Hello,
After creating a self-signed certificate as per the OpenLDAP Admin Guide, TLS/SSL was enabled. The CN used when creating the certificates was the hostname of the LDAP server, "node01". However, when conducting further TLS/SSL tests there appears to be a handshaking error between the client and server. Additionally, when checking the server certificates using the "openssl s_client -connect :636 -state -CAfile /var/certs/cacert.pem -cert /var/certs/servercrt.pem -key /var/certs/serverkey.pem" command, it indicates that the client private certificate key can't be loaded and that it is expecting a start line (see below). I would appreciate any additional info. Config data is as follows:
CLIENT CONFIG DATA
/etc/ldap.conf
host node01
base dc=S80,dc=com
uri ldaps://node01/
ldap_version 3
port 636
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
tls_reqcert never
tls_ciphers TLSv1
pam_password md5
/etc/openldap/ldap.conf
URI ldaps://node01:636
HOST node01
BASE dc=S80,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
/etc/openldap/cacerts/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Virginia, O=XXX, OU=S80, CN=node01/emailAddress=XXX
        Validity
            Not Before: Feb 21 15:10:48 2008 GMT
            Not After : Feb 20 15:10:48 2011 GMT
        Subject: C=US, ST=Virginia, O=XXX, OU=S80, CN=node01/emailAddress=XXX
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:da:b9:b0:ba:ca:95:f1:fc:48:6e:e9:d5:5d:d5:
                    22:aa:9e:38:19:7d:0c:14:65:44:fa:12:69:f6:98:
                    6a:38:43:11:29:20:a8:a2:98:a9:00:ce:40:19:e5:
                    56:46:1b:85:d6:99:91:5f:7b:a9:19:ac:7b:7c:cc:
                    42:13:88:99:99:af:98:52:9b:a4:60:77:ca:e7:ae:
                    41:97:c0:8c:5e:f9:a1:44:c0:6b:29:ec:3f:9b:1e:
                    59:dc:05:f5:b8:a8:ed:71:7c:db:51:26:1f:59:ee:
                    04:fc:b0:24:77:64:2e:be:df:a7:1a:91:34:81:f4:
                    a6:d6:b9:26:64:63:2f:19:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:AA:5F:32:3D:7F:80:FA:4A:A1:A2:24:BC:66:AB:CE:C3:5A:A8:E0
            X509v3 Authority Key Identifier:
                keyid:C1:AA:5F:32:3D:7F:80:FA:4A:A1:A2:24:BC:66:AB:CE:C3:5A:A8:E0
    Signature Algorithm: sha1WithRSAEncryption
        37:84:43:62:ed:98:c3:31:85:24:3e:8d:d8:88:9f:4d:8f:00:
        dc:08:21:ee:9d:19:07:21:c0:70:cf:b1:38:94:49:34:de:42:
        93:5e:51:79:95:6b:d6:2d:7f:92:f7:da:49:d0:92:65:81:8f:
        ed:0e:24:0a:0d:17:cd:73:fe:c2:86:9c:40:22:04:af:7b:d6:
        1e:ba:2c:5a:f4:d8:52:ab:8f:94:45:ae:bc:11:07:06:0d:da:
        11:6f:f5:1a:63:ae:05:0a:64:32:b1:f0:5c:eb:21:6b:d1:ff:
        bb:0a:42:a9:a9:23:f3:ab:d4:9f:b4:26:4e:d4:ea:7b:0a:26:
        df:a4
-----BEGIN CERTIFICATE-----
.....XXX
-----END CERTIFICATE-----
SERVER CONFIG DATA
Server IP: 192.168.10.1
Hostname: node01
Suffix: dc=S80,dc=com
Certificate Common Name (CN): node01
/etc/openldap/slapd.conf
TLSCACertificateFile /var/certs/cacert.pem
TLSCertificateFile /var/certs/servercrt.pem
TLSCertificateKeyFile /var/certs/serverkey.pem

database ldbm
suffix "dc=S80,dc=com"
SERVER KEY (serverkey.pem)
-----BEGIN CERTIFICATE REQUEST-----
...XXX
-----END CERTIFICATE REQUEST-----
ERRORS OBSERVED (SERVER)
[root@node01 certs]# openssl s_client -connect :636 -state -CAfile /var/certs/cacert.pem -cert /var/certs/servercrt.pem -key /var/certs/serverkey.pem
unable to load client certificate private key file
8086:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
[root@node01 certs]# ldapsearch -d127 -x -H ldaps://node01 uid=uid
ldap_create
ldap_url_parse_ext(ldaps://node01)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP node01:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.10.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=133, written=133
  0000:  80 83 01 03 01 00 5a 00  00 00 20 00 00 39 00 00   ......Z... ..9..
  0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............
  0020:  00 00 33 00 00 32 00 00  2f 03 00 80 00 00 66 00   ..3..2../.....f.
  0030:  00 05 00 00 04 01 00 80  00 00 63 00 00 62 00 00   ..........c..b..
  0040:  15 00 00 12 00 00 09 06  00 40 00 00 65 00 00 64   .........@..e..d
  0050:  00 00 14 00 00 11 00 00  08 00 00 06 04 00 80 00   ................
  0060:  00 03 02 00 80 28 9b 68  41 39 df 12 52 12 ab 41   .....(.hA9..R..A
  0070:  20 11 b0 b9 d0 76 3d 5c  2d f6 3a 00 49 28 07 d4   ....v=-.:.I(..
  0080:  67 8d 26 70 fb                                     g.&p.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  15 03 01 00 02 02 28                               ......(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
	additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERRORS OBSERVED (CLIENT)
[root@node03 ~]# openssl s_client -connect node01:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
3531:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
[root@node03 ~]# ldapsearch -d127 -x -H ldaps://node01 uid=uid
ldap_create
ldap_url_parse_ext(ldaps://node01)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP node01:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.10.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=133, written=133
  0000:  80 83 01 03 01 00 5a 00  00 00 20 00 00 39 00 00   ......Z... ..9..
  0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............
  0020:  00 00 33 00 00 32 00 00  2f 03 00 80 00 00 66 00   ..3..2../.....f.
  0030:  00 05 00 00 04 01 00 80  00 00 63 00 00 62 00 00   ..........c..b..
  0040:  15 00 00 12 00 00 09 06  00 40 00 00 65 00 00 64   .........@..e..d
  0050:  00 00 14 00 00 11 00 00  08 00 00 06 04 00 80 00   ................
  0060:  00 03 02 00 80 51 97 63  fc ee 43 25 a8 d2 e4 8c   .....Q.c..C%....
  0070:  ef 63 6e e0 97 b7 cd c2  1e 14 97 c9 50 5d 82 6b   .cn.........P].k
  0080:  3f f5 d0 6f a4                                     ?..o.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  15 03 01 00 02 02 28                               ......(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
	additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
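As an added example (not part of the post above, and not OpenLDAP or OpenSSL code), the following Python script performs the check that the "no start line ... Expecting: ANY PRIVATE KEY" message calls for: it reads each file a slapd.conf TLS directive points at and reports whether the file actually contains a PEM block of the kind that directive's loader accepts. OpenSSL skips PEM blocks whose label it does not want and reports "no start line" when it reaches end of file without finding one, so a key file whose only block is a CERTIFICATE REQUEST (as serverkey.pem is shown above) fails exactly this way. The file paths and directive names are those from the post's slapd.conf; the file contents in SAMPLE_FILES are constructed placeholders (not real keys or certificates) so the script runs offline, and load_files() is the hypothetical helper for pointing it at real files.

```python
import re
from pathlib import Path

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
# The backreference forces the END label to match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# PEM labels OpenSSL's PEM loaders accept for each slapd.conf TLS directive.
EXPECTED_LABELS = {
    "TLSCertificateKeyFile": {
        "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    },
    "TLSCertificateFile": {"CERTIFICATE"},
    "TLSCACertificateFile": {"CERTIFICATE"},
}

# Directive -> path mapping as given in the post's slapd.conf.
SLAPD_TLS_DIRECTIVES = {
    "TLSCACertificateFile": "/var/certs/cacert.pem",
    "TLSCertificateFile": "/var/certs/servercrt.pem",
    "TLSCertificateKeyFile": "/var/certs/serverkey.pem",
}

# Constructed sample contents (placeholders, not real keys or certificates):
# only the BEGIN/END labels matter to this checker.
SAMPLE_FILES = {
    "/var/certs/cacert.pem":
        "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
    "/var/certs/servercrt.pem":
        "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
    # Mirrors the post: the "key" file holds a certificate signing request.
    "/var/certs/serverkey.pem":
        "-----BEGIN CERTIFICATE REQUEST-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE REQUEST-----\n",
}


def pem_labels(text):
    """Return the labels of all PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_pem(directive, text):
    """Decide whether text holds a block the directive's loader will accept.

    Returns (ok, message). A file passes if at least one block carries an
    expected label; OpenSSL skips the others, so extra blocks are harmless.
    """
    wanted = EXPECTED_LABELS[directive]
    labels = pem_labels(text)
    if not labels:
        return False, f"{directive}: no PEM block at all (OpenSSL: 'no start line')"
    if any(label in wanted for label in labels):
        return True, f"{directive}: ok ({', '.join(labels)})"
    return (
        False,
        f"{directive}: found {', '.join(labels)}, expected one of "
        f"{', '.join(sorted(wanted))} (OpenSSL: 'no start line')",
    )


def audit(directives, files):
    """Check every directive -> path mapping against {path: file text}.

    Returns (all_ok, [one message per directive]); a missing file is treated
    as empty and therefore fails.
    """
    results = [check_pem(d, files.get(path, "")) for d, path in directives.items()]
    return all(ok for ok, _ in results), [msg for _, msg in results]


def load_files(paths):
    """Hypothetical helper: read real files into the shape audit() expects."""
    return {p: Path(p).read_text(encoding="ascii", errors="replace") for p in paths}


if __name__ == "__main__":
    # Run against the constructed sample; swap in
    # load_files(SLAPD_TLS_DIRECTIVES.values()) to audit a real server.
    ok, messages = audit(SLAPD_TLS_DIRECTIVES, SAMPLE_FILES)
    for line in messages:
        print(line)
    print("slapd TLS files:", "OK" if ok else "NOT OK")
```

Run on the server as the user slapd runs as, so that file permissions are exercised by the same identity that has to load the key. One further point for the client side once the handshake works: tls_reqcert never / TLS_REQCERT never in the two client ldap.conf files turn off verification of the server certificate entirely, so they are useful only while debugging and should go back to demand afterwards.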