In message <[EMAIL PROTECTED]> on Wed, 23 Mar 2005 15:34:29 +0100 (CET), fatima 
riadi <[EMAIL PROTECTED]> said:

ftmriadi> Once checking the SSL conection (by running the
ftmriadi> command: 'openssl s_client -connect localhost:636
ftmriadi> -showcerts -state -CAfile /path/to/ca.pem'), I get the
ftmriadi> following output:
ftmriadi>   
ftmriadi>   CONNECTED(00000003)
ftmriadi>   SSL_connect:before/connect initialization
ftmriadi>   SSL_connect:SSLv2/v3 write client hello A
ftmriadi>   SSL3 alert read:fatal:handshake failure
ftmriadi>   SSL_connect:error in SSLv2/v3 read server hello A
ftmriadi>   2338:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:

Your client runs with the "umbrella" mode 'SSLv2/v3', which enables
negotiation of the actual SSL/TLS version.  Unfortunately:

ftmriadi> My server's debug output shows:
ftmriadi> 
ftmriadi>   TLS trace: SSL3 alert write:fatal:handshake failure
ftmriadi>   TLS trace: SSL_accept:error in SSLv3 read client hello B
ftmriadi>   TLS trace: SSL_accept:error in SSLv3 read client hello B
ftmriadi>   TLS: can't accept.
ftmriadi>   TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
ftmriadi>   connection_read(8): TLS accept error error=-1 id=0, closing
ftmriadi>   connection_closing: readying conn=0 sd=8 for close
ftmriadi>   connection_close: conn=0 sd=8
ftmriadi>   daemon: removing 8
ftmriadi>   daemon: select: listen=6 active_threads=0 tvp=NULL
ftmriadi>   daemon: select: listen=7 active_threads=0 tvp=NULL
ftmriadi>   daemon: activity on 1 descriptors
ftmriadi>   daemon: select: listen=6 active_threads=0 tvp=NULL
ftmriadi>   daemon: select: listen=7 active_threads=0 tvp=NULL

It seems like your server runs in forced SSLv3 mode.  That mode will
not work well with someone who attempts an 'SSLv2/v3' type of
negotiation, so either you must tell 'openssl s_client' to use the
forced SSLv3 mode (you simply add the flag '-ssl3'), or you need to
tell your server to run the "umbrella" mode.  If you do the latter,
there would also be a way to tell it what SSL/TLS versions are
acceptable.

Start with testing if the following works:

openssl s_client -connect localhost:636 -showcerts -state -ssl3 \
        -CAfile /path/to/ca.pem 

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
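The two traces in this thread show the same failed handshake from both ends: the client only sees a generic "sslv3 alert handshake failure", while the server log carries the real reason, "no shared cipher". The following Python helper is an added example (not part of the reply above or of OpenSSL itself) that decodes the packed `error:LLFFFRRR:...` strings from 0.9.x-era OpenSSL output and pairs a client trace with a server trace so the root cause is read from the server side. The packing (8 bits library, 12 bits function, 12 bits reason), `SSL_R_NO_SHARED_CIPHER = 193` and the rule that received-alert reasons are `1000 + alert number` come from OpenSSL's `err.h`/`ssl.h`; the `diagnose()` function, the `REASON_HINTS` table and the sample traces (rejoined from the wrapped lines in the thread) are constructed for this example.

```python
import re

# OpenSSL packs an error as 0xLLFFFRRR: 8 bits library, 12 bits function,
# 12 bits reason (ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON in err.h).
ERR_LINE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:\n]+)"
)

ERR_LIB_SSL = 0x14                 # library number of libssl
SSL_R_NO_SHARED_CIPHER = 193       # 0x0C1 in ssl.h
ALERT_REASON_BASE = 1000           # SSL_R_*_ALERT_* reasons are 1000 + alert number
SSL_AD_HANDSHAKE_FAILURE = 40      # TLS alert "handshake_failure"

# Hints for the reasons seen in this thread (constructed table, not from OpenSSL).
REASON_HINTS = {
    SSL_R_NO_SHARED_CIPHER: "server and client agreed on no cipher suite; "
                            "check the protocol version the server forces and its cipher list",
}


def unpack(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line):
    """Return a dict describing the OpenSSL error in `line`, or None if it has none."""
    m = ERR_LINE.search(line)
    if not m:
        return None
    lib, func, reason = unpack(int(m.group("code"), 16))
    # A reason >= 1000 means "the peer sent us this alert"; the alert number is the remainder.
    alert = reason - ALERT_REASON_BASE if reason >= ALERT_REASON_BASE else None
    return {
        "lib": lib,
        "func": func,
        "reason": reason,
        "alert": alert,
        "func_name": m.group("func"),
        "reason_text": m.group("reason").strip(),
    }


def diagnose(client_trace, server_trace):
    """Pair the first SSL error from each side; the server reason is the root cause."""
    client = next((e for e in map(parse_line, client_trace.splitlines()) if e), None)
    server = next((e for e in map(parse_line, server_trace.splitlines()) if e), None)
    result = {"client_alert": None, "server_reason": None, "hint": None}
    if client and client["lib"] == ERR_LIB_SSL:
        result["client_alert"] = client["alert"]
    if server and server["lib"] == ERR_LIB_SSL:
        result["server_reason"] = server["reason_text"].split(" s3_")[0]  # drop a wrapped file name
        result["hint"] = REASON_HINTS.get(server["reason"])
    return result


# Constructed sample traces, rejoined from the wrapped lines quoted in the thread.
CLIENT_TRACE = """CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
2338:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
"""

SERVER_TRACE = """TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:882
connection_read(8): TLS accept error error=-1 id=0, closing
"""

if __name__ == "__main__":
    r = diagnose(CLIENT_TRACE, SERVER_TRACE)
    print("client saw alert", r["client_alert"], "(40 = handshake_failure)")
    print("server reason:", r["server_reason"])
    print("hint:", r["hint"])
```

Run it on a client `s_client -state` transcript and the server's `TLS trace` lines: a client-side reason of 1040 (alert 40) is only the messenger, and the decoded server-side reason (193 here) is where to look before changing anything on the client.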