Hi Dieter:
Thanks for your quick reply. I have changed 'TLS_REQCERT try' and check the commonName of the host certificate, the common name is LDAP Server hostname "auth.server.com", the following is the query results: [root@auth cacerts]# openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddress=tianzy@server.com verify error:num=18:self signed certificate verify return:1 depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddress=tianzy@server.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A
Now, the /etc/openldap/ldap.conf file: URI ldap://ldap.server.com/ BASE dc=server,dc=com TLS_CACERT /etc/openldap/cacerts/cacert.pem #SSL ON TLS_REQCERT try
But, run "#ldapsearch -x -H ldap://ldap.server.com -ZZ" , I also get the following error: [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ ldap_start_tls: Connect error (-11)
Tian Zhiying
From: DieterKlünter Date: 2013-10-23 17:35 To: openldap-technical CC: tianzy1225 Subject: Re: OpenLDAP 2.3.4 TLS negotiation failure Am Wed, 23 Oct 2013 16:47:25 +0800 schrieb "Tian Zhiying" tianzy1225@thundersoft.com:
Hi
On the LDAP Server , I run following command is ok: #ldapsearch -x -H ldap://ldap.server.com -ZZ #ldapsearch -x -H ldap://ldap.server.com
But on my client , I run "#ldapsearch -x -H ldap://ldap.server.com", is ok; Run "#ldapsearch -x -H ldap://ldap.server.com -ZZ" , I get the following error: [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ ldap_start_tls: Connect error (-11)
On LDAP Server log file, I get the following error messages: Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 ACCEPT from IP=192.168.9.9:45648 (IP=0.0.0.0:389) Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 STARTTLS Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 RESULT oid= err=0 text= Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 closed (TLS negotiation failure)
My client ldap configuration: /etc/openldap/ldap.conf file: URI ldap://ldap.server.com/ BASE dc=server,dc=com TLS_CACERT /etc/openldap/cacerts/ca.crt SSL ON TLS_REQCERT demand
Set 'TLS_REQCERT try' and check the commonName of the host certificate. SSL ON is not an openldap configuration parameter. The /etc/ldap.conf file is not a openldap client configuration file, but of nss_ldap.
/etc/ldap.conf file: BASE dc=server,dc=com URI ldap://ldap.server.com SSL ON TLS_CACERT /etc/openldap/cacert/ca.crt TLS_REQCERT demand
Any suggestion what cause TLS negotiation failure?
-Dieter
Inline...
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap- technical-bounces@OpenLDAP.org] On Behalf Of Tian Zhiying Sent: Wednesday, October 23, 2013 2:59 AM To: DieterKlünter; openldap-technical Subject: Re: Re: OpenLDAP 2.3.4 TLS negotiation failure
Hi Dieter:
Thanks for your quick reply. I have changed 'TLS_REQCERT try' and check the commonName of the host certificate, the common name is LDAP Server hostname "auth.server.com", the following is the query results: [root@auth cacerts]# openssl s_client -connect localhost:636 -showcerts - state -CAfile /etc/openldap/cacerts/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddres s=tianzy@server.com verify error:num=18:self signed certificate verify return:1
Here is your problem. The host does not trust the SSL cert. The 'CAfile' you've pointed the openssl command (and the real clients guessing by the path) isn't the CA chain for that SSL cert.
We also use an internal CA that our hosts don't trust globally. Same command and output for me:
[root@ldapmaster1.[snip] ~]# echo | openssl s_client -connect ldapmaster1.[snip]:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=2 C = US, O = [snip], OU = PKI, CN = [snip] Internal Root CA verify return:1 depth=1 C = US, O = [snip], OU = PKI, CN = [snip] Internal Issuing CA 01 verify return:1 depth=0 C = US, ST = WA, L = Seattle, O = [snip], CN = ldap-vip. [snip], emailAddress = [snip] verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A
The command then continues to dump the cert, and the chain certs, as expected.
