LDAP and SSL (Using LDAP with SSL)
imorris

I've been troubleshooting connections to LDAP using Mac OS X Address book. We can connect successfully with standard LDAP, and with secure LDAP when "allow self-signed certificates" is selected in the Address Book LDAP config (on 10.5, Leopard). It does not work when this option is not selected, with the following debug messages thrown in Kerio MailServer:

[05/Jun/2008 13:18:18][3244470272] {conn} SSL debug: id 0x902d650 SSL handshake started: before/accept initialization
[05/Jun/2008 13:18:18][3244470272] {conn} SSL debug: id 0x902d650 SSL_accept:before/accept initialization
[05/Jun/2008 13:18:18][3244470272] {conn} SSL debug: id 0x902d650 SSL_accept:error in SSLv2/v3 read client hello A
[05/Jun/2008 13:18:18][3244470272] {conn} Cannot accept SSL connection from 10.10.2.21:49197 to 10.10.1.10:636: SSL code 1, system error: (0) Unknown error: 0
[05/Jun/2008 13:18:18][3244470272] {conn} SSL error stack: 3244470272:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:


Any ideas on why this would not work? The certificate is a wildcard cert we use for our domain for secure mail connections. We get no errors from clients that the certificate is untrusted or invalid.

Thanks for any help you can provide.

The "allow self-signed certs" option is only available in 10.5, so 10.4 clients cannot connect via SSL to our LDAP server.

[Updated on: Thu, 05 June 2008 22:51]

AdamSteinberg

I'm having a similar problem:
1) Secure webmail is working fine, we have a certificate by RapidSSL.
2) LDAP is working fine.
3) Secure LDAP is not working at all, I get these errors in the log:

[27/Jun/2008 10:50:08][144645632] {conn} SSL debug: id 0x3199ce0 SSL3 alert write:warning:close notify
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL handshake started: before/accept initialization
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL_accept:before/accept initialization
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL_accept:SSLv3 read client hello A
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL_accept:SSLv3 write server hello A
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL_accept:SSLv3 write certificate A
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL_accept:SSLv3 write server done A
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL_accept:SSLv3 flush data
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL3 alert read:fatal:unknown CA
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL_accept:failed in SSLv3 read client certificate A
[27/Jun/2008 10:50:11][148982272] {conn} Cannot accept SSL connection from 192.168.2.199:62500 to 192.168.2.56:636: SSL code 1, system error: (0) Unknown error: 0
[27/Jun/2008 10:50:11][148982272] {conn} SSL error stack: 148982272:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48

The client I'm trying to use is Apple Address Book, Mac OS X 10.5.3. Entourage works fine, both in Exchange mode and in LDAP queries, when using SSL.

No answer yet from support....
imorris

Hi Adam,

I have put in a ticket for the above problem I described, and it has been escalated to the programmers.

You may be aware that there have been some changes to ldap on 10.5, such as in /etc/openldap/ldap.conf:

10.4:
TLS_REQCERT = never

10.5:
TLS_REQCERT = demand

This causes the ldap client to not trust even valid certificates when binding. It does not read from the keychain X509 anchors list, unfortunately. This is unrelated to my problem with 10.4 clients, but might be to yours.

Joel R. posted an article about binding to OD in leopard that explains a bit:
http://www.afp548.com/article.php?story=20071203011158936

Good luck.
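The two failures quoted in this thread look alike in the Kerio log but fail at different points of the handshake: "unknown protocol" in SSL23_GET_CLIENT_HELLO means the bytes arriving on port 636 were never a TLS ClientHello, while alert 48 (unknown CA) means the handshake reached the server certificate and the client refused its issuer, which is the TLS_REQCERT demand behaviour described above. The following Python script is an added example, not code from Kerio or from any poster; it pairs each "Cannot accept SSL connection" line with the OpenSSL error stack on the same thread id and labels the cause. The sample lines are constructed from the logs quoted in this thread.

```python
import re

# Constructed sample lines, modelled on the Kerio "{conn}" SSL debug output quoted in this thread.
SAMPLE_LOG = """\
[05/Jun/2008 13:18:18][3244470272] {conn} SSL debug: id 0x902d650 SSL_accept:error in SSLv2/v3 read client hello A
[05/Jun/2008 13:18:18][3244470272] {conn} Cannot accept SSL connection from 10.10.2.21:49197 to 10.10.1.10:636: SSL code 1, system error: (0) Unknown error: 0
[05/Jun/2008 13:18:18][3244470272] {conn} SSL error stack: 3244470272:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
[27/Jun/2008 10:50:11][148982272] {conn} SSL debug: id 0x3199ce0 SSL3 alert read:fatal:unknown CA
[27/Jun/2008 10:50:11][148982272] {conn} Cannot accept SSL connection from 192.168.2.199:62500 to 192.168.2.56:636: SSL code 1, system error: (0) Unknown error: 0
[27/Jun/2008 10:50:11][148982272] {conn} SSL error stack: 148982272:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48
"""
# One regex per line type we care about; the "[timestamp][thread]" prefix is captured
# so a failure and its error-stack line can be paired by thread id.
PREFIX = r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>\d+)\] \{conn\} "
FAIL_RE = re.compile(PREFIX + r"Cannot accept SSL connection from (?P<client>[\d.]+):\d+ to (?P<server>[\d.]+):(?P<port>\d+)")
STACK_RE = re.compile(PREFIX + r"SSL error stack: \d+:error:(?P<code>[0-9A-F]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):")

# OpenSSL reason strings mapped to what they mean for an LDAPS listener.
VERDICTS = {
    "unknown protocol": ("no_tls_client_hello",
        "Bytes on the TLS port were not a ClientHello: the client spoke plain LDAP (or STARTTLS) "
        "to the LDAPS port. Check the client's port/SSL mode, not the server certificate."),
    "tlsv1 alert unknown ca": ("client_rejected_server_cert",
        "Handshake reached the certificate; the client sent alert 48 (unknown_ca). The client does "
        "not trust the issuer, e.g. TLS_REQCERT demand with no CA configured in ldap.conf."),
}

def diagnose(log_text):
    """Pair each 'Cannot accept SSL connection' line with the error stack on the same thread
    and return one finding per failed connection, in log order."""
    failures = {}   # thread id -> partial finding awaiting its error stack
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            failures[m["thread"]] = {"time": m["ts"], "client": m["client"],
                                     "server": m["server"], "port": int(m["port"])}
            continue
        m = STACK_RE.match(line)
        if m and m["thread"] in failures:
            f = failures.pop(m["thread"])
            category, advice = VERDICTS.get(m["reason"], ("unclassified", "Reason not in table: " + m["reason"]))
            f.update(ssl_func=m["func"], reason=m["reason"], category=category, advice=advice)
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} -> :{f['port']} [{f['category']}] {f['advice']}")
```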