Has OID at your site been configured for ldaps? The SSL connection on 443,
if I'm not mistaken, is called StartTLS, which is different from ldaps.

The URL below seems to suggest that ldaps in OID does not come configured
out of the box.

http://www.politi.no/help/adoidset.htm

Saju
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Gaab
Sent: Monday, June 09, 2008 10:40 AM
To: openssl-users@openssl.org
Subject: RE: ldaps client and oracle internet directory

Hi,

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, June 09, 2008 3:36 AM
> To: openssl-users@openssl.org
> Subject: RE: ldaps client and oracle internet directory
> 
> Hello,
> 
> [EMAIL PROTECTED] wrote on 06/06/2008 06:25:38 PM:
> 
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > > <snipped>
> > > > With the following error, what are the things that I need to check?
> > > Thanks Mike
> > > >
> > > > openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636
> > > > CONNECTED(00000003)
> > > > 24664:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
> > > Try to add "-debug -msg -state" flags to this command to get more verbose output.
> >
> > Mark,
> > That does help. Thanks. It should have been obvious from the error
> > message above, but I have been thrashing so much on this that I am not
> > thinking clearly. I did speak with the OID admin and he tells me that we
> > are using the default config set, which is encryption only - no server
> > auth. I am not sure if this is the source of the ssl handshake failure.
> > I'm checking with the OID admin now. Thanks again for your suggestion. I
> > hope this isn't too much off topic for this group.
> > Mike
> >
> > +++++++++SUCCESSFUL SSL CONNECTION ON PORT 443+++++++++
> > # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:443 -state
> > CONNECTED(00000003)
> > SSL_connect:before/connect initialization
> > SSL_connect:SSLv2/v3 write client hello A
> > SSL_connect:SSLv3 read server hello A
> > <response snipped>
> > SSL_connect:SSLv3 read server certificate A
> > SSL_connect:SSLv3 read server done A
> > SSL_connect:SSLv3 write client key exchange A
> > SSL_connect:SSLv3 write change cipher spec A
> > SSL_connect:SSLv3 write finished A
> > SSL_connect:SSLv3 flush data
> > SSL_connect:SSLv3 read finished A
> > ---
> >
> > +++++++++SSL HANDSHAKE FAILURE ON PORT 636+++++++++
> > # openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state
> > CONNECTED(00000003)
> > SSL_connect:before/connect initialization
> > SSL_connect:SSLv2/v3 write client hello A
> > SSL3 alert read:fatal:handshake failure
> > SSL_connect:error in SSLv2/v3 read server hello A
> > 1460:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> > handshake failure:s23_clnt.c:562:
> Because you get the handshake alert right after sending the client_hello, the server
> does not accept some data in this packet.
> With SSLv2/v3 the client in reality sends an SSL2 client_hello, and this may
> not be acceptable to the server. You may add the "-ssl3" or "-tls1" flag
> to use exactly one of these protocols (without the SSL2 client_hello).
> 

Ok, I am getting a different error now (see below). I'll do some more
checking.
Thanks, Mike

+++++WITH -ssl3 switch+++++++++++++
# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxx:636 -state -ssl3
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
29817:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
29817:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:


+++++WITH -tls1 switch+++++++++++++
[EMAIL PROTECTED] ~]# openssl s_client -CAfile /etc/openldap/cacerts/ca-cert.crt -connect xxxx:636 -state -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
29825:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
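The transcripts in this thread differ in a way that is easy to miss when reading them by eye: on 636 with the default and `-ssl3` client hello the server itself sends a fatal handshake_failure alert (the client reads it), while with `-tls1` the client is the one writing the alert because the bytes that came back were not a TLS record of the version it expected. The following is an added example, not code from the thread or from OpenSSL, that parses the state, alert and error lines `openssl s_client -state` prints and reports at which step the handshake stopped. The three embedded transcripts are the ones quoted in this message (hosts and process ids as the posters left them); the verdict names are this example's own.

```python
"""Classify where an `openssl s_client -state` run stopped (added example)."""
import re

STATE_RE = re.compile(r"^SSL_connect:(.*)$")
ALERT_RE = re.compile(r"^SSL3 alert (read|write):(\w+):(.+)$")
# OpenSSL error lines: pid:error:code:lib:function:reason:file:line:extra
ERROR_RE = re.compile(
    r"^\d+:error:([0-9A-Fa-f]{8}):SSL routines:(\w+):([^:]*):[^:]*:\d+:(.*)$"
)
ALERT_NUMBER_RE = re.compile(r"SSL alert number (\d+)")


def parse_transcript(text):
    """Split a transcript into the state, alert and error records s_client printed."""
    states, alerts, errors = [], [], []
    connected = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CONNECTED("):
            connected = True  # TCP connect succeeded; anything after is TLS
            continue
        m = STATE_RE.match(line)
        if m:
            states.append(m.group(1))
            continue
        m = ALERT_RE.match(line)
        if m:
            alerts.append({"direction": m.group(1), "level": m.group(2),
                           "description": m.group(3)})
            continue
        m = ERROR_RE.match(line)
        if m:
            num = ALERT_NUMBER_RE.search(m.group(4))
            errors.append({"code": m.group(1).upper(), "function": m.group(2),
                           "reason": m.group(3),
                           "alert_number": int(num.group(1)) if num else None})
    return {"connected": connected, "states": states, "alerts": alerts,
            "errors": errors}


def classify(text):
    """Return a verdict on the handshake plus the evidence it was based on."""
    p = parse_transcript(text)
    states, alerts, errors = p["states"], p["alerts"], p["errors"]
    result = {
        "connected": p["connected"],
        "last_state": states[-1] if states else None,
        "server_certificate_seen": any("read server certificate" in s for s in states),
        "alert_number": next((e["alert_number"] for e in errors
                              if e["alert_number"] is not None), None),
        "error_codes": [e["code"] for e in errors],
    }
    if any(s.endswith("read finished A") for s in states):
        result["verdict"] = "handshake_complete"
    elif any(e["function"] == "SSL3_GET_RECORD" and e["reason"] == "wrong version number"
             for e in errors):
        # The reply could not be parsed as a TLS record of the expected
        # version; the client then writes the fatal alert itself.
        result["verdict"] = "server_reply_not_tls_record"
    elif any(a["direction"] == "read" and a["level"] == "fatal"
             and a["description"] == "handshake failure" for a in alerts):
        # The server answered the ClientHello with handshake_failure (alert 40):
        # it is speaking TLS but rejected what the client offered.
        result["verdict"] = "server_rejected_client_hello"
    elif not p["connected"]:
        result["verdict"] = "tcp_connect_failed"
    else:
        result["verdict"] = "undetermined"
    return result


# Transcripts quoted in the thread, used here as sample input.
SAMPLE_PORT_443 = """
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
"""
SAMPLE_636_SSL3 = """
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
29817:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
29817:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:
"""
SAMPLE_636_TLS1 = """
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert write:fatal:handshake failure
SSL_connect:error in SSLv3 read server hello A
29825:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:
"""

if __name__ == "__main__":
    for name, sample in [("443", SAMPLE_PORT_443), ("636 -ssl3", SAMPLE_636_SSL3),
                         ("636 -tls1", SAMPLE_636_TLS1)]:
        print(name, classify(sample)["verdict"])
```

In use, feed it the combined output of the probe, e.g. `openssl s_client -connect host:636 -state </dev/null 2>&1`. A `server_rejected_client_hello` verdict means a TLS listener is there but refused the offered version or cipher suites, so the server-side protocol and cipher configuration is the place to look; `server_reply_not_tls_record` means whatever answered on that port did not send a TLS record the client understood, which is worth checking before assuming the port is the LDAPS listener at all.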