You must put the entire CA chain from the Root CA to the signing/subordinate CA that signed this SSL cert (if applicable) in x509/PEM format in your 'CAfile' - assuming the Root CA isn't trusted server wide already.
Then try again. Also, make sure to use the name specified in your SSL cert when connecting/testing - mess with your local hosts file if needed.
- chris
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddres s=tianzy@server.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A
Now, the /etc/openldap/ldap.conf file: URI ldap://ldap.server.com/ BASE dc=server,dc=com TLS_CACERT /etc/openldap/cacerts/cacert.pem #SSL ON TLS_REQCERT try
But, run "#ldapsearch -x -H ldap://ldap.server.com -ZZ" , I also get the following error: [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ ldap_start_tls: Connect error (-11)
Tian Zhiying
From: DieterKlünter Date: 2013-10-23 17:35 To: openldap-technical CC: tianzy1225 Subject: Re: OpenLDAP 2.3.4 TLS negotiation failure Am Wed, 23 Oct 2013 16:47:25 +0800 schrieb "Tian Zhiying" tianzy1225@thundersoft.com:
Hi
On the LDAP Server , I run following command is ok: #ldapsearch -x -H ldap://ldap.server.com -ZZ #ldapsearch -x -H ldap://ldap.server.com
But on my client , I run "#ldapsearch -x -H ldap://ldap.server.com", is ok; Run "#ldapsearch -x -H ldap://ldap.server.com -ZZ" , I get the following error: [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ ldap_start_tls: Connect error (-11)
On LDAP Server log file, I get the following error messages: Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 ACCEPT from IP=192.168.9.9:45648 (IP=0.0.0.0:389) Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 STARTTLS Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 RESULT oid= err=0 text= Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 closed (TLS negotiation failure)
My client ldap configuration: /etc/openldap/ldap.conf file: URI ldap://ldap.server.com/ BASE dc=server,dc=com TLS_CACERT /etc/openldap/cacerts/ca.crt SSL ON TLS_REQCERT demand
Set 'TLS_REQCERT try' and check the commonName of the host certificate. SSL ON is not an openldap configuration parameter. The /etc/ldap.conf file is not a openldap client configuration file, but of nss_ldap.
/etc/ldap.conf file: BASE dc=server,dc=com URI ldap://ldap.server.com SSL ON TLS_CACERT /etc/openldap/cacert/ca.crt TLS_REQCERT demand
Any suggestion what cause TLS negotiation failure?
-Dieter
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Hi Chris:
I have to regenerate the CA, and make sure that the hostname and common name match(ldap.server.com), the following is the command output: [root@ldap.server.com ~]# echo | openssl s_client -connect ldap.server.com:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=CN/ST=BJ/O=TS/OU=IT/CN=ldap.server.com/emailAddress=tianzy@server.com verify return:1 depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=ldap.server.com/emailAddress=tianzy@server.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A
On LDAP Server run the command: "ldapsearch -x -H ldap://ldap.server.com -ZZ" is ok, I think CA is no problem now. But on my client , it also ouput "ldap_start_tls: Connect error (-11) "
LDAP Server log file output: Oct 24 11:41:41 auth slapd[14371]: conn=49 fd=14 ACCEPT from IP=192.168.9.9:46226 (IP=0.0.0.0:389) Oct 24 11:41:41 auth slapd[14371]: conn=49 op=0 STARTTLS Oct 24 11:41:41 auth slapd[14371]: conn=49 op=0 RESULT oid= err=0 text= Oct 24 11:41:41 auth slapd[14371]: conn=49 fd=14 closed (TLS negotiation failure)
Tian Zhiying
From: Chris Jacobs Date: 2013-10-23 22:18 To: tianzy1225; DieterKlünter; openldap-technical Subject: RE: Re: OpenLDAP 2.3.4 TLS negotiation failure Inline...
