Thank you Richard for the reply.
I tried "openssl s_client -connect localhost:636 -showcerts -state -ssl3 -CAfile /path/to/ca.pem" but it failed. I got this:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server hello A
2439:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
2439:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
My LDAP server's debug mode displays:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS trace: SSL_accept:error in SSLv3 read client hello C
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
connection_read(8): TLS accept error error=-1 id=10, closing
connection_closing: readying conn=10 sd=8 for close
connection_close: conn=10 sd=8
daemon: removing 8
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
Would you have any other suggestion, please?
--- Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> wrote:
> In message <[EMAIL PROTECTED]> on Wed, 23 Mar 2005 15:34:29 +0100 (CET), fatima riadi <[EMAIL PROTECTED]> said:
>
> ftmriadi> Once checking the SSL connection (by running the
> ftmriadi> command: 'openssl s_client -connect localhost:636
> ftmriadi> -showcerts -state -CAfile /path/to/ca.pem'), I get the
> ftmriadi> following output:
> ftmriadi>
> ftmriadi> CONNECTED(00000003)
> ftmriadi> SSL_connect:before/connect initialization
> ftmriadi> SSL_connect:SSLv2/v3 write client hello A
> ftmriadi> SSL3 alert read:fatal:handshake failure
> ftmriadi> SSL_connect:error in SSLv2/v3 read server hello A
> ftmriadi> 2338:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
>
> Your client runs with the "umbrella" mode 'SSLv2/v3', which enables
> negotiation of actual SSL/TLS version. Unfortunately:
>
> ftmriadi> My server's debug output shows:
> ftmriadi>
> ftmriadi> TLS trace: SSL3 alert write:fatal:handshake failure
> ftmriadi> TLS trace: SSL_accept:error in SSLv3 read client hello B
> ftmriadi> TLS trace: SSL_accept:error in SSLv3 read client hello B
> ftmriadi> TLS: can't accept.
> ftmriadi> TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
> ftmriadi> connection_read(8): TLS accept error error=-1 id=0, closing
> ftmriadi> connection_closing: readying conn=0 sd=8 for close
> ftmriadi> connection_close: conn=0 sd=8
> ftmriadi> daemon: removing 8
> ftmriadi> daemon: select: listen=6 active_threads=0 tvp=NULL
> ftmriadi> daemon: select: listen=7 active_threads=0 tvp=NULL
> ftmriadi> daemon: activity on 1 descriptors
> ftmriadi> daemon: select: listen=6 active_threads=0 tvp=NULL
> ftmriadi> daemon: select: listen=7 active_threads=0 tvp=NULL
>
> It seems like your server runs in forced SSLv3 mode. That mode will
> not work well with someone who attempts an 'SSLv2/v3' type of
> negotiation, so either you must tell 'openssl s_client' to use the
> forced SSLv3 mode (you simply add the flag '-ssl3'), or you need to
> tell your server to run the "umbrella" mode. If you do the latter,
> there would also be a way to tell it what SSL/TLS versions are
> acceptable.
>
> Start with testing if the following works:
>
> openssl s_client -connect localhost:636 -showcerts -state -ssl3 \
> -CAfile /path/to/ca.pem
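The packed "error:XXXXXXXX" codes in both logs above carry the real cause in their low 12 bits, and the server's code ("no shared cipher") is more telling than the client's generic alert 40. The following Python is an added example, not code from this thread or from OpenSSL; it decodes the codes the way OpenSSL's ERR_PACK lays them out (8-bit library, 12-bit function, 12-bit reason) and bases the diagnosis on the server's reason. The reason-id table covers only the reasons this thread shows.

```python
"""Decode OpenSSL packed error codes from s_client and slapd output."""
import re

ERR_LIB_SSL = 20  # library id of libssl inside ERR_PACK(lib, func, reason)

# Reason ids for the reasons shown in this thread (names are OpenSSL's ssl.h constants).
SSL_REASONS = {
    193: "SSL_R_NO_SHARED_CIPHER",
    229: "SSL_R_SSL_HANDSHAKE_FAILURE",
    1040: "SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE",  # SSL_AD_REASON_OFFSET (1000) + alert 40
}

# "error:<8 hex digits>:<library>:<function>:<reason text>" as ERR_print_errors writes it
ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")

# Log lines quoted from the thread above (client = s_client, server = slapd debug output)
CLIENT_LOG = """CONNECTED(00000003)
SSL3 alert read:fatal:handshake failure
2439:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
2439:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:"""
SERVER_LOG = """TLS trace: SSL3 alert write:fatal:handshake failure
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
daemon: removing 8"""


def decode_err(code):
    """Split a packed code into its 8-bit lib, 12-bit func and 12-bit reason fields."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    name = SSL_REASONS.get(reason, "unknown") if lib == ERR_LIB_SSL else "non-SSL"
    return {"lib": lib, "func": func, "reason": reason, "reason_name": name}


def parse_line(line):
    """Return the decoded record for one log line, or None if it carries no error code."""
    m = ERR_LINE.search(line)
    if not m:
        return None
    rec = decode_err(int(m.group(1), 16))
    rec["function"] = m.group(3)
    # slapd appends " <file>.c:<line>" after the reason text; strip it
    rec["reason_text"] = re.sub(r"\s+\S+\.c$", "", m.group(4)).strip()
    alert = re.search(r"SSL alert number (\d+)", line)
    rec["alert"] = int(alert.group(1)) if alert else None
    return rec


def diagnose(client_log, server_log):
    """Explain the failure from the server's own reason code, not the client's alert."""
    client = [r for r in map(parse_line, client_log.splitlines()) if r]
    server = [r for r in map(parse_line, server_log.splitlines()) if r]
    if any(r["reason"] == 193 for r in server):
        return ("server rejected the ClientHello: no cipher suite usable by both sides "
                "for the offered protocol version (compare cipher lists; a server with "
                "no loadable certificate/key also has no usable suites)")
    if any(r["alert"] == 40 for r in client):
        return "server sent alert 40 (handshake_failure) without logging a reason"
    return "no OpenSSL error code found"
```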
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]