TLS enabled LDAP, clients fail to connect

Erik Norgaard norgaard at locolomo.org
Mon Nov 22 12:47:48 UTC 2010 

On 21/11/10 23.20, bluethundr wrote:
> I am attempting to setup SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
...
> [root at VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
> ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt
> CONNECTED(00000003)
> 3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:

 From the man page, s_client(1):

"If the handshake fails then there are several possible causes, if it is 
nothing obvious like no client certificate then the -bugs, -ssl2, -ssl3, 
-tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case it is a 
buggy server."

But rather than using s_client, you may try using ldapsearch(1)

I use openldap-sasl-server-2.4.23, in slapd.conf:

TLSCipherSuite          HIGH
TLSCertificateFile      /path/to/server/certs/MyServerCert.cer
TLSCertificateKeyFile   /path/to/server/certs/MyServerKey.key

The server need only be configured with TLSCACertificateFile options if 
you use TLS for client authentication. Multiple certificates can be 
stored in this file by concatenating the certificate files.

in ldap.conf:

TLS_CACERT      /path/to/certs/MyCARoot.cer

The MyCARoot.cer must be the CA root certificate used to issue the 
server certificate. You may add more certificates by concatenation.

Other TLS options may be configured to enable TLS client authentication.

Then with the command:

ldapsearch -Z -h ldap.example.com -x -D "cn=My Name, ou=Some Org, 
dc=example, dc=com" -w UpsThisIsVerySecret -b "dc=example, dc=com" 
"(telephoneNumber=*555*)" cn sn telephoneNumber

I connect, in paralel using snort -vCd port 389, I see this:

11/22-13:31:15.332512 172.16.1.127:52454 -> 172.16.0.1:389
TCP TTL:64 TOS:0x0 ID:18677 IpLen:20 DgmLen:83 DF
***AP*** Seq: 0x1B6C4BE1  Ack: 0xB1212BEB  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1062950892 2880608010
0....w...1.3.6.1.4.1.1466.20037

That 1.3.6.1.4.1.1466.20037 is the OID for StartTLS. The rest is 
giberish, but it works.

BR, Erik

More information about the freebsd-questions mailing list