[root@ldap01 cacerts]# netstat -panv | grep slap ... tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 3220/slapd tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 3220/slapd
[root@ldap01 cacerts]# grep TL /etc/openldap/slapd.conf # The next three lines allow use of TLS for encrypting connections using a # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCACertificateFile /etc/pki/CA/cacert.pem TLSCACertificateFile /etc/pki/tls/certs/cacert.pem # TLSCertificateFile /etc/pki/tls/certs/slapd.pem TLSCertificateFile /etc/openldap/cacerts/ldap01.infra.ops.hcs.cert.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem TLSCertificateKeyFile /etc/openldap/cacerts/ldap01.infra.ops.hcs.key.pem
*** COMMENT: This command seems a little slow, but it succeeds — the chain verifies (Verify return code: 0) on port 636, which is the implicit-TLS (ldaps) port. Note from the output below that the session negotiated only TLSv1 and the server key is 1024-bit RSA. ***
[root@ldap01 cacerts]# openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect 10.60.1.57:636 CONNECTED(00000003) depth=1 /C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs verify return:1 depth=0 /C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com verify return:1 --- Certificate chain 0 s:/C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com i:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs 1 s:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs i:/C=US/ST=MA/O=NWN Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs --- Server certificate -----BEGIN CERTIFICATE----- MIIDATCCAmqgAwIBAgIJANZXaZL0G6eAMA0GCSqGSIb3DQEBBQUAMHIxCzAJBgNV BAYTAlVTMQswCQYDVQQIEwJNQTEYMBYGA1UEChMPTldOIENvcnBvcmF0aW9uMQww CgYDVQQLEwNoY3MxEzARBgNVBAMTCmNhLm9wcy5oY3MxGTAXBgkqhkiG9w0BCQEW CmNhQG9wcy5oY3MwHhcNMTEwODMxMDkwOTEyWhcNMTIwODMwMDkwOTEyWjCBlTEL MAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMRAwDgYDVQQHEwdXYWx0aGFtMRgwFgYD VQQKEw9OV04gQ29ycG9yYXRpb24xDDAKBgNVBAsTA2hjczEdMBsGA1UEAxMUbGRh cDAxLmluZnJhLm9wcy5oY3MxIDAeBgkqhkiG9w0BCQEWEXN1cHBvcnRAbnduaXQu Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDV/XlgAuwbisnokbCXUvXz M5SXTeG6D697Sgh7ggcvdwVprKlfFWCLu3RcSkBbJ69bTDgRQS6qlplUm9kB44XB Ej+8w+YVvTGxZWYIxyr3u2SKYFrIVj4DpeCZyYrgFds9JK9YGh6cDj57PGXbw9aK ApE1SKPNx2SCkMy9WSzLOwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIB DQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUdO79 lD14LPMt0cviy00Bi/zoVz8wHwYDVR0jBBgwFoAURUA5pElJg/XvOcDIdWZ6W+EN 54IwDQYJKoZIhvcNAQEFBQADgYEANOSnNbRW+US5xf4fQrz0M765wuOKjvuWK4yG K5GcWPv8zAM9bEf0Ju9A9RiMzxwDfQndRQ84fTELXKQeHFYa0ELse8G4ZdxRyEtN GzigGoPQYqtofW3N2mIRb85RntHoIBwfrhnogsY2UXssIWc/8CGgwp4OjtYhiXMU JtHLAms= -----END CERTIFICATE----- subject=/C=US/ST=MA/L=Waltham/O=NWN Corporation/OU=hcs/CN=ldap01.infra.ops.hcs/emailAddress=support@nwnit.com issuer=/C=US/ST=MA/O=NWN 
Corporation/OU=hcs/CN=ca.ops.hcs/emailAddress=ca@ops.hcs --- No client certificate CA names sent --- SSL handshake has read 1775 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 1F3B030DD062E3EFC3E143DF978A622DD8B0E2167331EAC45C307C8997F59BC3 Session-ID-ctx: Master-Key: 834A1CF62289DB6C4367109B9EF2172796A4AF403F4FE040C4EDDC48ED722437E96717A860038A70323DFFD1EDE3562D Key-Arg : None Krb5 Principal: None Start Time: 1315065479 Timeout : 300 (sec) Verify return code: 0 (ok) ---
*** COMMENT: This obviously doesn't — the same command against port 389 fails at the handshake. ***
[root@ldap01 cacerts]# openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect 10.60.1.57:389 CONNECTED(00000003) 4392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: [root@ldap01 cacerts]#
The only thing I could think of is a timeout difference between SSL and TLS, in which case I'll be fine once I figure out why it's slow, but I'd like to validate that before moving on to the slowness problem. Anyone have ideas?
On Sep 3, 2011, at 6:00 PM, Nate Marks wrote:
[root@ldap01 cacerts]# openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect 10.60.1.57:389 CONNECTED(00000003) 4392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: [root@ldap01 cacerts]#
Port 389 is plaintext LDAP; TLS there is negotiated in-band via the StartTLS extended operation, so `openssl s_client` connecting to it expecting a TLS handshake from the first byte fails — this is not a timeout. To use TLS on the standard port you would need to pass the option `-starttls xxx` to openssl, where xxx is the application protocol; but the openssl used here does not list ldap among the supported `-starttls` protocols. Even if it did, you could not type anything useful into an LDAP session by hand. Use port 636 (as in your first test) to validate the certificate chain, or `ldapsearch -ZZ` to exercise StartTLS on 389.
-- Marco
openldap-technical@openldap.org