Make sure that the client and the server can use the same suite of ciphers.

--
Konrads Smelkovs
Applied IT sorcery.
On Thu, Apr 1, 2010 at 3:34 PM, Götz Reinicke - IT-Koordinator <goetz.reini...@filmakademie.de> wrote:

> Hi,
>
> this has been driving me crazy for about two days:
>
> I have two virtual Red Hat EL 5.4 servers in a test environment. One
> should be an openldap master, the second should be an openldap slave.
>
> openssl-0.9.8e-12.el5_4.1, openldap-2.3.43-3.el5 (RH EL original rpms)
>
> I followed some instructions to set up TLS: set up a CA, generate/sign
> certificates and keys, install them on the servers and configure
> openldap, restart.
>
> My problem is: TLS works on the master (which is also my CA for the
> test), but not on the slave.
>
> I've "openssl verify"ed and "openssl x509 -text"ed the certs -
> everything seems o.k.
>
> I've checked IP addresses, name resolving, locations, paths,
> permissions, file versions - anything I can think of.
>
> I've regenerated the key and cert for the slave following another
> documentation (at least with the same steps), but I always get the same
> error:
>
> from the ldap server debug:
>
> TLS trace: SSL3 alert write:fatal:handshake failure
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS trace: SSL_accept:error in SSLv3 read client hello B
> TLS: can't accept.
> TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:975
> connection_read(13): TLS accept failure error=-1 id=0, closing
>
> from the ldap client debug:
>
> TLS trace: SSL3 alert read:fatal:handshake failure
> TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> Maybe I missed a step or still skipped something ...
>
> A thousand kowtows for any helping hint...!!
>
> Best regards,
>
> Götz
> --
> Götz Reinicke
> IT-Koordinator
>
> Tel. +49 7141 969 420
> Fax +49 7141 969 55 420
> E-Mail goetz.reini...@filmakademie.de
>
> Filmakademie Baden-Württemberg GmbH
> Akademiehof 10
> 71638 Ludwigsburg
> www.filmakademie.de
>
> Registered at Amtsgericht Stuttgart HRB 205016
> Chair of the Supervisory Board:
> Prof. Dr. Claudia Hübner
>
> Managing Director:
> Prof. Thomas Schadt
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
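A way to check the reply's point before touching the servers, as an added example that is not part of the thread: Python's ssl module hands a cipher string to OpenSSL for expansion the same way slapd and libldap do, so intersecting the two expanded lists reproduces the decision behind "no shared cipher". The directive names TLSCipherSuite (slapd.conf) and TLS_CIPHER_SUITE (ldap.conf) are taken from the OpenLDAP manual pages; the cipher strings fed in below are constructed.

```python
"""Check whether a slapd TLSCipherSuite and a client TLS_CIPHER_SUITE overlap.

Added example; not code from the thread or from OpenLDAP. Each cipher string
is expanded by OpenSSL (via the ssl module) and the two results intersected,
which is what the server does with the client hello before it emits
"no shared cipher" and a handshake_failure alert.
"""
import ssl


def expand(spec: str, server: bool) -> set:
    """Return the TLS<=1.2 cipher names OpenSSL enables for a cipher string.

    TLS 1.3 suites are filtered out: they are configured separately and did
    not exist for the OpenSSL 0.9.8 / OpenLDAP 2.3 stack in the thread.
    A cipher string that matches nothing raises SSLError in set_ciphers;
    that is returned as an empty set, i.e. nothing can be selected.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def shared_ciphers(server_spec: str, client_spec: str) -> set:
    """Suites both sides accept; an empty set means the handshake fails."""
    return expand(server_spec, server=True) & expand(client_spec, server=False)


def diagnose(server_spec: str, client_spec: str) -> str:
    """One-line verdict in the spirit of the reply above."""
    shared = shared_ciphers(server_spec, client_spec)
    if shared:
        return f"OK: {len(shared)} shared suite(s), e.g. {sorted(shared)[0]}"
    return "no shared cipher: make TLSCipherSuite and TLS_CIPHER_SUITE overlap"


if __name__ == "__main__":
    # Constructed configurations: the first pair overlaps, the second does not.
    print(diagnose("HIGH:!aNULL:!MD5", "ECDHE-RSA-AES256-GCM-SHA384"))
    print(diagnose("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"))
```

The same server-side error also appears when slapd cannot load a usable certificate and key, because every RSA suite then becomes unselectable even though the cipher strings overlap; so confirm that TLSCertificateFile and TLSCertificateKeyFile are readable by the slapd process as well.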