Re: handshake failure / SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr

2010-04-04 Thread Götz Reinicke - IT Koordinator
On 01.04.10 23:09, Victor Duchovni wrote:
 On Thu, Apr 01, 2010 at 10:48:56PM +0200, Götz Reinicke - IT Koordinator
 wrote:
 
 Hi,

 how do I check this?

 On both servers I do have installed the same client and server software
 and performing a secured connection from both systems to the master
 server works; from both systems to the slave server fails.
 
 If the slave has no certificate with a mutually agreeable public key
 algorithm, it will not offer any of the associated cipher-suites. Thus
 either the slave has a mis-configured cipher-list, is missing required
 certificates, or missing the associated private keys.
 

Hi Viktor, thanks for your response.

I don't know what went wrong and the error messages aren't of any help
to me. You, too, mention a lot of different possible sources of error.

So I set up two new ldap servers (master and slave) and a third just for
fun for a CA.

Then I worked step by step through my previously used tutorial and voila: the
connection from clients (local linux ldapsearch, remote Mac OS X Apache
Directory Studio) to the servers is encrypted. Even the replication from
the master to the slave. Strike.

Now I'm faced with some other questions regarding the CA, but this will
be another posting.

Happy Easter!

- Götz
-- 
Götz Reinicke
IT-Koordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart HRB 205016
Chairwoman of the Supervisory Board:
Prof. Dr. Claudia Hübner
State Councillor for Demographic Change and for Senior Citizens in the State Ministry

Managing Director:
Prof. Thomas Schadt
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           majord...@openssl.org


Re: handshake failure / SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr

2010-04-01 Thread Konrads Smelkovs
Make sure that the client and the server can use same suite of ciphers.
--
Konrads Smelkovs
Applied IT sorcery.


On Thu, Apr 1, 2010 at 3:34 PM, Götz Reinicke - IT-Koordinator 
goetz.reini...@filmakademie.de wrote:

 Hi,

 this drives me crazy for about two days:

 I do have two virtual Red Hat EL 5.4 servers in a test environment. One
 should be an openldap master, the second should be an openldap slave.

 openssl-0.9.8e-12.el5_4.1, openldap-2.3.43-3.el5 (RH EL original rpms)

 I followed some instructions to set up TLS: Set up a CA, generate/sign
 certificates and keys, install them on the servers and configure
 openldap, restart.

 My problem is: tls works on the master (which also is my CA for the
 test), but not on the slave.

 I've run openssl verify and openssl x509 -text on the certs -
 everything seems o.k.

 I've checked ip addresses, name resolving, locations, paths,
 permissions, file versions - anything I can think of.

 I've regenerated the key and cert for the slave following another
 documentation (at least with the same steps), but always get the same
 error:

 from the ldap server debug:

 TLS trace: SSL3 alert write:fatal:handshake failure
 TLS trace: SSL_accept:error in SSLv3 read client hello B
 TLS trace: SSL_accept:error in SSLv3 read client hello B
 TLS: can't accept.
 TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
 s3_srvr.c:975
 connection_read(13): TLS accept failure error=-1 id=0, closing

 from the ldap client debug:

 TLS trace: SSL3 alert read:fatal:handshake failure
 TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
 TLS: can't connect.
 ldap_perror
 ldap_start_tls: Connect error (-11)
additional info: error:14077410:SSL
 routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

 Maybe I missed a step or skipped something ...

 A thousand kowtows for any helping hint...!!

 Best regards,

Götz



Re: handshake failure / SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr

2010-04-01 Thread Götz Reinicke - IT Koordinator
Hi,

how do I check this?

On both servers I do have installed the same client and server software
and performing a secured connection from both systems to the master
server works; from both systems to the slave server fails.

Regards,

Götz

On 01.04.10 21:57, Konrads Smelkovs wrote:
 Make sure that the client and the server can use same suite of ciphers.
 --
 Konrads Smelkovs
 Applied IT sorcery.
 
 
 On Thu, Apr 1, 2010 at 3:34 PM, Götz Reinicke - IT-Koordinator
 goetz.reini...@filmakademie.de
 wrote:
 
 Hi,
 
 this drives me crazy for about two days:
 
 I do have two virtual Red Hat EL 5.4 servers in a test environment. One
 should be an openldap master, the second should be an openldap slave.
 
 openssl-0.9.8e-12.el5_4.1, openldap-2.3.43-3.el5 (RH EL original rpms)
 
 I followed some instructions to set up TLS: Set up a CA, generate/sign
 certificates and keys, install them on the servers and configure
 openldap, restart.
 
 My problem is: tls works on the master (which also is my CA for the
 test), but not on the slave.
 
 I've run openssl verify and openssl x509 -text on the certs -
 everything seems o.k.
 
 I've checked ip addresses, name resolving, locations, paths,
 permissions, file versions - anything I can think of.
 
 I've regenerated the key and cert for the slave following another
 documentation (at least with the same steps), but always get the same
 error:
 
 from the ldap server debug:
 
 TLS trace: SSL3 alert write:fatal:handshake failure
 TLS trace: SSL_accept:error in SSLv3 read client hello B
 TLS trace: SSL_accept:error in SSLv3 read client hello B
 TLS: can't accept.
 TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
 s3_srvr.c:975
 connection_read(13): TLS accept failure error=-1 id=0, closing
 
 from the ldap client debug:
 
 TLS trace: SSL3 alert read:fatal:handshake failure
 TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
 TLS: can't connect.
 ldap_perror
 ldap_start_tls: Connect error (-11)
additional info: error:14077410:SSL
 routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
 
 Maybe I missed a step or skipped something ...
 
 A thousand kowtows for any helping hint...!!
 
 Best regards,
 
Götz




Re: handshake failure / SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr

2010-04-01 Thread Victor Duchovni
On Thu, Apr 01, 2010 at 10:48:56PM +0200, Götz Reinicke - IT Koordinator wrote:

 Hi,
 
 how do I check this?
 
 On both servers I do have installed the same client and server software
 and performing a secured connection from both systems to the master
 server works; from both systems to the slave server fails.

If the slave has no certificate with a mutually agreeable public key
algorithm, it will not offer any of the associated cipher-suites. Thus
either the slave has a mis-configured cipher-list, is missing required
certificates, or missing the associated private keys.

-- 
Viktor.
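Added example, not code from this thread or from OpenLDAP: it models the check Götz asks for ("how do I check this?") and the rule Viktor states, using Python's ssl module, which exposes libssl's expansion of a cipher string and each suite's authentication algorithm. The cipher strings, the key types (read from openssl x509 -text on the server certificate) and the file paths are assumptions an admin fills in from their own slapd TLS settings.

```python
import ssl

# Rule from the thread: a server can only offer suites whose authentication
# algorithm matches the public key of a certificate it holds (with its private
# key). If the client's offer intersected with that set is empty, libssl logs
# "SSL3_GET_CLIENT_HELLO:no shared cipher" on the server side.

def suite_auth(cipher):
    """Map libssl's 'auth-rsa' / 'auth-ecdsa' / 'auth-any' to 'rsa' / 'ecdsa' / 'any'."""
    return (cipher.get("auth") or "").replace("auth-", "")

def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string (e.g. slapd's TLSCipherSuite) the way libssl does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if the string selects nothing
    return ctx.get_ciphers()

def offerable_suites(cipher_string, key_types, include_tls13=False):
    """Suites the server can really offer, given the key algorithms it has certs for.

    key_types: a set such as {"rsa"} or {"ecdsa"} (assumed input, taken from
    'openssl x509 -noout -text' on the server certificate). TLS 1.3 suites work
    with any key type and are excluded by default, since the thread's OpenSSL
    0.9.8 predates TLS 1.3.
    """
    offer = []
    for c in enabled_suites(cipher_string):
        if c["protocol"] == "TLSv1.3" and not include_tls13:
            continue
        alg = suite_auth(c)
        if alg == "any" or alg in key_types:
            offer.append(c["name"])
    return offer

def shared_suites(server_cipher_string, server_key_types, client_cipher_string):
    """The intersection the server computes when it reads the ClientHello."""
    client_offer = [c["name"] for c in enabled_suites(client_cipher_string)
                    if c["protocol"] != "TLSv1.3"]
    server_can = set(offerable_suites(server_cipher_string, server_key_types))
    return [name for name in client_offer if name in server_can]

def check_cert_and_key(certfile, keyfile):
    """(True, msg) if the cert and private key load and match. load_cert_chain raises
    ssl.SSLError on a key/cert mismatch and OSError on a missing or unreadable file,
    which covers Viktor's 'missing certificates' and 'missing private keys' cases."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(certfile, keyfile)
    except (ssl.SSLError, OSError) as e:
        return False, "%s / %s: %s" % (certfile, keyfile, e)
    return True, "certificate and private key load and match"
```

Run shared_suites() with the slave's TLSCipherSuite value, the key type of its certificate and the client's cipher string; an empty list is the same condition the slapd trace reports as "no shared cipher".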