This has been driving me crazy for about two days:
I have two virtual Red Hat EL 5.4 servers in a test environment. One
should be an openldap master, the second should be an openldap slave.
openssl-0.9.8e-12.el5_4.1, openldap-2.3.43-3.el5 (RH EL original rpms)
I followed some instructions to set up TLS: set up a CA, generate/sign
certificates and keys, install them on the servers, configure
openldap, restart.
My problem is: tls works on the master (which also is my CA for the
test), but not on the slave.
I've "openssl verify"ed and "openssl x509 -text"ed the certs -
everything seems OK.
I've checked IP addresses, name resolution, locations, paths,
permissions, file versions - anything I can think of.
I've regenerated the key and cert for the slave following another
document (at least with the same steps), but always get the same
error:
from the ldap server debug:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c:975
connection_read(13): TLS accept failure error=-1 id=0, closing
from the ldap client debug:
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Maybe I missed a step or skipped something ...
A thousand kowtows for any helping hint...!!
Best regards,
Götz
--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.r...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Stuttgart District Court, HRB 205016
Chair of the Supervisory Board:
Prof. Dr. Claudia Hübner
Managing Director:
Prof. Thomas Schadt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
> Hi,
>
> how do I check this?
>
> On both servers I do have installed the same client and server software
> and performing a secured connection from both systems to the master
> server works; from both systems to the slave server fails.
If the slave has no certificate with a mutually agreeable public key
algorithm, it will not offer any of the associated cipher-suites. Thus
either the slave has a mis-configured cipher-list, is missing required
certificates, or is missing the associated private keys.
--
Viktor.
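One way to carry out the checks Viktor lists on the slave, as an added example that is not part of this thread: a POSIX shell function that takes the three paths slapd's TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile point at, and checks that each file is readable, that the server certificate verifies against the CA, and that the private key's public half is the one embedded in the certificate, then reports the certificate's key algorithm (the server can only offer cipher-suites whose authentication type matches it). The paths in the usage line are placeholders, and the script assumes a current openssl CLI; openssl pkey is the newer generic key tool, so on an older release comparing "openssl x509 -noout -modulus" with "openssl rsa -noout -modulus" does the same job for RSA keys.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the files that slapd's
# TLSCACertificateFile / TLSCertificateFile / TLSCertificateKeyFile point at.
# Assumes a current openssl CLI is on PATH.
set -e

# check_tls_pair CA_CERT SERVER_CERT SERVER_KEY
# Returns 0 when every file is readable, the server certificate chains to
# the CA, and the private key matches the certificate; non-zero otherwise,
# printing the reason on stdout.
check_tls_pair() {
    ca="$1"; cert="$2"; key="$3"

    # 0. slapd must be able to read all three files (run this as slapd's user).
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done

    # 1. Does the server certificate verify against the CA the slave trusts?
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not verify against $ca"; return 2; }

    # 2. Is the private key the one that belongs to this certificate?
    #    Compare a digest of the public key taken from each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 3; }

    # 3. Report the key algorithm: only cipher-suites with a matching
    #    authentication type can be offered (e.g. an RSA cert -> RSA suites).
    openssl x509 -in "$cert" -noout -text | grep 'Public Key Algorithm'
    return 0
}

# Usage (placeholder paths):
#   sh check_tls.sh /etc/openldap/cacerts/ca.pem \
#                   /etc/openldap/slave.crt /etc/openldap/slave.key
if [ "$#" -eq 3 ]; then
    check_tls_pair "$1" "$2" "$3"
fi
```

Run it as the user slapd runs as, since the readability check is made from the caller's point of view; a key that root can read but the ldap user cannot shows up the same way ("no shared cipher") in the slapd debug output, because the server then has no usable key for any suite.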