Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
info at gwarband.de
Mon Mar 20 23:09:30 EET 2017
The one that works fine was my openxchange server, which loads contacts
from openldap.
In my opinion I don't have a security framework like SELinux or AppArmor
installed.
The output of namei -l /etc/ssl/certs/LetsEncrypt.pem
f: /etc/ssl/certs/LetsEncrypt.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drwxr-xr-x root root certs
lrwxrwxrwx root root LetsEncrypt.pem -> /etc/ssl/own/LetsEncrypt.crt
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drwxr-x--- root ssl-cert own
-rw-r----- root ssl-cert LetsEncrypt.crt
Tobias
On 2017-03-20 21:49, Aki Tuomi wrote:
> Did you do some successful lookup with something there? I can see a few
> failed attempts and one that seems to have worked just fine.
>
> As pointed out earlier, are you using security frameworks like
> SELinux or AppArmor? Also, can you provide namei -l
> /etc/ssl/certs/LetsEncrypt.pem
>
> The failed attempts are really short, indicating a VERY early problem
> with SSL handshake.
>
> Aki
>
>> On March 20, 2017 at 9:24 PM info at gwarband.de wrote:
>>
>>
>> I have a new pcap from beginning to end with openldap "TLS
>> negotiation failed"
>>
>> https://gwarband.de/openldap/tracefile.dump
>>
>> The sourceports are 45376 and 45377
>>
>> Tobias
>>
>> On 2017-03-20 19:59, Aki Tuomi wrote:
>>> Well, those actually *reduce* the possible algorithms that can be
>>> used, so uncommenting those can make things worse.
>>>
>>> Anyways, your pcap seems incomplete, can you try again?
>>>
>>> Aki
>>>
>>>> On March 20, 2017 at 8:14 PM info at gwarband.de wrote:
>>>>
>>>>
>>>> I have also tested with 2.2.28 and this version has the same issue.
>>>>
>>>> Finding compatible ciphers is not the problem because I have
>>>> uncommented the ldap entries:
>>>> TLSCipherSuite
>>>> SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
>>>> TLSProtocolMin 3.1
>>>>
>>>> Maybe you have further ideas.
>>>>
>>>> On 2017-03-20 17:42, Aki Tuomi wrote:
>>>>>> On March 20, 2017 at 5:28 PM info at gwarband.de wrote:
>>>>>>
>>>>>>
>>>>>> Can somebody say something about this request?
>>>>>>
>>>>>> This is an email from the openldap-technical mailing list from
>>>>>> openldap.
>>>>>>
>>>>>> System details are mentioned in the other email.
>>>>>>
>>>>>> -------- Original message --------
>>>>>> Subject: Re: Dovecot can't connect to openldap over starttls
>>>>>> Date: 2017-03-20 16:18
>>>>>> From: Dan White <dwhite at cafedemocracy.org>
>>>>>> To: info at gwarband.de
>>>>>> Cc: openldap-technical at openldap.org
>>>>>>
>>>>>> On 03/20/17 16:06 +0100, info at gwarband.de wrote:
>>>>>>>> Debug Dovecot's implementation of ldap_start_tls_s().
>>>>>>> I don't have any idea how to set a higher debug level for
>>>>>>> dovecot. In my opinion I have the highest. So I can't deliver a
>>>>>>> greater log.
>>>>>>
>>>>>> I recommend consulting Dovecot's advice on how to run a debugger,
>>>>>> or dig into the code which calls libldap.
>>>>>
>>>>> Hi!
>>>>> I just ran a quick test, and the following things are needed:
>>>>>
>>>>> uris = ldap://ldap.host.com
>>>>> tls = yes
>>>>> tls_ca_cert_file = /path/to/cert-bundle.crt
>>>>>
>>>>> This has been tested with 2.2.28, and works just fine. Not sure
>>>>> why you are having issues.
>>>>>
>>>>> Of course this could be anything between not finding compatible
>>>>> ciphers to the LDAP server actually expecting a client certificate,
>>>>> what with the logs not actually being too verbose, unfortunately.
>>>>> There isn't too much to "debug" in Dovecot's TLS implementation,
>>>>> it's not doing anything fancy aside from calling ldap_start_tls_s.
>>>>>
>>>>> I am not sure what debugging you could try further.
>>>>>
>>>>> Aki