Hi!
I'm trying to convert our syncrepl configuration using plain authentication over TLS to external authentication using a user certificate. It almost works, but slapd is reporting "connection_read(11): TLS accept failure error=-1 id=1002, closing" and "conn=1002 fd=11 closed (TLS negotiation failure)", while I can connect using the certificate and peer with openssl s_client.
Openssl reports:

    ...
    Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
    Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 20974 bytes and written 5070 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2400 bit
    This TLS version forbids renegotiation.
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ...
Somehow I suspect that the certificate being a user certificate (DN mapped to a user entry) is not acceptable in syncrepl's tls_cert; can anybody confirm? The problem is that I'd like to trust a user certificate more than a host certificate for replication. And if I'd use a host certificate, how could I authenticate the user being used to get the changes?
I looked a lot around using popular search engines, but could not find a useful example that is complete enough.
Let me remark at this point that the description of tls_reqsan is quite poor in SLAPD-CONFIG(5); it was not obvious to me that it is about "Subject Alternate Name". The other thing I noticed was a capitalized "Binding" in "...to establish a TLS session before Binding to the provider." (also in SLAPD-CONFIG(5)).
Kind regards, Ulrich Windl
Windl, Ulrich wrote:
> Hi!
> I'm trying to convert our syncrepl configuration using plain authentication over TLS to external authentication using a user certificate.
> It almost works, but slapd is reporting "connection_read(11): TLS accept failure error=-1 id=1002, closing" and "conn=1002 fd=11 closed (TLS negotiation failure)", while I can connect using the certificate and peer with openssl s_client.

Run slapd with debug output, -d -1.

> Openssl reports:

Nothing relevant.

> Somehow I suspect that the certificate being a user certificate (DN mapped to a user entry) is not acceptable in syncrepl's tls_cert; can anybody confirm?

No. Any certificate can be used, and if it is signed by a trusted CA then it is valid regardless of DN mapping.

> The problem is that I'd like to trust a user certificate more than a host certificate for replication.
> And if I'd use a host certificate, how could I authenticate the user being used to get the changes?
> I looked a lot around using popular search engines, but could not find a useful example that is complete enough.
> Let me remark at this point that the description of tls_reqsan is quite poor in SLAPD-CONFIG(5); it was not obvious to me that it is about "Subject Alternate Name".

SAN is the well-known abbreviation of Subject Alternative Name. This is standard X.509 terminology.
Hi!
Just answering my own question: I had some incorrect syncrepl configurations that caused the error (wrong mech). After having fixed those, I don't see any error any more.
Kind regards, Ulrich Windl
From: Windl, Ulrich <u.windl@ukr.de>
Sent: Wednesday, March 19, 2025 2:55 PM
To: openldap-technical@openldap.org
Subject: [EXT] Q: Using SASL EXTERNAL with certificates for syncrepl
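The configuration the thread converges on, written out as an added example that is not part of the original posts and not taken from OpenLDAP's own documentation: a consumer-side syncrepl stanza that binds with SASL EXTERNAL over StartTLS using a user certificate (the combination Ulrich reports fixing, bindmethod=sasl together with saslmech=EXTERNAL), and the provider-side directives that turn the presented certificate into a directory identity, as Howard's reply describes (any CA-signed certificate is accepted by TLS; which entry it becomes is decided by authz-regexp). Host names, file paths, DNs, the certificate subject and the rid are assumptions.

```conf
########## provider (slapd.conf) ##########
# Assumed paths, DNs and host names; adjust to the deployment.
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/provider.crt
TLSCertificateKeyFile  /etc/openldap/private/provider.key

# "try": request a client certificate; a client that presents none still gets
# a session (ordinary simple-bind clients keep working), but a certificate
# that fails CA verification terminates the TLS session.
# Use "demand" if every client on this listener must present a certificate.
TLSVerifyClient try

# With SASL EXTERNAL the authentication identity is the client certificate's
# subject DN in LDAP string form (RDNs in LDAP order). slapd matches
# authz-regexp against the normalized DN, so write the pattern in lower case.
# Assumed certificate subject: CN=replicator, OU=Replication, O=Example Corp
# If the subject already equals the entry's DN, no mapping is needed.
authz-regexp
  "^cn=replicator,ou=replication,o=example corp$"
  "cn=replicator,ou=system,dc=example,dc=com"

# The mapped identity needs unrestricted read access to the replicated
# database and no size/time limits, otherwise the consumer misses entries.
limits dn.exact="cn=replicator,ou=system,dc=example,dc=com"
  time.soft=unlimited time.hard=unlimited
  size.soft=unlimited size.hard=unlimited

access to *
  by dn.exact="cn=replicator,ou=system,dc=example,dc=com" read
  by * break

########## consumer (slapd.conf) ##########
syncrepl rid=001
  provider=ldap://ldap-provider.example.com
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="30 10 300 +"
  # saslmech only takes effect with bindmethod=sasl; with bindmethod=simple
  # the bind uses binddn/credentials instead and the certificate identity
  # is never used.
  bindmethod=sasl
  saslmech=EXTERNAL
  # Negotiate TLS before binding. "critical" aborts replication if StartTLS
  # fails, which is what you want: EXTERNAL without a verified client
  # certificate would otherwise fall through to an anonymous bind.
  starttls=critical
  # The user certificate and key presented to the provider.
  tls_cert=/etc/openldap/certs/replicator.crt
  tls_key=/etc/openldap/private/replicator.key
  tls_cacert=/etc/openldap/certs/ca.pem
  # Verify the provider's certificate against the CA ...
  tls_reqcert=demand
  # ... and require a subjectAltName that matches the host name in provider=.
  # "never" skips the SAN check entirely.
  tls_reqsan=demand
```

To confirm the mapping before enabling replication, bind from the consumer host with the same certificate and ask the provider who you are: `ldapwhoami -H ldap://ldap-provider.example.com -ZZ -Y EXTERNAL`, with LDAPTLS_CERT, LDAPTLS_KEY and LDAPTLS_CACERT in the environment pointing at the files above. The answer should be `dn:cn=replicator,ou=system,dc=example,dc=com`; if it is the raw certificate DN, the authz-regexp pattern does not match the normalized subject, and if it is anonymous, the certificate was not accepted at the TLS layer (which is where `slapd -d -1` on the provider, as suggested in the thread, shows the reason).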