Bob Clough via FreeIPA-users wrote:
I'm having some issues talking to our new Freeipa servers via TLS
from Python 3.5 on Debian Stretch. Previously we had a Freeipa 4.2 server on Fedora 23
which was not showing this error, but I suspect that's because it had SSLv3 turned on.
I'm also having a similar error with etherpad's ldap support which is nodejs, so
it isn't limited to just python.
Trying to open the ldap on port 636, or starttls on port 389 gives the following error:
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)
I've written the following minimal test case that shows the error:
#!/usr/bin/env python3
import socket, ssl

# Plain TCP socket, then wrap it for TLS: PROTOCOL_TLS negotiates the highest
# version both sides support and ciphers='ALL' offers every cipher OpenSSL has.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
wrappedSocket = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLS, ciphers='ALL')
# The TLS handshake runs inside connect(); this is the call that raises the alert.
wrappedSocket.connect(("ipa1.hz.codethink.co.uk", 636))
wrappedSocket.close()
Connecting with openssl s_client -connect ipa1.hz.codethink.co.uk:636 connects
successfully.
Any ideas how I can work around this? I *think* the error is a cipher set
incompatibility between the two systems, but I've turned on all available non-null
ciphers at both ends and am out of ideas beyond that.
Why do you think that?
If you have NSS installed it provides an SSL proxy called ssltap. It
will print the details of the SSL handshake and show where the alert is
being raised. That would tell you.
Otherwise I think wireshark and likely other tools can do the same.
The 389-ds access log should show the connection request at least. I'm
not sure if it logs anything to errors in the case of a failed handshake.
rob
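An added diagnostic script in the spirit of Rob's advice (not code from either poster or from FreeIPA): it decodes the raw TLS Alert record that a proxy such as ssltap or a wireshark capture would show, says which side of the handshake that alert points at, and probes the server one TLS version at a time so a version or cipher mismatch shows up as a per-version result instead of a single opaque handshake_failure. It assumes Python 3.7+ for ssl.TLSVersion, and the host name ipa1.example.test is a placeholder to replace with your own server.

```python
#!/usr/bin/env python3
"""Locate where an LDAP-over-TLS handshake fails.

Added diagnostic example, not from the thread; assumes Python 3.7+ for
ssl.TLSVersion. The default host below is a placeholder.
"""
import socket
import ssl

# Alert descriptions (RFC 5246 section 7.2, RFC 8446 section 6) that commonly
# appear in failed LDAPS handshakes; the key is the byte value on the wire.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    109: "missing_extension", 112: "unrecognized_name",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
RECORD_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0",
                   0x0302: "TLS1.1", 0x0303: "TLS1.2"}
CONTENT_TYPE_ALERT = 21


def parse_alert_record(data):
    """Decode a raw TLS Alert record: type(1) version(2) length(2) level(1) desc(1).

    Returns a dict with version, level and description, or None when the
    bytes are not a well-formed Alert record.
    """
    if len(data) < 7 or data[0] != CONTENT_TYPE_ALERT:
        return None
    version = int.from_bytes(data[1:3], "big")
    length = int.from_bytes(data[3:5], "big")
    if length != 2:
        return None
    level, description = data[5], data[6]
    return {
        "version": RECORD_VERSIONS.get(version, "0x%04x" % version),
        "level": ALERT_LEVELS.get(level, str(level)),
        "description": ALERT_DESCRIPTIONS.get(description, str(description)),
    }


def explain_alert(description):
    """Say what the peer that raised a given alert was objecting to."""
    if description == "handshake_failure":
        return "no cipher suite, version or extension in the ClientHello was acceptable"
    if description == "protocol_version":
        return "the offered protocol version is not allowed"
    if description in ("bad_certificate", "certificate_unknown", "unknown_ca"):
        return "certificate validation failed on the side that raised the alert"
    if description == "insufficient_security":
        return "the offered cipher suites are weaker than the policy permits"
    return "cause not encoded in the alert; check the server's error log"


def probe_versions(host, port=636, timeout=5.0):
    """Offer exactly one TLS version per connection and record the outcome.

    Certificate verification stays on (default context), so a verification
    problem is reported through ssl.SSLError.reason just like a cipher one.
    """
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError as err:  # local OpenSSL was built without this version
            results[version.name] = "unsupported locally: %s" % err
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = "ok (%s)" % tls.cipher()[0]
        except ssl.SSLError as err:
            results[version.name] = "fail: %s" % err.reason
        except OSError as err:
            results[version.name] = "error: %s" % err
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa1.example.test"  # placeholder
    for name, outcome in probe_versions(target).items():
        print("%-8s %s" % (name, outcome))
```

Run it as `./tlsprobe.py your-ipa-host`: a server that answers every version with `fail: SSLV3_ALERT_HANDSHAKE_FAILURE` is rejecting the cipher list or an extension rather than the version, while one that only fails on the older versions is enforcing a minimum protocol. Feed the seven alert bytes from a capture into parse_alert_record to confirm which side sent the alert and at which record version.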