SSL – Can’t get SSL certificate from LDAPS server

Tags: active-directory, ldap, openssl, ssl, ssl-certificate

I'm trying to retrieve the public SSL certificate from my organization's LDAPS server. I'm following the instructions here, which recommend I run the following openssl command:

openssl s_client -showcerts -connect mydomain.local:636

This command establishes a connection, but seems to indicate there is no certificate found:

CONNECTED(000001C0)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1535471188
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
write:errno=10054

Does this mean that my organization is using LDAP instead of LDAPS on port 636? Is there another way to get the SSL certificate being used by my organization for LDAPS?

Best Answer

It likely means your organization either hasn't installed a certificate on the domain controller you connected to or the cert it has is invalid/expired. Unless they remediate that, LDAP won't be listening on 636 (or 3269). It will only be listening on 389 (and 3268) for non encrypted LDAP.
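As an added example (not part of the question or the answer above), the following POSIX shell script wraps the same openssl s_client call and tells the three outcomes apart: the server presented a certificate (written to stdout as PEM, with subject, issuer, expiry date and SHA-256 fingerprint on stderr, so an expired certificate is visible immediately), the TCP connection was accepted but no TLS handshake completed (the "no peer certificate available" output from the question, meaning the listener is not speaking TLS or has no certificate bound), or no TCP connection at all. The function name and the host dc01.mydomain.local are assumptions for illustration; the script uses only the standard openssl, grep and printf commands.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Fetch the leaf certificate an LDAPS endpoint presents, or explain why none came back.
#
# Usage: fetch_ldaps_cert HOST [PORT]   (PORT defaults to 636)
# Exit status: 0 = certificate written to stdout as PEM
#              2 = TCP connection failed (nothing listening, refused, timed out)
#              3 = TCP connected but no TLS handshake completed, i.e. the
#                  "no peer certificate available" case from the question
fetch_ldaps_cert() {
    host=$1
    port=${2:-636}

    # </dev/null closes s_client's stdin so it exits right after the handshake
    # instead of waiting for interactive input; 2>&1 keeps the errno line.
    out=$(openssl s_client -showcerts -connect "$host:$port" </dev/null 2>&1) || true

    if printf '%s\n' "$out" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        # openssl x509 reads the first PEM block it finds; with -showcerts the
        # first block is the server (leaf) certificate, the rest is the chain.
        printf '%s\n' "$out" | openssl x509 -outform PEM
        # Human-readable summary on stderr so stdout stays clean PEM.
        printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate \
            -fingerprint -sha256 >&2 || true
        return 0
    fi

    if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo "$host:$port accepted the TCP connection but sent no certificate:" >&2
        echo "the listener is not speaking TLS (plain LDAP?) or has no certificate bound" >&2
        return 3
    fi

    echo "could not connect to $host:$port:" >&2
    printf '%s\n' "$out" | grep -i -e errno -e refused -e 'timed out' -e unknown >&2 || true
    return 2
}

# Stand-alone use (hypothetical host):
#   ./fetch_ldaps_cert.sh dc01.mydomain.local 636 > dc01.pem
if [ $# -ge 1 ]; then
    fetch_ldaps_cert "$1" "$2"
fi
```

If the script exits with status 3 against port 636, the symptom matches the question exactly: something accepted the TCP connection but never sent a ServerHello with a certificate, so there is nothing for openssl to show. A status of 0 with an expiry date in the past points at the expired-certificate case the answer mentions.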