Hi everybody,
I'm trying to run OpenLDAP 2.2.13 on a CentOS 4.8 box with TLS/SSL enabled. Certificate should be ok (fqdn set as common name!), self-signed since I can't copy a cacert file to all clients that will one day have to connect to the server (among others a few iPhones).
"openssl x509 -in slapd.pem -noout -text" returns the correct contents of the certificate, "openssl s_client -connect localhost:636 -showcerts" works too (although it does hang at the end right after "---" which I guess is normal.. haven't left it running for 300 seconds yet). However, whenever trying to connect to my LDAP server through port 636 I get the above error message. The full message when performing "ldapsearch -x -h localhost:636 -b dc=home" (no difference if I replace localhost with the fqdn):
daemon: activity on 1 descriptors daemon: new connection on 10 daemon: added 10r daemon: activity on: daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptors daemon: activity on: 10r daemon: read activity on 10 connection_get(10): got connid=7 connection_read(10): checking for input on id=7 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:error in SSLv2/v3 read client hello A TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol s23_srvr.c:580
connection_read(10): TLS accept error error=-1 id=7, closing connection_closing: readying conn=7 sd=10 for close connection_close: conn=7 sd=10 daemon: removing 10 daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptors daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL
Same error message when trying to connect with jxplorer or Thunderbird. Any ideas what else I could try? I've tried various ways of creating a certificate, including both the CentOS recommended "make slapd.pem" in /usr/share/ssl/certs and the "openssl" way, but neither made any difference. They all resulted in the exact same error pattern. Frankly, I'm out of ideas.
Thanks in advance, Martin
On Wed, 15 Dec 2010 22:27:23 +0000 (UTC), Martin Jungowski martin@rhm.de wrote:
> Hi everybody,
> I'm trying to run OpenLDAP 2.2.13 on a CentOS 4.8 box with TLS/SSL enabled. Certificate should be ok (fqdn set as common name!), self-signed since I can't copy a cacert file to all clients that will one day have to connect to the server (among others a few iPhones).
> "openssl x509 -in slapd.pem -noout -text" returns the correct contents of the certificate, "openssl s_client -connect localhost:636 -showcerts" works too (although it does hang at the end right after "---" which I guess is normal... haven't left it running for 300 seconds yet). However, whenever trying to connect to my LDAP server through port 636 I get the above error message. The full message when performing "ldapsearch -x -h localhost:636 -b dc=home" (no difference if I replace localhost with the fqdn):
>
> daemon: activity on 1 descriptors
> daemon: new connection on 10
> daemon: added 10r
> daemon: activity on:
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10): got connid=7
> connection_read(10): checking for input on id=7
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
Probably a protocol mismatch in slapd.conf and ldap.conf. The protocol used is defined as part of the cipher suite, something like SSLv2 or TLSv1.
-Dieter
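The "unknown protocol" in the quoted trace is raised by OpenSSL's SSL23 hello parser (s23_srvr.c) when the first bytes a client sends are neither an SSLv2-compatible CLIENT-HELLO nor an SSLv3/TLS handshake record, so comparing what the client actually puts on the wire with what the listener expects is the check that goes with Dieter's protocol-mismatch hint. The Python below is an added example, not code from this thread, from OpenLDAP or from OpenSSL; it rebuilds that decision on constructed byte layouts, including the plain BER-encoded BindRequest that an `ldapsearch -x` client sends when it speaks unencrypted LDAP, and the exact bytes are assumed for illustration.

```python
# Added example: mirror OpenSSL's SSL23 first-bytes decision so that a
# captured client hello (or a plaintext LDAP message) can be classified
# offline. All byte layouts below are constructed for the example.

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 0x80, otherwise long form (1 byte)."""
    return bytes([n]) if n < 0x80 else bytes([0x81, n])

def ldap_anonymous_bind(msg_id: int = 1) -> bytes:
    """BER encoding of the anonymous simple BindRequest that 'ldapsearch -x' sends.
    BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name "", simple "" }."""
    bind = b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"
    body = b"\x02\x01" + bytes([msg_id]) + b"\x60" + ber_len(len(bind)) + bind
    return b"\x30" + ber_len(len(body)) + body      # LDAPMessage ::= SEQUENCE

def tls_client_hello_prefix(major: int = 3, minor: int = 1) -> bytes:
    """First bytes of an SSLv3/TLS record (type 0x16 handshake) carrying a ClientHello (0x01)."""
    return bytes([0x16, major, minor, 0x00, 0x40, 0x01])

def sslv2_client_hello_prefix() -> bytes:
    """SSLv2-compatible hello: 2-byte length with the high bit set, then msg type 1."""
    return bytes([0x80, 0x2E, 0x01, 0x03, 0x01])

def classify_first_bytes(data: bytes) -> str:
    """Simplified version of the checks in ssl23_get_client_hello(): which hello
    flavour the server saw, or the reason string it reports instead."""
    if len(data) < 5:
        return "need more bytes"
    if data[0] & 0x80 and data[2] == 0x01:            # SSL2_MT_CLIENT_HELLO
        return "SSLv2-compatible CLIENT-HELLO"
    if data[0] == 0x16 and data[1] == 0x03:           # SSL3_RT_HANDSHAKE, major 3
        return "SSLv3/TLS handshake record"
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "HTTP request (SSL_R_HTTP_REQUEST)"
    if data[:7] == b"CONNECT":
        return "HTTPS proxy request (SSL_R_HTTPS_PROXY_REQUEST)"
    return "unknown protocol (SSL_R_UNKNOWN_PROTOCOL)"

if __name__ == "__main__":
    for label, first in (("TLSv1 ClientHello", tls_client_hello_prefix()),
                         ("SSLv2 hello", sslv2_client_hello_prefix()),
                         ("plain LDAP BindRequest", ldap_anonymous_bind())):
        print(f"{label:24s} {first[:6].hex():14s} -> {classify_first_bytes(first)}")
```

A plain LDAP message starts with the BER SEQUENCE tag 0x30, which matches none of the hello shapes, so a listener that only ever sees that byte reports exactly the trace line quoted above.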
openldap-technical@openldap.org