Hi Jordan

 

Thanks for the suggestion. My testing so far has used queries executed on the openldap server itself. To do a Wireshark capture, I need to have the query go over the network. So I generated the openssl command on a SLES 12 system (10.247.229.40) using openssl 1.0.2, sending to the SLES 15 (10.247.229.42) openldap system which is using openssl 1.1. Here’s the command execution:

 

ldpdd040:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636 -servername ldpdd042.hop.lab.emc.com

CONNECTED(00000003)

139644189292176:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 0 bytes and written 326 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : 0000

    Session-ID:

    Session-ID-ctx:

    Master-Key:

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1683920466

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---

ldpdd040:~ #

 

Here’s the capture:

 

 

So, the openldap server does not reply to the TLS Client Hello with the TLS Server Hello.

 

Thanks

tl

 

 

Internal Use - Confidential

From: Jordan Brown <openldap@jordan.maileater.net>
Sent: Friday, May 12, 2023 3:26 PM
To: Lemons, Terry; noloader@gmail.com
Cc: openldap-technical@openldap.org
Subject: Re: Debugging TLS negotiation failure

 

[EXTERNAL EMAIL]

[ Sigh.  Please ignore the previous message that I sent from a totally inappropriate address. ]

A packet capture and analysis by a tool like Wireshark may be helpful.

-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris