Hi,
We have a check (shell script) that talks to a customer's LDAP server (over which we have no control) and only SSLv2 seems to work when using "openssl s_client -connect". I am trying to make ldapclient use SSLv2 but it does not work (our machine is running RHEL 5.4 x86_64). First the OpenSSL illustration:

]# openssl s_client -ssl3 -connect 10.1.2.3:636
CONNECTED(00000003)
depth=3 <omitted for privacy>
verify return:1
depth=2 <omitted for privacy>
verify return:1
depth=1 <omitted for privacy>
verify return:1
depth=0 <omitted for privacy>
verify return:1
6759:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
#
but if we use SSLv2 then it works: I am able to establish a connection and see the certificate used.
I have created a small ldap client config file with the following contents:

TLS_REQCERT never
TLS_CIPHER_SUITE SSLv2
I make sure that config is used by setting the "LDAPCONF" variable while calling ldapsearch, like so:

# LDAPCONF=./ldaprc ldapsearch -H ldaps://10.1.2.3:636 -x -s base -D 'CN=binder,OU=Service Accounts,OU=example ou,dc=example,dc=com' -w 'secret' -b '' -d 1
ldap_create
ldap_url_parse_ext(ldaps://10.1.2.3:636)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.1.2.3:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.2.3:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
#
but it mysteriously fails. If I make the configuration file use SSLv3, then the following output is given (but that is expected, as the server does not seem to want to speak SSLv3):

# LDAPCONF=./ldaprc ldapsearch -H ldaps://10.1.2.3:636 -x -s base -D 'CN=binder,OU=Service Accounts,OU=example ou,dc=example,dc=com' -w 'secret' -b '' -d 1
ldap_create
ldap_url_parse_ext(ldaps://10.1.2.3:636)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.1.2.3:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.2.3:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 3, <omitted>
TLS certificate verification: depth: 2, <omitted>
TLS certificate verification: depth: 1, <omitted>
TLS certificate verification: depth: 0, <omitted>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
Any suggestions would be much appreciated.
Regards,
Fred.
openldap-technical@openldap.org
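An added example, not part of the post above and not OpenLDAP project code: the post probes the server by hand with "openssl s_client -ssl3" and "-ssl2"; the script below turns that into a repeatable check that runs one probe per protocol switch, classifies each s_client transcript as a completed or failed handshake, and names the best protocol the endpoint offers, so a monitoring script can flag an "ssl2-only" endpoint as a finding instead of silently lowering the client to SSLv2. It assumes an OpenSSL build whose s_client still accepts the -ssl2/-ssl3/-tls1 switches (the 0.9.8 series shipped with RHEL 5); newer builds have dropped -ssl2 (and usually -ssl3), and those probes then simply report "fail". The host 10.1.2.3:636 is the placeholder address from the post, and the sample transcripts used to check the classifier are constructed. One caveat worth knowing when reading the post's ldaprc: TLS_CIPHER_SUITE is handed to OpenSSL as a cipher list, so "SSLv2" there selects the SSLv2 cipher suites rather than pinning the protocol version.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenLDAP project).
# Probes which SSL/TLS protocol versions an LDAPS endpoint will complete a
# handshake with, using the same "openssl s_client" the post uses.
# Assumes an OpenSSL whose s_client still accepts -ssl2/-ssl3/-tls1
# (OpenSSL 0.9.8 on RHEL 5); on newer builds the dropped switches make
# that probe report "fail". 10.1.2.3:636 is the post's placeholder host.

# classify_handshake: read an s_client transcript on stdin and print "ok"
# if a handshake completed, "fail" otherwise. A completed handshake shows a
# "Cipher    : <name>" line in the SSL-Session summary; a failed one shows
# an "ssl handshake failure" error (as in the post) or "Cipher    : 0000".
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo fail
        return 0
    fi
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ''|0000) echo fail ;;
        *)       echo ok ;;
    esac
}

# probe_proto HOST PORT SWITCH: one s_client attempt restricted to a single
# protocol (SWITCH is ssl2, ssl3 or tls1), classified as ok/fail.
probe_proto() {
    # "echo |" closes stdin so s_client exits after the handshake instead
    # of waiting for application data to send.
    echo | openssl s_client "-$3" -connect "$1:$2" 2>&1 | classify_handshake
}

# verdict SSL2 SSL3 TLS1: given ok/fail for each probe, name the best
# protocol the endpoint offers (tls1, ssl3-only, ssl2-only or none).
verdict() {
    if   [ "$3" = ok ]; then echo tls1
    elif [ "$2" = ok ]; then echo ssl3-only
    elif [ "$1" = ok ]; then echo ssl2-only
    else echo none
    fi
}

# report HOST PORT: probe all three versions and print one summary line;
# an "ssl2-only" verdict is the condition the post describes.
report() {
    host=${1:-10.1.2.3}
    port=${2:-636}
    v2=$(probe_proto "$host" "$port" ssl2)
    v3=$(probe_proto "$host" "$port" ssl3)
    t1=$(probe_proto "$host" "$port" tls1)
    echo "$host:$port ssl2=$v2 ssl3=$v3 tls1=$t1 verdict=$(verdict "$v2" "$v3" "$t1")"
}

# Only touch the network when a host is given on the command line, e.g.
#   sh probe_ldaps.sh 10.1.2.3 636
if [ $# -ge 1 ]; then
    report "$@"
fi
```

Run it with the customer's host and port; the summary line is easy to grep for "verdict=ssl2-only" from the existing check script, which makes the protocol limitation a reported condition rather than something the client quietly accommodates.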