Hello Seth,
openssl s_client -connect... gets an error before a ciphersuite is indicated:
#openssl s_client -connect ldapserver:389 -tls1_2
CONNECTED(00000003)
140032666195616:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1453829896
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Meanwhile on the slapd -d -1 debugging side the error is "Result too large" for function ber_get_next():
56a7af08 daemon: waked
56a7af08 daemon: select: listen=6 active_threads=0 tvp=NULL
56a7af08 daemon: select: listen=7 active_threads=0 tvp=NULL
56a7af08 daemon: activity on 1 descriptor
56a7af08 daemon: activity on:56a7af08 11r56a7af08
56a7af08 daemon: read activity on 11
56a7af08 daemon: select: listen=6 active_threads=0 tvp=NULL
56a7af08 connection_get(11)
56a7af08 daemon: select: listen=7 active_threads=0 tvp=NULL
56a7af08 connection_get(11): got connid=1000
56a7af08 connection_read(11): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
0000: 16 03 01 01 22 01 00 01 ...."...
56a7af08 ber_get_next on fd 11 failed errno=34 (Result too large)
56a7af08 connection_read(11): input error=-2 id=1000, closing.
56a7af08 connection_closing: readying conn=1000 sd=11 for close
56a7af08 daemon: activity on 1 descriptor
56a7af08 connection_close: conn=1000 sd=11
56a7af08 daemon: waked
56a7af08 daemon: select: listen=6 active_threads=0 tvp=NULL
56a7af08 daemon: select: listen=7 active_threads=0 tvp=NULL
56a7af08 daemon: removing 11
56a7af08 conn=1000 fd=11 closed (connection lost)
I tried several values for TLSCipherSuite in slapd.conf, but to no success yet. I will try some more.
Thanks for your help.
François
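Added example, not part of the original message: a small decoder for the hex dump line that slapd logged just before ber_get_next failed, showing whether the first bytes on the LDAP listener are a TLS record header or the start of a BER-encoded LDAPMessage. The function names and the LDAP bind sample are assumptions made for this example.

```python
import re

# The hex dump line as it appears in the slapd -d -1 output above.
SLAPD_DUMP_LINE = '0000: 16 03 01 01 22 01 00 01 ...."...'
# Constructed sample: an anonymous LDAPv3 simple bind request.
LDAP_BIND_SAMPLE = bytes.fromhex("300c020101600702010304008000")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def parse_dump_line(line):
    """Return the raw bytes from one 'offset: xx xx ... ascii' dump line."""
    out = []
    for tok in line.partition(":")[2].split():
        if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            break  # reached the ASCII column
        out.append(int(tok, 16))
    return bytes(out)


def classify(data):
    """Classify the first bytes a client wrote to an LDAP listener."""
    # TLS record header: content type, version major 3, minor, 2-byte length.
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        info = {
            "kind": "tls_record",
            "content_type": TLS_CONTENT_TYPES[data[0]],
            "record_version": (data[1], data[2]),
            "record_length": int.from_bytes(data[3:5], "big"),
        }
        if data[0] == 22 and len(data) > 5:
            # First byte of the handshake message is its type.
            info["handshake_type"] = TLS_HANDSHAKE_TYPES.get(data[5], hex(data[5]))
        return info
    # An LDAPMessage is a BER SEQUENCE, so it starts with tag 0x30.
    if data[:1] == b"\x30":
        return {"kind": "ldap_message"}
    return {"kind": "unknown"}


if __name__ == "__main__":
    print(classify(parse_dump_line(SLAPD_DUMP_LINE)))
    print(classify(LDAP_BIND_SAMPLE))
```

A tls_record result on a plain LDAP port means the client opened with a TLS handshake rather than an LDAP request, which the BER parser on the server side cannot read as an LDAPMessage.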