hi !!!

Then, after a _LONG_ moment and a lot of tests with openssl s_server/s_client and ldapsearch / ldap server... I MANAGED TO FIND THE PROBLEM !!! :)
The solution was :
CAfile MUST be in /etc/ssl/certs !! <<<<<<<<<

But I didn't have this /etc/ssl directory !!! So I just created it and /etc/ssl/certs.

# mkdir /etc/ssl /etc/ssl/certs /etc/ssl/private

Copy my cacert.pem :
# cp /path/to/cacert.pem /etc/ssl/certs

Modify my slapd.conf and ldap.conf :
slapd.conf :
--------------------
TLSCipherSuite : HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/certs/servercrt.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem

/etc/openldap/ldap.conf :
----------------------------------------
Port 636
TLS_CACERT /etc/ssl/certs/cacert.pem

And it works now :)

But it still doesn't work between openssl s_client/s_server.
I always get this "handshake failure" and the "wrong version number" error when I use the -ssl3 or -tls1 option.


** without option in s_server command : **
it works -> protocol tls1

** with ssl2 option in s_server command : **
it works -> protocol ssl2

** with ssl3 option in s_server command : **
doesn't work :
handshake failure / wrong version number

** with tls1 option in s_server : **
doesn't work :
handshake failure / wrong version number


But everything works with ldapsearch and the ldap server :
** ldaps:636 => ok **
** ldap:389 => ok **
** ldap:389 -Z => ok **
** ldap:389 -ZZ => ok **

Is it an openssl bug?? I use openssl 0.9.7d.

I still have one error when I start the ldap server : "Expecting: CERTIFICATE", but everything works :)

When I start openssl s_server, I get the error "Expecting: DH parameters" (only when I start s_server without options !! (ssl2, ssl3 or tls1)), but it works :) :)

Does someone know something about this???


Then I hope it will help :)
Gabrielle
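The slapd.conf / ldap.conf settings above, and the "no shared cipher" and "Expecting: CERTIFICATE" trouble in the original mail quoted below, can be checked before restarting slapd. The script that follows is an added example, not code from this thread nor from OpenLDAP or OpenSSL. It parses the TLS directives of both files, reports a ':' between a directive and its value (slapd.conf and ldap.conf directives take none), flags cipher-list tokens that leave SSLv2 or other weak suites enabled (in the posted "HIGH:MEDIUM:+SSLv2", the '+' only moves the SSLv2 suites to the end of the list; '!SSLv2' removes them), and confirms that each referenced PEM file exists and contains a block with the label OpenSSL expects, which is what its "no start line ... Expecting: CERTIFICATE" error complains about. The paths, directive values and PEM bodies used by example_findings() are constructed for the demonstration and are not real keys or certificates.

```python
import os
import re
import tempfile

# TLS file directives (matched case-insensitively) and the PEM block label
# OpenSSL expects in the referenced file.
SERVER_FILE_DIRECTIVES = {
    "tlscertificatefile": ("TLSCertificateFile", "CERTIFICATE"),
    "tlscertificatekeyfile": ("TLSCertificateKeyFile", "PRIVATE KEY"),
    "tlscacertificatefile": ("TLSCACertificateFile", "CERTIFICATE"),
}
CLIENT_FILE_DIRECTIVES = {"tls_cacert": ("TLS_CACERT", "CERTIFICATE")}
# OpenSSL cipher-list tokens that keep weak or unauthenticated suites enabled.
WEAK_TOKENS = {"SSLv2", "LOW", "EXPORT", "NULL", "aNULL", "eNULL", "ADH"}


def parse_conf(text):
    """Parse 'Directive value...' lines of slapd.conf or ldap.conf.
    Returns (directives, notes); a ':' between directive and value is not
    part of either file's syntax, so it is dropped and reported as a note."""
    directives, notes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name, args = parts[0], parts[1:]
        if args and args[0] == ":":
            notes.append(f"{name}: stray ':' after the directive name")
            args = args[1:]
        directives[name.lower()] = " ".join(args)
    return directives, notes


def weak_cipher_tokens(cipher_list):
    """Tokens of an OpenSSL cipher list that leave weak suites enabled:
    '!TOK' and '-TOK' remove suites, but '+TOK' only reorders them and a
    bare TOK adds them, so those two forms are flagged."""
    flagged = []
    for tok in cipher_list.split(":"):
        tok = tok.strip()
        if tok and tok[0] not in "!-" and tok.lstrip("+") in WEAK_TOKENS:
            flagged.append(tok)
    return flagged


def pem_labels(path):
    """Set of PEM block labels in a file, e.g. {'CERTIFICATE', 'RSA PRIVATE KEY'}."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return set(re.findall(r"^-----BEGIN ([A-Z0-9 ]+)-----$", fh.read(), re.M))


def check_pem_file(display, path, expected):
    """Finding text if the file is missing or has no block with the expected
    label (a mismatch is what OpenSSL reports as 'Expecting: <label>')."""
    if not os.path.isfile(path):
        return f"{display}: {path} does not exist"
    labels = pem_labels(path)
    if not any(lab == expected or lab.endswith(" " + expected) for lab in labels):
        return f"{display}: {path} has no {expected} block (found: {sorted(labels) or 'none'})"
    return None


def audit(slapd_conf, ldap_conf):
    """Audit the TLS directives of a slapd.conf and a client ldap.conf; return findings."""
    findings = []
    server, notes = parse_conf(slapd_conf)
    findings.extend(notes)
    client, notes = parse_conf(ldap_conf)
    findings.extend(notes)
    for tok in weak_cipher_tokens(server.get("tlsciphersuite", "")):
        findings.append(f"TLSCipherSuite: '{tok}' keeps weak suites enabled")
    for conf, table in ((server, SERVER_FILE_DIRECTIVES), (client, CLIENT_FILE_DIRECTIVES)):
        for key, (display, expected) in table.items():
            if key in conf:
                problem = check_pem_file(display, conf[key], expected)
                if problem:
                    findings.append(problem)
    return findings


def example_findings():
    """Audit a weak and a hardened configuration built in a temporary directory.
    The PEM files are constructed placeholders: only their labels matter here."""
    blocks = {"cacert.pem": "CERTIFICATE", "servercrt.pem": "CERTIFICATE",
              "serverkey.pem": "RSA PRIVATE KEY"}
    with tempfile.TemporaryDirectory() as root:
        path = {name: os.path.join(root, name) for name in blocks}
        for name, label in blocks.items():
            with open(path[name], "w") as fh:
                fh.write(f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n")
        weak_slapd = ("TLSCipherSuite : HIGH:MEDIUM:+SSLv2\n"
                      f"TLSCertificateFile {path['servercrt.pem']}\n"
                      f"TLSCertificateKeyFile {path['serverkey.pem']}\n"
                      f"TLSCACertificateFile {root}/missing-cacert.pem\n")
        hardened_slapd = ("TLSCipherSuite HIGH:!SSLv2:!aNULL:!eNULL:!EXPORT:!LOW\n"
                          f"TLSCertificateFile {path['servercrt.pem']}\n"
                          f"TLSCertificateKeyFile {path['serverkey.pem']}\n"
                          f"TLSCACertificateFile {path['cacert.pem']}\n")
        ldap_conf = f"TLS_CACERT {path['cacert.pem']}\n"
        return audit(weak_slapd, ldap_conf), audit(hardened_slapd, ldap_conf)


if __name__ == "__main__":
    weak, hardened = example_findings()
    print("weak config:", *weak, sep="\n  ")
    print("hardened config:", hardened or "no findings")
```

Run as-is it prints three findings for the weak configuration (the stray ':', the '+SSLv2' token, the missing CA file) and none for the hardened one; to audit a real installation, pass the contents of the actual slapd.conf and ldap.conf to audit(). The label check is deliberately loose ("RSA PRIVATE KEY" satisfies "PRIVATE KEY") because OpenSSL accepts several key encodings; it does not verify that the key matches the certificate or that the CA signed it.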




From: "SECRET Defense" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: [SSL/TLS and LDAP]  : wrong number version
Date: Wed, 05 May 2004 18:10:45 +0200

hello !

First of all, I have a Debian woody with openssl 0.9.7, openldap 2.1.23, BerkeleyDB 4.1.25.

I would like to use the SSL/TLS support with ldap.
So I have (re)installed openssl 0.9.7 (with the "shared" option) :
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl no-kbr5 shared => ok
make depend => ok
make => ok
make test => ok
make install => ok



After that I created the certificates (http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0), no problem, except for : # /usr/share/ssl/misc/CA.sh -sign

configuration file routines : N_CONF_get_string : no value : conf_lib.c :328: group=CA_default name = unique_subject

I can create my certificates, I verified them :
( http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#verify )
they are ok...

After that, I tried to use openssl s_server and openssl s_client __with no option__ :
# openssl s_server -accept 1982 -cert /usr/local/openldap/var/openldap-data/servercert.pem -key /usr/local/openldap/var/openldap-data/serverkey.pem -debug -bugs
It works !
Protocol : TLSv1


Other test __with ssl2 option__ :
# openssl s_server -accept 1982 -cert /usr/local/openldap/var/openldap-data/servercert.pem -key /usr/local/openldap/var/openldap-data/serverkey.pem -debug -bugs -ssl2
It works !
Protocol : SSLv2


Other test __with ssl3 option__ :
# openssl s_server -accept 1982 -cert /usr/local/openldap/var/openldap-data/servercert.pem -key /usr/local/openldap/var/openldap-data/serverkey.pem -debug -bugs -ssl3
It DOESN'T work ! :'( (for more than 3 weeks now..)
the server says :
"SSL routines : SSL3_GET_RECORD : wrong version number:s3_pkt.c:297"
when I do :
# openssl s_client -connect svrldap.tzm.fr:1982 -CAfile /usr/local/openldap/var/openldap-data/cacert.pem -showcerts -state



Other test __with tls1 option__ :
# openssl s_server -accept 1982 -cert /usr/local/openldap/var/openldap-data/servercert.pem -key /usr/local/openldap/var/openldap-data/serverkey.pem -debug -bugs -tls1
It DOESN'T work ! :'(
the server says :
"SSL routines : SSL3_GET_RECORD : wrong version number:s3_pkt.c:297"
when I do :
# openssl s_client -connect svrldap.tzm.fr:1982 -CAfile /usr/local/openldap/var/openldap-data/cacert.pem -showcerts -state




So, I don't understand...
Why can't I use the tls1 option and the ssl3 option??
The default (no option in the s_server command) is TLSv1, so why doesn't it work when I ask for tls1 only???????????????????????



I tried something else : I started my ldap server on the 2 ports (389 and 636).

test 1 :
ldapsearch -x -b"dc=tzm_fr" -H 'ldap://svrldap.tzm.fr:389'
=> ok

test 2 :
ldapsearch -x -b"dc=tzm_fr" -H 'ldap://svrldap.tzm.fr:389' -Z
DOESN'T work !
client : ldap_start_tls : connect error: handshake failure
ldap_bind : can't contact LDAP server : handshake failure
server : SSL routines : SSL3_GET_CLIENT_HELLO: no shared cipher

test 3 :
ldapsearch -x -b"dc=tzm_fr" -H 'ldap://svrldap.tzm.fr:389' -ZZ
DOESN'T work !
client : ldap_start_tls : connect error: handshake failure
server : SSL routines : SSL3_GET_CLIENT_HELLO: no shared cipher

test 4 :
ldapsearch -x -b"dc=tzm_fr" -H 'ldaps://svrldap.tzm.fr:636'
DOESN'T work !
client : ldap_start_tls : connect error: handshake failure
server : SSL routines : SSL3_GET_CLIENT_HELLO: no shared cipher




What can it be???????? What does it mean?? I have this in my slapd.conf :
TLSCiphersuite : HIGH:MEDIUM:+SSLv2
TLSCertificateFile path/to/servercert.pem
TLSCACertificateFile : path/to/Cacert.pem
TLSCertificateKeyFile : path/to/key.pem

I tried a lot of cipher suites, but always the same error... :/

Have you an idea?? Because I'm lost!!!!!!

Did someone manage to use TLS/SSL with openldap 2.1.23????????

Please help me, because SSL/TLS - LDAP is a very big part of my internship..

Thanks in advance
Gabrielle

PS : sorry for my English :)

_________________________________________________________________
Hotmail: a FREE account that follows you everywhere, all the time! http://g.msn.fr/FR1000/9493


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