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap- technical-bounces@OpenLDAP.org] On Behalf Of Tian Zhiying Sent: Wednesday, October 23, 2013 2:59 AM To: DieterKlünter; openldap-technical Subject: Re: Re: OpenLDAP 2.3.4 TLS negotiation failure
Hi Dieter:
Thanks for your quick reply. I have changed 'TLS_REQCERT try' and check the commonName of the host certificate, the common name is LDAP Server hostname "auth.server.com", the following is the query results: [root@auth cacerts]# openssl s_client -connect localhost:636 -showcerts - state -CAfile /etc/openldap/cacerts/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddres s=tianzy@server.com verify error:num=18:self signed certificate verify return:1
Here is your problem. The host does not trust the SSL cert. The 'CAfile' you've pointed the openssl command (and the real clients guessing by the path) isn't the CA chain for that SSL cert.
We also use an internal CA that our hosts don't trust globally. Same command and output for me:
[root@ldapmaster1.[snip] ~]# echo | openssl s_client -connect ldapmaster1.[snip]:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=2 C = US, O = [snip], OU = PKI, CN = [snip] Internal Root CA verify return:1 depth=1 C = US, O = [snip], OU = PKI, CN = [snip] Internal Issuing CA 01 verify return:1 depth=0 C = US, ST = WA, L = Seattle, O = [snip], CN = ldap-vip. [snip], emailAddress = [snip] verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A
The command then continues to dump the cert, and the chain certs, as expected.
You must put the entire CA chain from the Root CA to the signing/subordinate CA that signed this SSL cert (if applicable) in x509/PEM format in your 'CAfile' - assuming the Root CA isn't trusted server wide already.
Then try again. Also, make sure to use the name specified in your SSL cert when connecting/testing - mess with your local hosts file if needed.
- chris
depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddres s=tianzy@server.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A
Now, the /etc/openldap/ldap.conf file: URI ldap://ldap.server.com/ BASE dc=server,dc=com TLS_CACERT /etc/openldap/cacerts/cacert.pem #SSL ON TLS_REQCERT try
But, run "#ldapsearch -x -H ldap://ldap.server.com -ZZ" , I also get the following error: [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ ldap_start_tls: Connect error (-11)
Tian Zhiying
From: DieterKlünter Date: 2013-10-23 17:35 To: openldap-technical CC: tianzy1225 Subject: Re: OpenLDAP 2.3.4 TLS negotiation failure Am Wed, 23 Oct 2013 16:47:25 +0800 schrieb "Tian Zhiying" tianzy1225@thundersoft.com:
Hi
On the LDAP Server , I run following command is ok: #ldapsearch -x -H ldap://ldap.server.com -ZZ #ldapsearch -x -H ldap://ldap.server.com
But on my client , I run "#ldapsearch -x -H ldap://ldap.server.com", is ok; Run "#ldapsearch -x -H ldap://ldap.server.com -ZZ" , I get the following error: [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ ldap_start_tls: Connect error (-11)
On LDAP Server log file, I get the following error messages: Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 ACCEPT from IP=192.168.9.9:45648 (IP=0.0.0.0:389) Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 STARTTLS Oct 23 16:41:25 auth slapd[4213]: conn=206 op=0 RESULT oid= err=0 text= Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 closed (TLS negotiation failure)
My client ldap configuration: /etc/openldap/ldap.conf file: URI ldap://ldap.server.com/ BASE dc=server,dc=com TLS_CACERT /etc/openldap/cacerts/ca.crt SSL ON TLS_REQCERT demand
Set 'TLS_REQCERT try' and check the commonName of the host certificate. SSL ON is not an openldap configuration parameter. The /etc/ldap.conf file is not a openldap client configuration file, but of nss_ldap.
/etc/ldap.conf file: BASE dc=server,dc=com URI ldap://ldap.server.com SSL ON TLS_CACERT /etc/openldap/cacert/ca.crt TLS_REQCERT demand
Any suggestion what cause TLS negotiation failure?
-Dieter
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
openldap-technical@openldap.org