openldap-software May 2010 archive
Main Archive Page > Month Archives  > openldap-software archives
openldap-software: LDAPS connection failing with a "TLS acc

LDAPS connection failing with a "TLS accept failure error -1"

From: Marcelo de Moraes Serpa <celoserpa_at_nospam>
Date: Wed May 19 2010 - 03:53:05 GMT
To: openldap-software@openldap.org

Hello all,

I hope someone could help me -- I'm trying for almost one whole day already
and couldn't get LDAP over SSL to work, without success.

The objective is to setup a development box for testing purposes, so, the
simpler the better, however, it must be as simple as needed only.

I've followed this tutorial:
http://islandlinux.org/howto/installing-secure-ldap-openldap-ssl-ubuntu-using-self-signed-certificate.
I'm on Mac OSX Snow Leopard, though.

slapd version: @(#) $OpenLDAP: slapd 2.4.11 (Feb 11 2010 02:23:14)
//Installed from MacPorts

I have generated a self-signed certificate using this command:

sudo openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
server.pem -days 3650

I've set the Common Name to "localhost".

The configuration files look like this (non-relevanted parts snipped):

slapd.conf:

TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateFile /Users/myuser/Sandbox/server.pem
TLSCertificateKeyFile /Users/myuser/Sandbox/server.pem

TLSVerifyUser never

ldap.conf

BASE dc=mycompany,dc=com
URI ldaps://localhost/
TLS_REQCERT never

I'm starting slapd with the following command:

sudo /usr/libexec/slapd -f /opt/local/etc/openldap/slapd.conf -d1 -h
"ldaps:///"

And testing the connection with the following:

ldapsearch -H ldaps://localhost -d255

When running ldapsearch, I get the following as output:

ldap_create
> ldap_url_parse_ext(ldaps://localhost)
> ldap_pvt_sasl_getmech
> ldap_search
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ldap_build_search_req ATTRS:
> supportedSASLMechanisms
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP localhost:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying ::1 636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> tls_write: want=124, written=124
> 0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00 .z....Q...
> ..9..
> 0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0
> 8..5............
> 0020: 00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03
> ..3..2../.......
> 0030: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
> ................
> 0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
> ......@.........
> 0050: 00 00 06 04 00 80 00 00 03 02 00 80 0c e4 9d 98
> ................
> 0060: c1 ad 36 d0 88 fb 6b 92 32 a0 ce 22 63 82 99 3b
> ..6...k.2.."c..;
> 0070: 3b 3d 03 03 38 05 d0 a1 30 2d 9f d2
> ;=..8...0-..
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> tls_read: want=7, got=0
>
> TLS: can't connect.
> ldap_perror
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>

As you can see, it fails with the "TLS: can't connect" error message. Not
that obvious. I then switch to the terminal that has slapd running on the
fg, and I see the following:

(snip)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
*connection_read(13): TLS accept failure error=-1 id=0, closing*
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13

What I don't understand is why it is failing if I've set both sides to
ignore certificates. What am I doing wrong?

Marcelo.