-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

In http://marc.theaimsgroup.com/?l=openssl-users&m=116111352610602&w=2
Geert Van Muylem reports a similar problem but didn't get a response, so
I just repost this issue along with my findings.

=============
= Short form:
=============

I can't connect to my Active Directory server's LDAPS port due to an SSL
handshake failure. I can reproduce the following using several different
versions and builds (Windows, FreeBSD, Solaris, Linux) of OpenSSL.

openssl s_client -connect windowsserver.fqdn:636 -CAfile /etc/ldap-certs

gives me a handshake failure:

===============================================================================
65580:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:226:
===============================================================================

If I add any of the "-debug", "-pause", "-ssl2" command line switches,
the connection is established fine...

When using a different SSL stack (i.e. Windows' own one, Mozilla
Thunderbird's NSS SSL library), the connection is established, too.

Has anyone encountered similar behaviour? Is it a bug in OpenSSL? Is it
maybe related to "Excessive Message Size"
http://marc.theaimsgroup.com/?l=openssl-users&m=109407896323615&w=2 ?

================================
= The long form, including Logs:
================================

After installing a third-party signed SSL certificate on my Windows 2003
Server Active Directory according to http://support.microsoft.com/kb/321051
and successfully testing it with LDP.exe (Windows LDAP tool), I am
encountering a weird behaviour when connecting from a Unix box:

openssl s_client -connect windowsserver.fqdn:636 -CAfile /etc/ldap-certs

gives me a handshake failure:

===============================================================================
CONNECTED(00000003)
depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Classic - G01
verify return:1
depth=1 /C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=TU Clausthal CA/[EMAIL PROTECTED]
verify return:1
depth=0 /C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=loony.rz.tu-clausthal.de
verify return:1
65580:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:226:
===============================================================================

But when I enable debugging (i.e. slow the connect down) or use the
"-pause" command line switch to openssl s_client, everything works ok:

===============================================================================
CONNECTED(00000003)
depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Classic - G01
verify return:1
depth=1 /C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=TU Clausthal CA/[EMAIL PROTECTED]
verify return:1
depth=0 /C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=loony.rz.tu-clausthal.de
verify return:1
- ---
Certificate chain
 0 s:/C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=loony.rz.tu-clausthal.de
   i:/C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=TU Clausthal CA/[EMAIL PROTECTED]
 1 s:/C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=TU Clausthal CA/[EMAIL PROTECTED]
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Classic - G01
- ---
Server certificate
- -----BEGIN CERTIFICATE-----
MIIFaDCCBFCgAwIBAgIECMIIIjANBgkqhkiG9w0BAQUFADCBkjELMAkGA1UEBhMC
[...snip...]
uaYlXm7V9FsyJnFD2NQDqqHWq06oXO4bU56ItqhyC1imjgQQIJQBDKrF614=
- -----END CERTIFICATE-----
subject=/C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=loony.rz.tu-clausthal.de
issuer=/C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=TU Clausthal CA/[EMAIL PROTECTED]
- ---
Acceptable client certificate CA names
[...shortened, didn't seem interesting...]
- ---
SSL handshake has read 6154 bytes and written 464 bytes
- ---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 102400009BDD594E6960B392F17C1DC5A32FE58B5CC31ACFBA5287C913AA0DFF
    Session-ID-ctx:
    Master-Key: 160034A2A91FC70E8F59F44ECC521FC426675B64B0D5F1FB5CC2FC13D3FE8F7F15A96C677363539007497557366E1EFF
    Key-Arg   : None
    Start Time: 1171372661
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
- ---
^C
===============================================================================

I also found out that the handshake succeeds when I'm forcing SSLv2 (see
short form above), but of course that too is no solution for my problem.

Looks like a timing issue - has anyone encountered this before?

bye
Christian

- --
Christian Marg                  mail: mailto:[EMAIL PROTECTED]
Rechenzentrum TU Clausthal      web : http://www.rz.tu-clausthal.de
D-38678 Clausthal-Zellerfeld    fon : 05323/72-2043
Germany                         ICQ : <on request>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF000VXwu7mUb3ymMRApnWAJ9JoCco0aVoahkAfCm8MJyAIQWSUQCdGUoP
NFxmzxGxMjFkna+1FuMiHjc=
=ancw
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
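As an added example that is not part of Christian's post and not OpenSSL project code: the two transcripts above differ only after the chain verification lines, and the error line packs its diagnosis into a hex code. The script below parses s_client output of this vintage into a dict (chain depths with their "verify return", the decoded error line, and the negotiated protocol, cipher, key size and byte counts) so a failing and a working run can be diffed field by field. The two sample transcripts are reconstructed from the post with the certificate body omitted; the split of a packed error code into an 8-bit library, 12-bit function and 12-bit reason field is the OpenSSL 0.9.x/1.0.x ERR_get_error() layout (OpenSSL 3 no longer uses the function field).

```python
"""Parse `openssl s_client` transcripts into a dict that two runs can be diffed on.
Added example, reconstructed around the output quoted in the post; not OpenSSL code."""
import re

_DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
_VERIFY_RETURN_RE = re.compile(r"^verify return:(\d+)$")
_HANDSHAKE_RE = re.compile(r"^SSL handshake has read (\d+) bytes and written (\d+) bytes$")
_KEY_RE = re.compile(r"^Server public key is (\d+) bit$")
_PROTOCOL_RE = re.compile(r"^Protocol\s*:\s*(\S+)$")
_CIPHER_RE = re.compile(r"^Cipher\s*:\s*(\S+)$")
_VERIFY_CODE_RE = re.compile(r"^Verify return code:\s*(\d+) \(")


def decode_openssl_error(code_hex):
    """Split a packed 0.9.x/1.0.x error code (8-bit lib, 12-bit func, 12-bit reason)."""
    code = int(code_hex, 16)
    return {"library": code >> 24, "function": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def parse_error_line(line):
    """Parse 'pid:error:code:lib:func:reason:file:line:' as printed by s_client."""
    parts = line.split(":", 6)
    if len(parts) < 7 or parts[1] != "error":
        return None
    tail = parts[6].rsplit(":", 2)  # split 'file:line:' from the right: keeps 'C:\...' paths whole
    err = decode_openssl_error(parts[2])
    err.update(code=parts[2], library_name=parts[3], function_name=parts[4], reason_text=parts[5],
               file=tail[0], line=int(tail[1]) if len(tail) > 1 and tail[1].isdigit() else None)
    return err


def parse_s_client(transcript):
    """Summarise one run: chain verification, any error line, negotiated session fields."""
    s = dict.fromkeys(["error", "handshake_read", "handshake_written", "key_bits", "protocol",
                       "cipher", "verify_code"])
    s.update(connected=False, chain=[])
    current = None
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("- "):          # undo PGP dash-escaping ('- ---' -> '---')
            line = line[2:]
        if line.startswith("CONNECTED("):
            s["connected"] = True
        elif (m := _DEPTH_RE.match(line)):
            current = {"depth": int(m.group(1)), "name": m.group(2), "verify_return": None}
            s["chain"].append(current)
        elif (m := _VERIFY_RETURN_RE.match(line)) and current is not None:
            current["verify_return"] = int(m.group(1))   # 1 = callback accepted this depth
            current = None
        elif ":error:" in line:
            s["error"] = parse_error_line(line)
        elif (m := _HANDSHAKE_RE.match(line)):
            s["handshake_read"], s["handshake_written"] = int(m.group(1)), int(m.group(2))
        elif (m := _KEY_RE.match(line)):
            s["key_bits"] = int(m.group(1))
        elif (m := _PROTOCOL_RE.match(line)):
            s["protocol"] = m.group(1)
        elif (m := _CIPHER_RE.match(line)):
            s["cipher"] = m.group(1)
        elif (m := _VERIFY_CODE_RE.match(line)):
            s["verify_code"] = int(m.group(1))
    # Chain 'verify return:1' lines alone prove nothing: the failing run has all three too.
    s["handshake_ok"] = s["error"] is None and s["protocol"] is not None
    return s


def differing_fields(failing, working):
    """Return {field: (failing_value, working_value)} for every field that differs."""
    return {k: (failing[k], working[k]) for k in failing if failing[k] != working[k]}


# Sample transcripts, reconstructed from the post (certificate body omitted).
_CHAIN = """\
CONNECTED(00000003)
depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Classic - G01
verify return:1
depth=1 /C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=TU Clausthal CA
verify return:1
depth=0 /C=DE/O=Technische Universitaet Clausthal/OU=Rechenzentrum/CN=loony.rz.tu-clausthal.de
verify return:1
"""
FAILING_RUN = _CHAIN + ("65580:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:"
                        "/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:226:\n")
WORKING_RUN = _CHAIN + """\
- ---
SSL handshake has read 6154 bytes and written 464 bytes
- ---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    fail, ok = parse_s_client(FAILING_RUN), parse_s_client(WORKING_RUN)
    for field, (a, b) in sorted(differing_fields(fail, ok).items()):
        print(f"{field:18} failing={a!r}  working={b!r}")
```

Run on the two reconstructed transcripts, the diff is empty for "connected" and "chain" (all three depths pass verification in both runs) and non-empty only for the error and session fields, which is what makes the failure a handshake problem rather than a trust-chain problem. To compare real runs, capture each `openssl s_client ... 2>&1` to a file and pass its contents to `parse_s_client`.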