From: Michael H. <mi...@de...> - 2010-06-01 08:50:10
Hi folks!

I have the following problem. I am using openldap-2.4.11 with TLS enabled. I have a CaCert certificate and enabled it in the slapd.conf with

TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
TLSCertificateFile /etc/ssl/${FQDN}.crt
TLSCACertificatePath /etc/ssl/
TLSCertificateKeyFile /etc/ssl/private/${FQDN}.key
TLSVerifyClient never

and I am serving "ldaps://${FQDN}:636/". Now I am able to connect and retrieve the SSL cert (where class3.crt is the root cert from CaCert):

openssl s_client -connect ${FQDN} -showcerts -state -CAfile class3.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=su...@ca...
[...]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 3AC41F487E5862C0010613C09A44ABE42C7F7BFE344CF35A4DA474B333490580
    Session-ID-ctx:
    Master-Key: 12A49AE0D9004A8B4FD6D4F247D6B7F6F8EFFBF71F592A99280738ECDA4816E0ACA220A03650DDB9C671BB353D578780
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1275381418
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Looks very good to me. Next step is to use ldapsearch to connect to my ldap server over ldaps://

ldapsearch -H ldaps://${FQDN}:636 -x -b "dc=${domain},dc=${end}" -D "uid=${user},ou=people,dc=${domain},dc=${end}" -W

and retrieve the response I am awaiting.

Now the problem in JXplorer. I am adding the CaCert root cert and even the server crt itself to the cacerts keystore with your nice key management GUI.
If I am now trying to connect to the server with the following data:

Host: ${FQDN}
Port: 636
Protocol: LDAPv3
Base DN: dc=${domain},dc=${end}
Level: SSL + User + Password
User DN: uid=${user},ou=people,dc=derhammer,dc=net
Password: <SECRET_ONE>

I get the following error in the pop-up:

Error opening connection: simple bind failed: ${FQDN}:636

and this exception:

javax.naming.CommunicationException: simple bind failed: ${FQDN}:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]

OK - the SSL handshake does not work - but why? My guess is that there is some difference between ldaps:// (I open the connection over SSL) and ldap:// with StartTLS (I open an unencrypted connection and request TLS). I am not an expert in all this SSL/TLS stuff, but I am running out of ideas what I can change in my setup. I also think that most people would configure their openldap server this way and therefore must have the same problems - assuming that I am not making a conceptual mistake.

I'd really appreciate your help because I'd "love" to use JXplorer to browse and edit my ldap directory. (BTW: without SSL everything works pretty well - but I can't do a simple bind without SSL for security reasons!)

Greets,
Michael

--
----------------------------------------------------------------------
Michael Hammer
GPG-Key-ID: 0x1BA5F0DE
phone: +43 (0) 650 86 33 55 8
Graz - AUSTRIA
http://www.michael-hammer.at/
----------------------------------------------------------------------
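As an added diagnostic (not part of this thread, and not JXplorer's own code): a small Java program that performs the same JNDI simple bind over ldaps:// that JXplorer's "SSL + User + Password" level does, after first reporting whether the JVM offers the single suite slapd was restricted to. slapd's TLS_RSA_AES_256_CBC_SHA1 is the suite OpenSSL reports above as AES256-SHA, which JSSE names TLS_RSA_WITH_AES_256_CBC_SHA; the URL, bind DN and the LDAP_PASSWORD environment variable are placeholders.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLContext;

public class LdapsBindCheck {
    // Placeholders (hypothetical): substitute the real server and bind DN.
    static final String URL = "ldaps://ldap.example.org:636";
    static final String BIND_DN = "uid=user,ou=people,dc=example,dc=org";
    // JSSE name of the one suite slapd was limited to (OpenSSL name: AES256-SHA).
    static final String SERVER_SUITE = "TLS_RSA_WITH_AES_256_CBC_SHA";

    // True when the JVM's default TLS parameters include SERVER_SUITE in the
    // ClientHello. If not, client and server share no suite, and the server
    // ends the handshake, which the client sees as a closed connection.
    static boolean jvmOffersServerSuite() throws Exception {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        System.out.println("JVM-enabled suites: " + Arrays.toString(enabled));
        return Arrays.asList(enabled).contains(SERVER_SUITE);
    }

    // The same simple bind over ldaps:// that JXplorer issues; the TLS
    // handshake and the bind both happen inside the InitialDirContext constructor.
    static void simpleBind(String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);
        System.out.println("Bind OK as " + ctx.getNameInNamespace());
        ctx.close();
    }

    public static void main(String[] args) throws Exception {
        if (!jvmOffersServerSuite()) {
            System.out.println(SERVER_SUITE + " is not enabled in this JVM, so the "
                + "server-side TLSCipherSuite restriction cannot be satisfied.");
        }
        try {
            simpleBind(System.getenv("LDAP_PASSWORD"));
        } catch (NamingException e) {
            // JNDI wraps the SSL failure; the root cause names the handshake stage.
            System.out.println("Bind failed: " + e);
            if (e.getRootCause() != null) System.out.println("Root cause: " + e.getRootCause());
        }
    }
}
```

Run it with -Djavax.net.ssl.trustStore pointing at the cacerts file that holds the CaCert root and with -Djavax.net.debug=ssl:handshake, which prints the suites in the ClientHello and the exact point at which the server closes the connection.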