Date: Mon, 22 Nov 2010 13:47:44 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: freebsd-questions@freebsd.org
Subject: Re: TLS enabled LDAP, clients fail to connect
Message-ID: <4CEA6670.9020805@locolomo.org>
In-Reply-To: <AANLkTikGs2Kw4U8Fe956G_FxKOOvO8uXWuskuGeWZc79@mail.gmail.com>
References: <AANLkTikGs2Kw4U8Fe956G_FxKOOvO8uXWuskuGeWZc79@mail.gmail.com>
On 21/11/10 23.20, bluethundr wrote:
> I am attempting to set up SSL/TLS support on my openLDAP 2.4 server on FreeBSD.
...
> [root@VIRTCENT08:/etc/openldap/cacerts]#openssl s_client -connect
> ldap.summitnjhome.com:389 -showcerts -CAfile gd_bundle.crt
> CONNECTED(00000003)
> 3156:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:

From the man page, s_client(1):

"If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the -bugs, -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 options can be tried in case it is a buggy server."

But rather than using s_client, you may try using ldapsearch(1).

I use openldap-sasl-server-2.4.23, in slapd.conf:

    TLSCipherSuite HIGH
    TLSCertificateFile /path/to/server/certs/MyServerCert.cer
    TLSCertificateKeyFile /path/to/server/certs/MyServerKey.key

The server need only be configured with TLSCACertificateFile options if you use TLS for client authentication. Multiple certificates can be stored in this file by concatenating the certificate files.

In ldap.conf:

    TLS_CACERT /path/to/certs/MyCARoot.cer

The MyCARoot.cer must be the CA root certificate used to issue the server certificate. You may add more certificates by concatenation. Other TLS options may be configured to enable TLS client authentication.

Then with the command:

    ldapsearch -Z -h ldap.example.com -x -D "cn=My Name, ou=Some Org, dc=example, dc=com" -w UpsThisIsVerySecret -b "dc=example, dc=com" "(telephoneNumber=*555*)" cn sn telephoneNumber

I connect. In parallel, using snort -vCd port 389, I see this:

    11/22-13:31:15.332512 172.16.1.127:52454 -> 172.16.0.1:389
    TCP TTL:64 TOS:0x0 ID:18677 IpLen:20 DgmLen:83 DF
    ***AP*** Seq: 0x1B6C4BE1 Ack: 0xB1212BEB Win: 0x8218 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1062950892 2880608010
    0....w...1.3.6.1.4.1.1466.20037

That 1.3.6.1.4.1.1466.20037 is the OID for StartTLS. The rest is gibberish, but it works.

BR, Erik
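The "gibberish" around the OID in the snort dump above is the BER encoding of the LDAP StartTLS extended request (RFC 4511, ExtendedRequest with requestName 1.3.6.1.4.1.1466.20037). The following is an added example, written for this page and not code from the thread or from OpenLDAP: it builds that request byte for byte, decodes it back, and renders it the way snort -C prints payloads, so the printable form "0....w...1.3.6.1.4.1.1466.20037" can be checked against the construction. The message ID of 1 is an assumption (a client's first message on a fresh connection); the request is 31 bytes, which matches the snort header arithmetic DgmLen 83 - IpLen 20 - TcpLen 32 = 31.

```python
"""LDAP StartTLS extended request: encode, decode, and snort-style rendering.

Added example, not from the mailing-list thread.  The request is the first
cleartext message ldapsearch -Z sends on port 389 before any TLS handshake,
which is why plain `openssl s_client -connect host:389` fails there.
"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 / RFC 4513 StartTLS OID


def ber_len(n):
    """BER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_starttls_request(message_id=1):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ExtendedRequest }
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    Tag 0x77 = APPLICATION 23, constructed; tag 0x80 = context-specific [0].
    message_id=1 is an assumption about the client's first message."""
    msgid = ber_tlv(0x02, bytes([message_id]))
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, msgid + ext_req)


def parse_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at buf[pos]."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, pos, pos + n


def decode_extended_request(payload):
    """Return (message_id, oid) if payload is a complete LDAP ExtendedRequest,
    otherwise None (wrong tags, truncated, or not LDAP at all)."""
    try:
        tag, s, e = parse_tlv(payload, 0)
        if tag != 0x30 or e > len(payload):
            return None
        tag, s2, e2 = parse_tlv(payload, s)
        if tag != 0x02:
            return None
        msgid = int.from_bytes(payload[s2:e2], "big")
        tag, s3, e3 = parse_tlv(payload, e2)
        if tag != 0x77:
            return None
        tag, s4, e4 = parse_tlv(payload, s3)
        if tag != 0x80 or e4 > e3:
            return None
        return msgid, payload[s4:e4].decode("ascii")
    except (IndexError, UnicodeDecodeError):
        return None


def is_starttls_request(payload):
    """True when the captured payload is the StartTLS extended request.
    Useful as a detection check: port 389 traffic that never shows this
    before a bind is running LDAP in the clear."""
    r = decode_extended_request(payload)
    return r is not None and r[1] == STARTTLS_OID.decode("ascii")


def snort_printable(payload):
    """Render bytes the way snort -C does: printable ASCII kept, rest as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


if __name__ == "__main__":
    req = encode_starttls_request()
    print(len(req), "bytes:", req.hex())
    print(snort_printable(req))
    print(decode_extended_request(req))
```

The four dots after "0" are the outer length (0x1d), the INTEGER tag, its length and the message ID; the three after "w" are the ExtendedRequest length, the [0] tag and the OID length. Newer OpenSSL releases (1.1.1 and later) can drive this exchange themselves with `s_client -starttls ldap`, which was not available to the original poster in 2010; ldapsearch -Z, as suggested above, sends the request itself.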