terry.lemons@dell.com wrote:
> Hi Howard
>
> Thanks very much for the reply and the suggestion. Here is the output of an ldapsearch command that completes successfully when I omit '-H ldaps://ldpdd042.hop.lab.emc.com:636':
>
> ldpdd042:~ # ldapsearch -d -1 -x -b 'dc=example,dc=com' '(objectclass=*)' -H ldaps://ldpdd042.hop.lab.emc.com:636
> ldap_url_parse_ext(ldaps://ldpdd042.hop.lab.emc.com:636)
> ldap_create
> ldap_url_parse_ext(ldaps://ldpdd042.hop.lab.emc.com:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldpdd042.hop.lab.emc.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.247.229.42:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> TLS trace: SSL_connect:before SSL initialization
> tls_write: want=334, written=334
> 0000: 16 03 01 01 49 01 00 01 45 03 03 a2 85 24 0b ee ....I...E....$..
> 0010: 8f 28 13 34 a4 e5 6a c3 48 50 69 d7 81 72 96 02 .(.4..j.HPi..r..
> 0020: 7b 56 46 6a ec d0 f3 64 71 35 b2 20 fd 17 70 c9 {VFj...dq5. ..p.
> 0030: 15 23 3d 7c 31 66 99 84 f3 92 4b c7 a9 ab e2 f8 .#=|1f....K.....
> 0040: 5b b3 42 44 7e 91 f5 4b 9a 5b c9 b1 00 46 13 02 [.BD~..K.[...F..
> 0050: 13 03 13 01 c0 2c c0 30 cc a9 cc a8 c0 ad c0 2b .....,.0.......+
> 0060: c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 c0 13 ./...#.'........
> 0070: 00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 00 2f .........=.<.5./
> 0080: 00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 00 39 ...........k.g.9
> 0090: 00 33 00 ff 01 00 00 b6 00 00 00 1d 00 1b 00 00 .3..............
> 00a0: 18 6c 64 70 64 64 30 34 32 2e 68 6f 70 2e 6c 61 .ldpdd042.hop.la
> 00b0: 62 2e 65 6d 63 2e 63 6f 6d 00 0b 00 04 03 00 01 b.emc.com.......
> 00c0: 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 ................
> 00d0: 18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d 00 ..#.............
> 00e0: 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 08 0...............
> 00f0: 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03 ................
> 0100: 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 06 ................
> 0110: 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 2d ..+............-
> 0120: 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 49 ea .....3.&.$... I.
> 0130: 8c 2a c7 1e 18 82 13 d1 46 3d 46 b0 b7 2b bd b2 .*......F=F..+..
> 0140: 6e 13 ec ab c5 fa 25 4d 4f cc 58 77 78 69 n.....%MO.Xwxi
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> tls_read: want=5, got=0
>
> TLS trace: SSL_connect:error in SSLv3/TLS write client hello
> TLS: can't connect: .
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> ldpdd042:~ #
>
> Here's what was written to /var/log/messages:
>
> 2023-05-11T16:04:32.584581-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 ACCEPT from IP=10.247.229.42:47346 (IP=0.0.0.0:636)
> 2023-05-11T16:04:32.594205-04:00 ldpdd042 slapd[21376]: connection_get(12)
> 2023-05-11T16:04:32.594295-04:00 ldpdd042 slapd[21376]: conn=1000 fd=12 closed (TLS negotiation failure)

The lack of any server reply to the client's Hello message strikes me as probably a TLS version mismatch. Check what versions of TLS libraries are in use on both the client and server, and if they've been configured to include or exclude any particular TLS versions.

> I'm using a self-signed server certificate, so no CA should be involved. Not sure if that is causing the problem?

Also, both slapd and the clients should be configured to use the self-signed server cert as a CA cert.

> Thanks! tl
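The trace above already contains half of the answer to the version question: the 334 bytes that tls_write sent are the complete ClientHello, so one can decode it and see exactly which TLS versions the client offered before asking the server side anything. The Python below is an added example for this thread, not code from OpenLDAP or from either poster. It transcribes the hex dump from the post, walks the ClientHello with a minimal hand-written parser (record header, handshake header, cipher suites, then the server_name, supported_groups, supported_versions and key_share extensions) and reports the result. On these bytes the supported_versions extension lists TLS 1.3, 1.2, 1.1 and 1.0, the SNI is ldpdd042.hop.lab.emc.com and 35 cipher suites are offered, so for a version mismatch to explain the silent close the server would have to be restricted to something outside that range; the versions_in_common helper takes a server range as input (for slapd that range is what TLSProtocolMin constrains) and shows which versions could still be negotiated. The server range values passed in the usage are assumptions for illustration, not anything known about this slapd.

```python
"""Decode the TLS ClientHello that ldapsearch -d -1 dumped in the thread above.

Added example; not code from OpenLDAP or from the posters. The bytes are
transcribed from the tls_write hex dump in the post. The parser is
deliberately minimal: it reads only the fields needed to answer "which TLS
versions, SNI name and key-share groups did the client offer?" and raises
ValueError on anything that is not a well-formed ClientHello.
"""
import struct

# Transcribed from the trace in the post: 5-byte record header + 329-byte
# ClientHello handshake message = 334 bytes (matches "want=334, written=334").
CLIENT_HELLO_HEX = """
16 03 01 01 49 01 00 01 45 03 03 a2 85 24 0b ee
8f 28 13 34 a4 e5 6a c3 48 50 69 d7 81 72 96 02
7b 56 46 6a ec d0 f3 64 71 35 b2 20 fd 17 70 c9
15 23 3d 7c 31 66 99 84 f3 92 4b c7 a9 ab e2 f8
5b b3 42 44 7e 91 f5 4b 9a 5b c9 b1 00 46 13 02
13 03 13 01 c0 2c c0 30 cc a9 cc a8 c0 ad c0 2b
c0 2f c0 ac c0 23 c0 27 c0 0a c0 14 c0 09 c0 13
00 9d c0 9d 00 9c c0 9c 00 3d 00 3c 00 35 00 2f
00 9f cc aa c0 9f 00 9e c0 9e 00 6b 00 67 00 39
00 33 00 ff 01 00 00 b6 00 00 00 1d 00 1b 00 00
18 6c 64 70 64 64 30 34 32 2e 68 6f 70 2e 6c 61
62 2e 65 6d 63 2e 63 6f 6d 00 0b 00 04 03 00 01
02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00
18 00 23 00 00 00 16 00 00 00 17 00 00 00 0d 00
30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 08
0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03
03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 06
02 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 2d
00 02 01 01 00 33 00 26 00 24 00 1d 00 20 49 ea
8c 2a c7 1e 18 82 13 d1 46 3d 46 b0 b7 2b bd b2
6e 13 ec ab c5 fa 25 4d 4f cc 58 77 78 69
"""
CLIENT_HELLO = bytes.fromhex(CLIENT_HELLO_HEX)

TLS_VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                     0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
               0x001d: "x25519", 0x001e: "x448"}
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS = 0x0000, 0x000a
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x002b, 0x0033


def _u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]


def parse_client_hello(record):
    """Return a dict describing one TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack_from("!HH", record, 1)
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("handshake length does not match record length")
    h, pos = body[4:], 0
    client_version = _u16(h, pos); pos += 2
    pos += 32                                    # client random
    pos += 1 + h[pos]                            # legacy session id
    cs_len = _u16(h, pos); pos += 2
    suites = [_u16(h, pos + i) for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + h[pos]                            # compression methods
    ext_end = pos + 2 + _u16(h, pos); pos += 2
    info = {"record_version": rec_ver, "client_version": client_version,
            "cipher_suites": suites, "sni": None, "supported_versions": [],
            "supported_groups": [], "key_share_groups": []}
    while pos < ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", h, pos); pos += 4
        data = h[pos:pos + ext_len]; pos += ext_len
        if ext_type == EXT_SERVER_NAME:
            # list length (2) | name type (1) | name length (2) | host name
            info["sni"] = data[5:5 + _u16(data, 3)].decode("ascii")
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            # one-byte list length, then 2-byte versions in preference order
            info["supported_versions"] = [_u16(data, 1 + i) for i in range(0, data[0], 2)]
        elif ext_type == EXT_SUPPORTED_GROUPS:
            info["supported_groups"] = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
        elif ext_type == EXT_KEY_SHARE:
            p, end = 2, 2 + _u16(data, 0)
            while p < end:                       # group (2) | key length (2) | key
                info["key_share_groups"].append(_u16(data, p))
                p += 4 + _u16(data, p + 2)
    if pos != ext_end or pos != len(h):
        raise ValueError("extension block is malformed")
    return info


def offered_version_names(info):
    """Versions the client will accept, highest preference first. A hello
    without supported_versions (pre-TLS 1.3 client) only states its maximum
    in client_version, so fall back to that single value."""
    versions = info["supported_versions"] or [info["client_version"]]
    return [TLS_VERSION_NAMES.get(v, hex(v)) for v in versions]


def versions_in_common(client_versions, server_min, server_max):
    """Versions both sides could settle on, given the server's allowed range
    (on slapd that range is what TLSProtocolMin constrains)."""
    return sorted(v for v in client_versions if server_min <= v <= server_max)


def summarize(record=CLIENT_HELLO):
    info = parse_client_hello(record)
    return "\n".join([
        "record version    : %s" % TLS_VERSION_NAMES.get(info["record_version"]),
        "client_version    : %s" % TLS_VERSION_NAMES.get(info["client_version"]),
        "supported_versions: %s" % ", ".join(offered_version_names(info)),
        "SNI               : %s" % info["sni"],
        "cipher suites     : %d offered" % len(info["cipher_suites"]),
        "key_share groups  : %s" % ", ".join(GROUP_NAMES.get(g, hex(g)) for g in info["key_share_groups"]),
    ])


if __name__ == "__main__":
    print(summarize())
    # Assumed server range for illustration only (TLS 1.2 to 1.3); nothing is known about this slapd.
    hello = parse_client_hello(CLIENT_HELLO)
    print("negotiable with a TLS 1.2..1.3 server:",
          [TLS_VERSION_NAMES[v] for v in versions_in_common(hello["supported_versions"], 0x0303, 0x0304)])
```

Because the record-layer version (TLS 1.0) and client_version (TLS 1.2) are only legacy compatibility fields, the supported_versions extension is the field to trust when judging a version mismatch; a server that closes the socket without a ServerHello or an alert, as slapd did here ("closed (TLS negotiation failure)"), has rejected something in this hello or failed on its own side before answering, which is why the server's TLS configuration and certificate/key loading are the next thing to inspect.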