Hi Jordan
Thanks for the suggestion. My testing so far has used queries executed on the openldap server itself. To do a Wireshark capture, I need to have the query go over the network. So I generated the openssl command on a SLES 12 system (10.247.229.40) using openssl 1.0.2, sending to the SLES 15 (10.247.229.42) openldap system which is using openssl 1.1. Here's the command execution:
ldpdd040:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636 -servername ldpdd042.hop.lab.emc.com
CONNECTED(00000003)
139644189292176:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1683920466
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
ldpdd040:~ #
Here's the capture:
[inline image: Wireshark capture of the connection attempt]
So, the openldap server does not reply to the TLS Client Hello with the TLS Server Hello.
Thanks tl
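As an added example (not code from this thread, from OpenLDAP or from OpenSSL), a small Python decoder for the kind of ClientHello record the capture above shows going unanswered: it builds a minimal TLS 1.2 ClientHello carrying the server name used in the thread, then parses out the offered protocol version, cipher suites and SNI, which are the fields to compare against what the openssl 1.1 side is configured to accept when no ServerHello comes back. The function names, the cipher-suite name table and the sample record are assumptions.

```python
import os
import struct

# Assumed, constructed table of a few IANA cipher-suite code points (RFC 5246/5289).
SUITE_NAMES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}


def build_client_hello(version=0x0303, suites=(0xC02F, 0xC030), sni=None, rand=None):
    """Return one TLS record carrying a minimal ClientHello (RFC 5246 layout)."""
    body = struct.pack(">H", version) + (rand or os.urandom(32)) + b"\x00"  # empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if sni:  # server_name extension (type 0): list length, name_type 0, host length, host
        host = sni.encode()
        entry = b"\x00" + struct.pack(">H", len(host)) + host
        exts += struct.pack(">HH", 0, len(entry) + 2) + struct.pack(">H", len(entry)) + entry
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record header


def parse_client_hello(data):
    """Decode record -> {version, suites, suite_names, sni}; raise on malformed input."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    rec_len = struct.unpack(">H", data[3:5])[0]
    if len(data) != 5 + rec_len or rec_len != 4 + int.from_bytes(data[6:9], "big"):
        raise ValueError("length fields disagree with record size")
    version = struct.unpack(">H", data[9:11])[0]
    pos = 11 + 32                      # skip client random
    pos += 1 + data[pos]               # skip session id
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", data[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n + 1 + data[pos + n]       # skip compression methods
    sni = None
    if pos < len(data):                # extensions block is optional
        end = pos + 2 + struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", data[pos:pos + 4])
            if etype == 0:             # server_name: skip list len (2) + name_type (1)
                hlen = struct.unpack(">H", data[pos + 7:pos + 9])[0]
                sni = data[pos + 9:pos + 9 + hlen].decode()
            pos += 4 + elen
    return {"version": version, "suites": suites, "sni": sni,
            "suite_names": [SUITE_NAMES.get(s, "unknown 0x%04X" % s) for s in suites]}
```

The same parser can be pointed at the raw bytes of the first client record exported from a Wireshark capture, so the version and suite list seen on the wire can be checked without trusting s_client's summary.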
From: Jordan Brown openldap@jordan.maileater.net
Sent: Friday, May 12, 2023 3:26 PM
To: Lemons, Terry; noloader@gmail.com
Cc: openldap-technical@openldap.org
Subject: Re: Debugging TLS negotiation failure
[ Sigh. Please ignore the previous message that I sent from a totally inappropriate address. ]
A packet capture and analysis by a tool like Wireshark may be helpful.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris