OpenSSL/openLDAP tls error

openldapopenssl

I have two openLDAP servers, each was setup side by side using a script that did all the heavy lifting, the two servers replicate their configs/users to each other, and for a long time I thought everything was working. Just discovered that one of the servers does not actually negotiate TLS, so nothing can authenticate against it.

Both systems are RHEL 6.7, both have been updated the exact same time in the exact same way since their creation. Each server should be 100% identical….

Using self signed certificates

If I(on the broken one): ldapsearch -ZZd 1 -D "cn=Manager,dc=example,dc=org" -w secret-b ""

TLS: loaded CA certificate file /etc/openldap/certs/ca-bundle.crt.
TLS: error: tlsm_PR_Recv returned 0 - error 22:Invalid argument
TLS: error: connect - force handshake failure: errno 22 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -5938:Encountered end of file

This makes me worry, because I don't believe I should be using Moznss, as I had trouble with the databases in my initial tests, so I'm hard linking to the ca-bundle.crt, as well as server.key and server.crt, Which again, works fine in my other server.

on the other hand, if i:openssl s_client -connect server1:636 -cert server.crt -key server.key

CONNECTED(00000003)
140398252824392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Which again, on my other server, produces good results, verifying the key.

Both errors, at least based on some searches, hint that it is related to the moznss database, but I cant figure out a) Why one is an issue and the other isn't, and b) How to either resolve the issue, or bypass the issue.

If anyone has any further troubleshooting idea's, or potential solutions, i'd be greatly appreciative.

Best Answer

Verify that the olcTLS*File directives in cn=config point to real files.

olcTLSCACertificateFile: /etc/ssl/certs/ca-bundle.crt
olcTLSCertificateFile: /etc/pki/tls/certs/server.example.com.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/server.example.com.key

Check your logs. By default CentOS doesn't log for slapd. slapd defaults to facilty LOCAL4 at severity DEBUG. You can either edit /etc/sysconfig/slapd or your modify syslog configuration.
```
# cat /etc/rsyslog.d/slapd.conf 
local4.*    /var/log/slapd.log
```
Don't forget to modify cn=config's olcLogLevel.
olcLogLevel: Config is probably the most relevant. man slapd-config has more details.

Best Answer

Related Solutions

Openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

Understanding the output of openssl s_client

Because of CA Cross-signing!

Related Topic