[COLUG] More LDAP silliness, Part Deux

Joshua Kramer josh at globalherald.net
Wed Aug 30 14:46:39 EDT 2006


Greetings all,

I've been working for the past week or so to get OpenLDAP working with
TLS, to no avail.  I generated (via my own CA) a certificate and key, and
followed the HOWTO directions I could find; when trying to connect, I
get this:

[root at threephase openldap-2.3.25]# bin/ldapsearch -h localhost -ZZ u:jb
ldap_start_tls: Connect error (-11)
         additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

And, in the slapd logs, I see this:

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c:882
connection_read(14): TLS accept failure error=-1 id=1, closing
connection_closing: readying conn=1 sd=14 for close
connection_close: conn=1 sd=14

I've seen in other mailing lists where people needed to adjust the 
ciphers, and here are mine:

TLSCipherSuite DES-CBC3-SHA:HIGH:MEDIUM:+SSLv2

Is it going to be easier to install a bare-bones copy of CentOS 4.4 in a 
XenU domain, and use the OpenLDAP et al included with CentOS, instead of 
trying to shoehorn a custom-compiled OpenLDAP into a full OS?

Cheers,
Josh
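A server-side "no shared cipher" alert at the ClientHello stage means slapd had no cipher it could actually offer once it had loaded its own material. Two local causes worth ruling out before touching `TLSCipherSuite` further are a `TLSCertificateFile` / `TLSCertificateKeyFile` pair that do not belong together (without a usable RSA cert there is no RSA cipher to offer) and a cipher string that OpenSSL expands to nothing. The following script is an added example, not part of the post; it assumes only that the `openssl` command-line tool is on `PATH`, builds its own throwaway certificate and keys, and checks both conditions offline.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes the openssl CLI.
# OpenLDAP logs "SSL3_GET_CLIENT_HELLO:no shared cipher" when, after reading the
# ClientHello, the server has no cipher it can use. Two things to verify locally:
#   1. the certificate and private key named in slapd.conf belong together;
#   2. the TLSCipherSuite string selects at least one cipher in this OpenSSL build.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Returns 0 when the public key embedded in the certificate is identical to the
# public key derived from the private key, nonzero otherwise (or if either file
# cannot be parsed). A mismatch here leaves slapd with no usable RSA credential.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub="$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -pubout -in "$key" 2>/dev/null)" || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when OpenSSL expands the cipher string to at least one cipher.
# Run the exact string from slapd.conf through this; an empty expansion means
# the server cannot agree on anything no matter what the client proposes.
cipher_string_ok() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Constructed test material: a self-signed cert/key pair plus one unrelated key.
# The hostname is a placeholder, not a real server.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/good.key" -out "$WORK/good.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# Stand-alone run: show a matching pair, a mismatched pair, and a cipher check.
if make_test_material; then
    cert_matches_key "$WORK/good.crt" "$WORK/good.key" \
        && echo "good.crt + good.key: match"
    cert_matches_key "$WORK/good.crt" "$WORK/other.key" \
        || echo "good.crt + other.key: MISMATCH (slapd would have no usable cert)"
fi
cipher_string_ok 'HIGH:MEDIUM' \
    && echo "cipher string 'HIGH:MEDIUM' selects at least one cipher"
cipher_string_ok 'NO-SUCH-CIPHER-XYZ' \
    || echo "cipher string 'NO-SUCH-CIPHER-XYZ' selects nothing"
```

To apply this to a real configuration, call `cert_matches_key` with the two paths from `slapd.conf` and `cipher_string_ok` with the literal `TLSCipherSuite` value; `openssl ciphers -v '<string>'` then lists exactly which suites survive, which is the quickest way to see whether an old name such as `DES-CBC3-SHA` still exists in the installed OpenSSL. Once the local checks pass, recent OpenSSL releases let you exercise the STARTTLS handshake itself with `openssl s_client -connect localhost:389 -starttls ldap`, which reports the negotiated cipher from the client's side.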

