Reputation: 21
I'm trying to verify that my LDAP server has the proper certificates for TLS.
I went to a remote box and typed:
openssl s_client -connect host:389 -showcerts -state
And the reply I got was:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
140319263606600:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 112 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
It seems I don't have certs properly configured, but when I type this command
ldapsearch -d -1 -x -LLL -ZZ
it seems to like my TLS. I'm royally confused; can somebody clarify?
Upvotes: 2
Views: 23516
Reputation: 10996
For StartTLS you need to use different command-line arguments.
The latest versions I had, 0.9.8.x, do not have any support for StartTLS LDAP.
The http://www.openssl.org/ site was down or unavailable when I wrote this, so I cannot tell if it was added in the latest versions.
The starttls option on my versions shows:
-starttls prot - use the STARTTLS command before starting TLS
for those protocols that support it, where
'prot' defines which one to assume. Currently,
only "smtp", "pop3", "imap", "ftp" and "xmpp"
are supported.
The syntax should be:
openssl s_client -connect remote.host:389 -starttls ldap
-jim
Upvotes: 4
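To make the difference between the two commands in the question concrete: on port 389 the server expects an LDAP PDU, so a bare TLS ClientHello (what `openssl s_client -connect host:389` sends) is simply not an LDAP message and the handshake fails before any certificate is exchanged. `ldapsearch -ZZ` works because it first sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), waits for a success response, and only then starts TLS on the same socket. Newer OpenSSL releases (1.1.0 and later) do the same thing with `-starttls ldap`. The script below is an added example written for this page, not code from either post or from the OpenSSL project: it performs that StartTLS exchange by hand and then lets Python's `ssl` module verify the server certificate against the system CA store, which is the check the asker actually wanted. The two sample responses at the bottom are constructed by hand for the offline parser checks; the hostname passed on the command line is whatever LDAP server you want to inspect.

```python
"""Minimal LDAP StartTLS probe: negotiate StartTLS on a plain LDAP socket, then
upgrade to TLS with certificate verification and report the peer certificate.
Added example for this page; it is not code from the question, the answer or OpenSSL.
"""
import socket
import ssl
import sys

# OID of the StartTLS extended operation (RFC 4511 / RFC 4513)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value wrapper for a single BER element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, ExtendedRequest [APPLICATION 23] }
    ExtendedRequest carries requestName [0] = the StartTLS OID and no requestValue."""
    # positive INTEGER: one extra byte when the top bit would otherwise be set
    mid = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # 0x77 = APPLICATION 23
    return ber_tlv(0x30, ber_tlv(0x02, mid) + ext_req)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(msg: bytes):
    """Return (message_id, result_code, diagnostic) from an ExtendedResponse LDAPMessage."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x78:  # APPLICATION 24 = ExtendedResponse
        raise ValueError(f"expected ExtendedResponse (0x78), got 0x{tag:02x}")
    _, code, pos = read_tlv(resp)            # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(resp, pos)  # matchedDN
    _, diag, _ = read_tlv(resp, pos)          # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the server hangs up."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed during StartTLS")
        data += chunk
    return data


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read one complete LDAPMessage by decoding its outer BER length first."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        head += recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def starttls_and_get_cert(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Connect in the clear, negotiate StartTLS, then return the verified peer certificate."""
    ctx = ssl.create_default_context()  # verifies chain and hostname against the system CA store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_starttls_response(recv_ldap_message(sock))
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample responses (not captured from a real server) for offline checks:
# success (resultCode 0, responseName echoing the OID) and refusal (52 = unavailable).
SAMPLE_OK = bytes.fromhex("30 24 02 01 01 78 1f 0a 01 00 04 00 04 00 8a 16") + STARTTLS_OID
SAMPLE_REFUSED = bytes.fromhex("30 1d 02 01 01 78 18 0a 01 34 04 00 04 11") + b"TLS not supported"

if __name__ == "__main__":
    # usage: python starttls_probe.py ldap.example.org [port]
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    cert = starttls_and_get_cert(target_host, target_port)
    print("subject:", cert.get("subject"), "notAfter:", cert.get("notAfter"))
```

A non-zero `resultCode` (for example `unavailable`, 52) tells you the server is not offering StartTLS at all, which is a different problem from a bad certificate; a certificate that fails verification surfaces as an `ssl.SSLCertVerificationError` from `wrap_socket`, which is exactly what `ldapsearch -ZZ` would also reject once `TLS_REQCERT` is set to `demand`.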