# OpenLDAP not working with TLS



## erikf154 (May 18, 2009)

I'm trying to get OpenLDAP to work with TLS. I've tested my certificates running openssl s_server on port 4433 and then connecting with openssl s_client to view the certificates and it works fine.

However, when I start the slapd daemon and then try:

```
openssl s_client -connect kitauth001.mid.no:389 -showcerts
CONNECTED(00000003)
15292:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:188:
```

The debug.log reveals the following:

```
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on 1 descriptor
May 18 13:20:21 kitauth001 slapd[15289]: slap_listener_activate(7):
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=7 busy
May 18 13:20:21 kitauth001 slapd[15289]: >>> slap_listener(ldap://0.0.0.0/)
May 18 13:20:21 kitauth001 slapd[15289]: daemon: listen=7, new connection on 11
May 18 13:20:21 kitauth001 slapd[15289]: daemon: added 11r (active) listener=0x0
May 18 13:20:21 kitauth001 slapd[15289]: conn=1 fd=11 ACCEPT from IP=10.11.2.10:57973 (IP=0.0.0.0:389)
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on 1 descriptor
May 18 13:20:21 kitauth001 slapd[15289]: daemon: waked
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=7 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on 1 descriptor
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on:
May 18 13:20:21 kitauth001 slapd[15289]:  11r
May 18 13:20:21 kitauth001 slapd[15289]:
May 18 13:20:21 kitauth001 slapd[15289]: daemon: read activity on 11
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=7 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: connection_get(11)
May 18 13:20:21 kitauth001 slapd[15289]: connection_get(11): got connid=1
May 18 13:20:21 kitauth001 slapd[15289]: connection_read(11): checking for input on id=1
May 18 13:20:21 kitauth001 slapd[15289]: ber_get_next on fd 11 failed errno=34 (Result too large)
May 18 13:20:21 kitauth001 slapd[15289]: connection_read(11): input error=-2 id=1, closing.
May 18 13:20:21 kitauth001 slapd[15289]: connection_closing: readying conn=1 sd=11 for close
May 18 13:20:21 kitauth001 slapd[15289]: connection_close: conn=1 sd=11
May 18 13:20:21 kitauth001 slapd[15289]: daemon: removing 11
May 18 13:20:21 kitauth001 slapd[15289]: conn=1 fd=11 closed (connection lost)
May 18 13:20:21 kitauth001 slapd[15289]: daemon: activity on 1 descriptor
May 18 13:20:21 kitauth001 slapd[15289]: daemon: waked
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 18 13:20:21 kitauth001 slapd[15289]: daemon: select: listen=7 active_threads=0 tvp=NULL
```
Got this in the slapd.conf

```
security ssf=128
TLSCertificateFile /usr/local/etc/openldap/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cert.key
TLSCACertificateFile /usr/local/etc/openldap/cert.crt
```

Any idea why it's not working?
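An added example, not from the thread: port 389 serves plain LDAP, and TLS on it is negotiated inside the LDAP session through the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037). A raw TLS handshake opened directly on 389, which is what `openssl s_client -connect host:389` does, hands slapd a TLS record (first byte 0x16) where it expects a BER-encoded LDAPMessage (first byte 0x30), so the PDU read fails and the connection is closed. Implicit TLS is a separate listener (ldaps://, port 636) that slapd only offers when started with `-h "ldap:/// ldaps:///"`. The script below speaks the protocol the way a client must: it sends the StartTLS request, parses the server's ExtendedResponse, and only then completes the TLS handshake and fetches the certificate for inspection. The hostname, the sample server responses and the helper names are constructed for this example and are not part of OpenLDAP.

```python
"""StartTLS probe for an LDAP server (added example, not from the forum thread).

Demonstrates why a direct TLS handshake on port 389 fails: every LDAPMessage
starts with a BER SEQUENCE tag (0x30), while a TLS ClientHello starts with a
handshake record (0x16 0x03 ...). TLS on 389 must be requested with the
StartTLS extended operation first. Hostnames and sample responses are constructed.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


# --- minimal BER helpers, enough for an LDAP ExtendedRequest/ExtendedResponse ---

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- the StartTLS exchange (client request, server response) ---

def build_starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))   # 0x77 = [APPLICATION 23], constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)   # msg_id < 128 assumed


def build_extended_response(msg_id, result_code, diag=b"", response_name=None) -> bytes:
    """Server side of the exchange; used here only to construct sample responses."""
    body = ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"") + ber_tlv(0x04, diag)
    if response_name is not None:
        body += ber_tlv(0x8A, response_name)                # responseName [10]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x78, body))  # 0x78 = [APPLICATION 24]


def parse_extended_response(data: bytes) -> dict:
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (expected 0x30, got 0x%02x)" % tag)
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)            # resultCode ENUMERATED
    _, matched, pos = read_tlv(op, pos)    # matchedDN
    _, diag, _ = read_tlv(op, pos)         # diagnosticMessage
    return {"msg_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def looks_like_tls_record(first_bytes: bytes) -> bool:
    """What slapd receives when a client opens TLS directly on the plain port."""
    return len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def looks_like_ldap_message(first_bytes: bytes) -> bool:
    return len(first_bytes) >= 1 and first_bytes[0] == 0x30


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-PDU")
        buf += chunk
    return buf


def _recv_pdu(sock) -> bytes:
    """Read exactly one BER TLV (one LDAPMessage) from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        extra = _recv_exact(sock, head[1] & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def starttls_probe(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Request StartTLS; on success finish the TLS handshake and return the peer cert as PEM.
    Verification is disabled only so the server's own chain can be inspected; a real
    client verifies against the CA that issued the server certificate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        result = parse_extended_response(_recv_pdu(sock))
        if result["result_code"] != 0:
            return result                  # server refused StartTLS; diagnostic says why
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
            result["peer_cert_pem"] = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    return result


if __name__ == "__main__":
    import sys
    print(starttls_probe(sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"))  # constructed host
```

Run it as `python3 starttls_probe.py kitauth001.mid.no`: a non-zero `result_code` with a diagnostic message means slapd accepted the LDAP request but refused StartTLS (TLS not configured or the certificate files not loadable), whereas a success followed by a handshake failure points at the certificate or key files themselves. Newer OpenSSL releases perform the same exchange with `openssl s_client -starttls ldap -connect host:389`; the plain `-connect host:389` form only makes sense against an ldaps:// listener, which on this setup would be port 636.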


----------



## DutchDaemon (May 18, 2009)

Please choose an appropriate forum next time; the General forum is a last resort (see sticky there).


----------



## erikf154 (May 18, 2009)

Will do


----------



## DutchDaemon (May 18, 2009)

erikf154 said:

> ```
> security ssf=128
> TLSCertificateFile /usr/local/etc/openldap/cert.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cert.key
> ...
> ```



TLS and TLSCA have the same cert file? I'd expect to see a cacert.crt or something similar (using neither ldap or tls myself)


----------



## erikf154 (May 18, 2009)

It's a self-signed certificate. I tried using CA.pl to create a demo CA certificate, but I still got the same error.


----------

