On Fri, May 12, 2023 at 8:30 PM Jordan Brown openldap@jordan.maileater.net wrote:
> So, as s_client implies when it says "read 0 bytes", the client said "hello" and the server hung up the phone.
> That means that the server doesn't like the way that the client said hello.
> There are three obvious reasons why that might happen:
> 1. The server doesn't really speak TLS, and when the client sent it this TLS gibberish the server just gave up.
> 2. The server doesn't like the maximum TLS version that the client specified; it demands a later version.
> 3. The server doesn't support any ciphers that the client offered.
> For the first, there's no telling what the server might do.
> For the second and third, I don't remember what the usual response is. I wouldn't be surprised if an immediate disconnect is usual.
> So, what does that Client Hello packet look like?
For the third:
> The server doesn't support any
> ciphers that the client offered.
That will generate an alert, which should cause traffic. For example, RFC 8446, Section 4.1.1 says: [1]
If the server is unable to negotiate a supported set of parameters (i.e., there is no overlap between the client and server parameters), it MUST abort the handshake with either a "handshake_failure" or "insufficient_security" fatal alert.
That should generate a message, and the client should read something.
I really feel like there's something wrong with the server configuration.
Doesn't systemd open a socket even if a service is _not_ running? I think systemd does it to make the service start fast. I.e., a `systemctl start slapd.service` will happen quickly because the listening socket is already operating.
Jeff
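The three outcomes discussed in this thread (the server closes the socket without sending anything, the server answers with a fatal alert such as handshake_failure or insufficient_security, or the server sends back something that is not TLS at all) can be told apart with a small probe that sends a hand-built ClientHello and only looks at the first record that comes back. The following is an added example, not code from the thread or from OpenLDAP; the cipher-suite list, the placeholder name ldap.example.test and the constructed sample responses are assumptions made for illustration. The ClientHello carries no key_share, so a TLS 1.3 server will reply with HelloRetryRequest, which on the wire is a ServerHello and is still counted as "the server spoke TLS back".

```python
"""Send a minimal TLS ClientHello and classify the server's first reply.

Added example (not from the original thread). The offered cipher suites,
the SNI name and the sample byte strings are constructed for illustration.
"""
import os
import socket
import struct

# Constructed offer: TLS_AES_128_GCM_SHA256 (TLS 1.3) plus two TLS 1.2 ECDHE suites.
DEFAULT_SUITES = (0x1301, 0xC02F, 0xC02B)

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    109: "missing_extension", 112: "unrecognized_name",
}


def _ext(ext_type, body):
    """Wrap an extension body with its 2-byte type and 2-byte length."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(suites=DEFAULT_SUITES, versions=(0x0304, 0x0303),
                       server_name="ldap.example.test"):
    """Build one TLS record holding a ClientHello (RFC 8446 wire format).

    legacy_version stays 0x0303; the versions really offered go into the
    supported_versions extension, so `versions=(0x0303,)` probes "TLS 1.2 only".
    """
    name = server_name.encode()
    sni_entry = struct.pack("!BH", 0, len(name)) + name            # host_name entry
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)                # x25519, secp256r1
    sig_algs = struct.pack("!HHHH", 6, 0x0804, 0x0403, 0x0401)     # rsa_pss, ecdsa, rsa_pkcs1
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    extensions = _ext(0, sni) + _ext(10, groups) + _ext(13, sig_algs) + _ext(43, sv)

    body = (struct.pack("!H", 0x0303) + os.urandom(32)             # legacy_version, random
            + b"\x00"                                              # empty session_id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                          # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


def record_header(data):
    """Parse a 5-byte TLS record header into (content_type, version, length)."""
    return struct.unpack("!BHH", data[:5])


def classify_response(data):
    """Classify the first bytes a server sends after our ClientHello."""
    if data == b"":
        return ("eof", None)                        # s_client's "read 0 bytes"
    if len(data) < 5:
        return ("not_tls", data)
    ctype, version, _ = record_header(data)
    if version >> 8 != 3:
        return ("not_tls", data[:16])               # e.g. an LDAP BER message on a plain port
    if ctype == 21 and len(data) >= 7:              # alert record: level, description
        return ("alert", (ALERT_LEVELS.get(data[5], data[5]),
                          ALERT_DESCRIPTIONS.get(data[6], data[6])))
    if ctype == 22 and len(data) >= 6 and data[5] == 2:
        return ("server_hello", None)               # also covers HelloRetryRequest
    return ("tls_other", ctype)


def probe(host, port, timeout=5.0, **hello_args):
    """Connect, send a ClientHello and report how the server reacts."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(**hello_args))
            return classify_response(sock.recv(4096))
    except ConnectionResetError:
        return ("reset", None)                      # RST instead of a clean close
    except socket.timeout:
        return ("timeout", None)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    print("default offer:     ", probe(host, port))
    print("TLS 1.2 only:      ", probe(host, port, versions=(0x0303,)))
    print("one unlikely suite:", probe(host, port, suites=(0x000A,)))  # 3DES, likely refused
```

Run it as `python probe.py ldap-host 636`. An "eof" with no alert for every variant points at the socket not being served by a TLS endpoint at all (the first of the three reasons, or a socket that systemd holds open for a service that never started), whereas a refused cipher or version on a working TLS server shows up as a fatal alert, which is exactly the RFC 8446 behaviour quoted above.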