SSL 例程:ssl23_write:ssl 握手失败:s23_lib.c:177:

tag-icon tag-icon openssl openldap certificate-authority debian-jessie
SSL 例程:ssl23_write:ssl 握手失败:s23_lib.c:177:

我有一个 openldap 主服务器和 2 个 openldap 从服务器。使用非自签名 CA。

openldap master:基于 stretch
slapd 2.4.44+dfsg-5+d amd64
openssl 1.1.0f-3+deb9u1 amd64命名 debian

openldap 从属:基于 stretch
slapd 2.4.44+dfsg-5+d amd64
openssl 1.1.0f-3+deb9u1 amd64命名 debian1

openldap master:名称 ldap 基于 o oracle linux 7.4
slapd 2.4.44-5.el7.x86_64
openssl-1.0.2k-8.0.1.el7.x86_64

基于 oracle linux 的 openldap 客户端无法连接到基于 debian strech 的 ldap master。

我在从属 debian 和从属 oracle linux 上所做的事情:

root@debian1:~# openssl verify -CAfile /etc/ssl/contatogs.com.br/cacert.pem /etc/ssl/contatogs.com.br/newcerts/cn\=debian1\,ou\=computers\,dc\=contatogs\,dc\=com\,dc\=br.crt.pem 
/etc/ssl/contatogs.com.br/newcerts/cn=debian1,ou=computers,dc=contatogs,dc=com,dc=br.crt.pem: **OK**

[root@ldap ~]# openssl verify -CAfile /etc/openldap/cacerts/cacert.pem /etc/openldap/certs/cn\=ldap\,ou\=>
/etc/openldap/certs/cn=ldap,ou=computers,dc=contatogs,dc=com,dc=br.crt.pem: **OK**

到目前为止一切顺利 80)

现在 debian1 从属设备上可能存在问题:

root@debian1:~# openssl s_client -connect debian.contatogs.com.br:389 -CAfile /etc/ssl/contatogs.com.br/cac
ert.pem  -state 
CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
**SSL_connect:error in SSLv3/TLS write client hello**
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519415735
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

但尽管出现此错误/警告,只有 debian/debian 的主/从仍然有效。

现在oracle linux根本不能工作......

[root@ldap ~]# 
<contatogs.com.br:389 -CAfile /etc/openldap/cacerts/cacert.pem  -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
139967037114272:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
   PSK identity: None
    PSK identity hint: None
    Start Time: 1519415876
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

我几乎可以肯定问题出在 CA,但我不知道该如何解决...80)

任何帮助都将非常感激。

答案1

嗨,为了便于以后搜索,我找到了正确的方法来消除此错误。当我为从属服务器创建证书时,我使用客户端部分(TLS Web 客户端)创建证书,正确的方法是创建服务器证书(TLS Web 服务器)。帮助我发现此错误的是 serverfault 上的另一篇帖子,其中包含以下命令:openssl verify -purpose sslserver -CAfile cacert.pem ldaprov1.crt

相关内容