proxy servers:

database ldap
suffix "dc=abc,dc=local"
rebind-as-user
uri "ldap://IPaddress1/ ldap://IPaddress2/ ldap://IPaddress3/ ldap://IPaddress4/"
chase-referrals yes
noundeffilter yes
use-temporary-conn yes

The certificate and private key are located in /etc/openldap/, with the following permissions:

-r--r-----. 1 ldap ldap 2076 Feb 21 15:30 FQDNhostname.cert.pem
-r--r-----. 1 ldap ldap 1675 Feb 21 15:35 FQDNhostname.sdi.key.pem

The CN of the certificate matches the FQDN host name of the LDAP server. The private key is not password protected.

Everything checks out OK by testing the certificate using openssl:

$ openssl verify -purpose sslserver -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem /etc/openldap/FQDNhostname.cert.pem
/etc/openldap/FQDNhostname.cert.pem: OK

OpenSSL client/server connections work fine too:

openssl s_server -cert /etc/openldap/FQDNhostname.cert.pem -key /etc/openldap/FQDNhostname.key.pem -cipher 'HIGH:+SSLv3'
openssl s_client -connect FQDNhostname:4433 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem

Bryce Powell
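The debug output earlier in the thread shows the practical trap with a CA certificate directory: the library only loads entries named <8 hex digits of the subject hash>.<N> (the files c_rehash creates) and silently skips the plain .pem files, so an administrator can believe a CA is trusted when it is not. The following script is an added example, not code from the thread or from the OpenLDAP project. It splits a concatenated PEM chain into one file per certificate (the step described above) and reports which entries of a cacerts directory listing will be loaded and which will be skipped, using the same file-name rule the log complains about. It does not compute the hash itself; that still needs c_rehash or "openssl x509 -hash -noout -in <file>". The PEM bundle and the directory listing are constructed sample input (the listing reuses the file names from the log; the certificate bodies are placeholders, not real certificates).

```python
import re
from pathlib import Path

# Certificate blocks inside a concatenated PEM bundle (re.S lets "." span newlines).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S
)

# The file-name form an entry of a CA certificate directory must have before the
# TLS library loads it: eight lowercase hex digits (the subject-name hash)
# followed by ".N", e.g. 5de054ac.0. Anything else is skipped, as the log shows.
HASHED_NAME_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")


def split_pem_bundle(bundle_text):
    """Return each certificate block of a PEM chain file as its own string."""
    return [m.group(0) for m in PEM_CERT_RE.finditer(bundle_text)]


def write_chain_files(bundle_text, out_dir, stem="ca"):
    """Write the certificates of a bundle to out_dir/<stem>-1.pem ... and return the paths.

    These plain .pem names are for inspection only: the TLS library will skip them
    until c_rehash (or 'openssl x509 -hash') has created the hashed links beside them.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, block in enumerate(split_pem_bundle(bundle_text), start=1):
        path = out / f"{stem}-{i}.pem"
        path.write_text(block + "\n")
        paths.append(path)
    return paths


def classify_cacert_dir(file_names):
    """Split directory entries into the ones the library will load and the ones it will skip."""
    loaded = sorted(n for n in file_names if HASHED_NAME_RE.match(n))
    skipped = sorted(n for n in file_names if not HASHED_NAME_RE.match(n))
    return loaded, skipped


# Constructed sample input: three placeholder blocks, not real certificates.
SAMPLE_BUNDLE = "\n".join(
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CERT-%d\n-----END CERTIFICATE-----" % i
    for i in (1, 2, 3)
)

# Constructed directory listing, reusing the file names from the debug output.
SAMPLE_LISTING = [
    "cso_root_ca.pem", "5de054ac.0", "241dd1a5.0", "95df54c4.0",
    "cso_functional_ca.pem", "cso_issuing_ca.pem",
]

if __name__ == "__main__":
    print(len(split_pem_bundle(SAMPLE_BUNDLE)), "certificates in bundle")
    loaded, skipped = classify_cacert_dir(SAMPLE_LISTING)
    print("will load:", loaded)
    print("will skip (not hashed):", skipped)
```

Run against a real cacerts directory, pass the output of os.listdir() to classify_cacert_dir(); three hashed entries for a three-certificate chain means every CA in the chain is actually being loaded, and the "will skip" list is then only the human-readable copies.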