Bug#381788: [Pkg-openldap-devel] Re: Bug#381788: slapd: TLS connections fail when running as non-root

Berg, Michael michaeljberg at gmail.com
Wed Aug 9 03:52:11 UTC 2006


> This error is coming straight from the OpenSSL libraries.
> Have you tried connecting with openssl s_client?

Yes.

I am running slapd listening on both ports 389 (using starttls) and port
636 (SSL only to support some software that doesn't support starttls).

As pointed out in my original bug report, I have run
"openssl s_client -connect 127.0.0.1:636"
to connect to the SSL only port.

When slapd is running as root, s_client successfully establishes a
connection.  When slapd is running as non-root, I get the error messages:
==========
25159:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
25159:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
==========

The manual page for s_client says that the only supported keywords for the
"-starttls <protocol>" option are currently "smtp" and "pop3", so I can't
use s_client to test ldap port 389+starttls.

But "ldapsearch -x -ZZ" (which is configured to use port 389+starttls)
gives the following error message when slapd is running as non-root:
==========
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
==========
and the "error:14094410:SSL" is the same as the error returned by s_client
on the SSL only port.

Again, these errors only happen when slapd is running as non-root.
s_client to the SSL port and ldapsearch to port 389+starttls both work
perfectly when slapd is running as root.


> <http://www.openldap.org/lists/openldap-software/200409/msg00242.html>
> 
> This link also notes someone hitting this issue in the past.

Same error messages, but somewhat different problem.
The link is someone trying to use client certificates and it not working.

I am *not* trying to use client certificates, and have
"TLSVerifyClient never" in my slapd.conf.

However, (based on the error messages) it seems that slapd is still
requiring a client certificate - and only when running as non-root for some
reason.
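An added diagnostic, not part of the report or of OpenLDAP: the s_client of the time had no LDAP "-starttls", so this script sends the LDAP StartTLS extended operation itself and then attempts the handshake on 127.0.0.1:389, alongside the direct ldaps check on port 636, classifying the outcome so the root and non-root runs the report contrasts can be compared side by side. It assumes a slapd on 127.0.0.1, and disables certificate verification unless a cafile is passed, because only the handshake is under test; the error-text classification is a heuristic keyed on the alert 40 message quoted above.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def build_starttls_request(msg_id=1):
    """BER-encode LDAPMessage{messageID, ExtendedRequest{requestName = StartTLS OID}} (msg_id < 128)."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    op = b"\x77" + bytes([len(name)]) + name                    # [APPLICATION 23] ExtendedRequest
    body = b"\x02\x01" + bytes([msg_id]) + op                   # INTEGER messageID, then the op
    return b"\x30" + bytes([len(body)]) + body                  # outer SEQUENCE, short-form length

def parse_result_code(msg):
    """resultCode of a short-form ExtendedResponse (30 L 02 01 id 78 L 0a 01 code ...), else None."""
    if len(msg) < 10 or msg[0] != 0x30 or msg[2:4] != b"\x02\x01":
        return None
    if msg[5] != 0x78 or msg[7:9] != b"\x0a\x01":  # [APPLICATION 24] ExtendedResponse, ENUMERATED
        return None
    return msg[9]

def classify_tls_error(exc):
    """'handshake failure' / alert 40 is the exact symptom quoted in the report; anything else is generic."""
    text = str(exc).lower()
    return "handshake-failure" if "handshake failure" in text or "alert number 40" in text else "tls-error"

def check_tls(host, port, starttls, cafile=None, timeout=5.0):
    """Return (status, detail). starttls=False tests an ldaps port; True tests LDAP + StartTLS."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:  # diagnosing the handshake only; nothing here trusts the peer's identity
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if starttls:
                sock.sendall(build_starttls_request())
                code = parse_result_code(sock.recv(4096))
                if code != 0:  # server refused StartTLS, or replied with something unexpected
                    return ("starttls-refused", code)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLError as exc:
        return (classify_tls_error(exc), str(exc))
    except OSError as exc:
        return ("connect-error", str(exc))

if __name__ == "__main__":  # the two checks the report describes, against a local slapd
    print("ldaps 636:", check_tls("127.0.0.1", 636, starttls=False))
    print("389+StartTLS:", check_tls("127.0.0.1", 389, starttls=True))
```

Run it once with slapd as root and once as the service user; a "handshake-failure" on both ports in only the second run reproduces what the report describes.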
