
List:       openldap-technical
Subject:    Re: Help troubleshooting SSL certificates issue
From:       Howard Chu <hyc () symas ! com>
Date:       2023-09-25 17:03:40
Message-ID: 9e99508a-ed17-57df-ea41-5b7abdbf67a0 () symas ! com

Jérôme BECOT wrote:
> Hello,
> 
> We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we try to replace the certificates. On these servers we have a bundled configuration:

Presumably since that's a Debian build it was built using GnuTLS. I suggest you try using gnutls-cli with your PEM file and see what works or doesn't work.
> 
> # config
> dn: cn=config
> olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
> olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
> olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem
> 
> The file is a bundle containing both the certificates (wildcard and its issuer) and the key. Until this year we just had to upload the new bundle and restart slapd. This year Gandi changed their signing certificate but it is still issued by UserTrust. But OpenLDAP refuses to use it now.
> We tried to set LogLevel to any, but nothing really showed in the log. On the server side:
> slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing
> 
> On the client side (localhost):
> 
> openssl s_client -connect localhost:636 -servername ldap.deverywa.re
> CONNECTED(00000003)
> 140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 315 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol   : TLSv1.2
> Cipher       : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg     : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1695652388
> Timeout     : 300 (sec)
> Verify return code: 0 (ok)
> 
> We still use 2048 RSA key to generate the certificates. We have checked permissions and it is fine. How could I debug what's wrong on the server side?
> Thank you
> 
> -- 
> *Jérôme BECOT*
> DevOps Infrastructure Engineer
> 
> Landline: 01 82 28 37 06
> Mobile: +33 757 173 193
> Deveryware - 43 rue Taitbout - 75009 PARIS
> https://www.deveryware.com
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
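Before reaching for gnutls-cli, it is worth checking that the bundle itself is laid out the way a TLS library expects: the server certificate first, each certificate followed by the one that issued it, and a private key block present. The script below is an added example written for this thread; it is not code from the original post, from OpenLDAP, or from Debian. It splits a combined PEM file into its blocks, does a minimal DER walk of each certificate to pull out the raw issuer and subject names, and reports when a certificate is not followed by its issuer or when no key block is present. The two sample bundles at the bottom are constructed for the example: the certificates are structurally valid X.509 but unsigned and carry no real public key, so this only checks layout, not signatures, expiry or key/certificate matching. Point `inspect_bundle()` at the contents of a real bundle (for instance the file named in `olcTLSCertificateFile`) to get the same report.

```python
import base64
import re

# One PEM block: label plus base64 body (newlines inside the body are ignored by b64decode).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] in file order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(text)]


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its [(tag, value), ...] elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        out.append((tag, v))
    return out


def cert_names(der):
    """Return (issuer, subject) as raw DER Name encodings from an X.509 certificate."""
    _, cert, _ = der_tlv(der, 0)                        # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def inspect_bundle(text):
    """Report block-layout problems in a combined CA + server cert + key PEM file."""
    blocks = pem_blocks(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block found")
    if not keys:
        problems.append("no PRIVATE KEY block found")
    names = [cert_names(c) for c in certs]
    for i in range(len(names) - 1):                     # each cert should be followed by its issuer
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: "
                            "chain out of order or intermediate missing")
    return {"certificates": len(certs), "key_labels": keys, "problems": problems}


# --- constructed sample data: structurally valid but unsigned, cryptographically meaningless ---

def der_encode(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def fake_name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String cn } } }"""
    atv = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Build an unsigned certificate skeleton with the given subject and issuer CNs."""
    sha256_rsa = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
                            + der_encode(0x05, b""))
    validity = der_encode(0x30, der_encode(0x17, b"230101000000Z") + der_encode(0x17, b"240101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + sha256_rsa + fake_name(issuer_cn) + validity + fake_name(subject_cn)
                     + der_encode(0x30, b""))           # empty SubjectPublicKeyInfo placeholder
    return der_encode(0x30, tbs + sha256_rsa + der_encode(0x03, b"\x00"))


def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


LEAF = to_pem("CERTIFICATE", fake_cert("*.example.test", "Example Intermediate CA"))
INTERMEDIATE = to_pem("CERTIFICATE", fake_cert("Example Intermediate CA", "Example Root CA"))
KEY = to_pem("RSA PRIVATE KEY", der_encode(0x30, der_encode(0x02, b"\x00")))   # dummy key payload

BUNDLE_OK = LEAF + INTERMEDIATE + KEY          # server cert first, then its issuer, then the key
BUNDLE_REVERSED = INTERMEDIATE + LEAF + KEY    # issuer placed before the server cert

if __name__ == "__main__":
    for name, bundle in (("ok", BUNDLE_OK), ("reversed", BUNDLE_REVERSED)):
        print(name, inspect_bundle(bundle))
```

A clean report from this check only rules out the layout class of problems; if the layout is fine and slapd still logs `TLS accept failure`, the next step is Howard's suggestion of feeding the same file to gnutls-cli (or `openssl verify` with the intermediate split out) so the library that slapd was actually linked against can say what it objects to.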

