TLS enabled LDAP, clients fail to connect
Erik Norgaard
norgaard at locolomo.org
Mon Nov 22 12:47:48 UTC 2010
On 21/11/10 23.20, bluethundr wrote:
> I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
...
> [root at VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
> ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt
> CONNECTED(00000003)
> 3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:
From the man page, s_client(1):
"If the handshake fails then there are several possible causes, if it is
nothing obvious like no client certificate then the -bugs, -ssl2, -ssl3,
-tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case it is a
buggy server."
But rather than using s_client, you may try using ldapsearch(1)
I use openldap-sasl-server-2.4.23, in slapd.conf:
TLSCipherSuite HIGH
TLSCertificateFile /path/to/server/certs/MyServerCert.cer
TLSCertificateKeyFile /path/to/server/certs/MyServerKey.key
The server need only be configured with TLSCACertificateFile options if
you use TLS for client authentication. Multiple certificates can be
stored in this file by concatenating the certificate files.
in ldap.conf:
TLS_CACERT /path/to/certs/MyCARoot.cer
The MyCARoot.cer must be the CA root certificate used to issue the
server certificate. You may add more certificates by concatenation.
Other TLS options may be configured to enable TLS client authentication.
Then with the command:
ldapsearch -Z -h ldap.example.com -x \
  -D "cn=My Name, ou=Some Org, dc=example, dc=com" -w UpsThisIsVerySecret \
  -b "dc=example, dc=com" "(telephoneNumber=*555*)" cn sn telephoneNumber
I connect; in parallel, using snort -vCd port 389, I see this:
11/22-13:31:15.332512 172.16.1.127:52454 -> 172.16.0.1:389
TCP TTL:64 TOS:0x0 ID:18677 IpLen:20 DgmLen:83 DF
***AP*** Seq: 0x1B6C4BE1 Ack: 0xB1212BEB Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1062950892 2880608010
0....w...1.3.6.1.4.1.1466.20037
That 1.3.6.1.4.1.1466.20037 is the OID for StartTLS. The rest is
gibberish, but it works.
BR, Erik
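The capture at the end of Erik's message, as an added example that is not part of the post and not OpenLDAP's own code: a minimal Python StartTLS client that builds the same 31-byte ExtendedRequest (the 83-byte datagram minus 20 bytes of IP and 32 bytes of TCP header), which snort -C renders exactly as "0....w...1.3.6.1.4.1.1466.20037" because 0x30 (SEQUENCE) and 0x77 ([APPLICATION 23] ExtendedRequest) happen to be printable while the length and [0] requestName bytes around the OID are not. It then parses the server's ExtendedResponse and only on resultCode success wraps the socket in TLS, with the CA file doing the job of ldap.conf TLS_CACERT. This is also why the s_client command quoted at the top fails: -connect host:389 starts a TLS handshake on a port that expects cleartext LDAP first (OpenSSL 1.1.1 and later can do the upgrade with -starttls ldap). The message ID, the constructed server reply, and the hostname and CA path in the usage comment are assumptions.

```python
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER definite length: one byte below 128, else 0x80|count then the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """INTEGER, minimal two's-complement encoding (enough for LDAP message IDs)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def starttls_request(msgid=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }.
    Tag bytes on the wire: 0x30 SEQUENCE, 0x77 ExtendedRequest, 0x80 requestName."""
    return tlv(0x30, ber_int(msgid) + tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii"))))


def read_tlv(buf, pos):
    """Decode one definite-length TLV at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        count = ln & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")
        ln, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + ln > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + ln], pos + ln


def parse_extended_response(buf):
    """Parse LDAPMessage { messageID, [APPLICATION 24] ExtendedResponse }:
    resultCode, matchedDN, diagnosticMessage, then optional [10] responseName."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, p = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(msg, p)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, rc, p = read_tlv(body, 0)        # resultCode ENUMERATED
    _, _matched, p = read_tlv(body, p)  # matchedDN
    _, diag, p = read_tlv(body, p)      # diagnosticMessage
    name = None
    while p < len(body):                # optional referral / responseName / responseValue
        tag, val, p = read_tlv(body, p)
        if tag == 0x8A:
            name = val.decode("ascii")
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", "replace"),
            "response_name": name}


def sample_extended_response(msgid=1, result_code=0, diagnostic=""):
    """Constructed server reply for offline testing; not a real capture."""
    body = (tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") +
            tlv(0x04, diagnostic.encode()) + tlv(0x8A, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, ber_int(msgid) + tlv(0x78, body))


def snort_printable(data):
    """Render bytes the way snort -C shows them: printable ASCII kept, the rest as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection before the StartTLS reply")
        data += chunk
    return data


def recv_ldap_message(sock):
    """Read exactly one LDAPMessage (tag, length, then the value) off the socket."""
    hdr = recv_exact(sock, 2)
    ln = hdr[1]
    if ln & 0x80:
        extra = recv_exact(sock, ln & 0x7F)
        hdr, ln = hdr + extra, int.from_bytes(extra, "big")
    return hdr + recv_exact(sock, ln)


def starttls(sock, cafile, server_hostname):
    """Send StartTLS over a cleartext port-389 socket, then upgrade it to TLS.
    cafile plays the role of TLS_CACERT: the CA that issued the server certificate."""
    sock.sendall(starttls_request(1))
    reply = parse_extended_response(recv_ldap_message(sock))
    if reply["result_code"] != 0:
        raise RuntimeError("StartTLS refused: code %d: %s" % (reply["result_code"], reply["diagnostic"]))
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    req = starttls_request(1)
    print(len(req), "bytes:", snort_printable(req))
    # Live use (placeholders, needs a reachable slapd):
    #   import socket
    #   tls = starttls(socket.create_connection(("ldap.example.com", 389)),
    #                  "/path/to/certs/MyCARoot.cer", "ldap.example.com")
```

If the server answers with a non-zero resultCode, the diagnostic message is what slapd has to say about its TLS setup (missing certificate, unreadable key), which is far more useful than the "ssl handshake failure" that a raw TLS ClientHello on port 389 produces.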
More information about the freebsd-questions
mailing list