Descobri que o ApacheDS não suporta SSLv2, o mesmo que o Java 1.7 por padrão. Por isso, desativei o SSLv2 no OpenLDAP adicionando também uma versão mínima do protocolo: TLS_PROTOCOL_MIN 3.3 . Essa foi a minha solução.
Eu preciso conectar o banco de dados ApacheDS usando startTLS com o cliente OpenLDAP. Meu arquivo ldaprc contém:
URI ldap://127.0.0.1:7323 ldaps://127.0.0.1:7423
SSL start_tls
SASL_MECH plain
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLS_REQCERT allow
O comando que usei é:
ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -Z -d1
Eu verifiquei, meu servidor está escutando nessas portas, consigo me conectar com outros clientes (por exemplo, ldapbrowser, jxplorer), mas os testes com o OpenLdap falham:
...
ldap_connect_to_host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f81d95282a0 msgid 1
wait4msg ld 0x7f81d95282a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f81d95282a0 msgid 1 all 1
** ld 0x7f81d95282a0 Connections:
* host: 127.0.0.1 port: 7323 (default)
refcnt: 2 status: Connected
last used: Tue Dec 8 09:51:45 2015
** ld 0x7f81d95282a0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f81d95282a0 request count 1 (abandoned 0)
** ld 0x7f81d95282a0 Response Queue:
Empty
ld 0x7f81d95282a0 response count 0
ldap_chkResponseList ld 0x7f81d95282a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f81d95282a0 NULL
ldap_int_select
read1msg: ld 0x7f81d95282a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7f81d95282a0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f81d95282a0 0 new referrals
read1msg: mark request completed, ld 0x7f81d95282a0 msgid 1
request done: ld 0x7f81d95282a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: error:140773F2:SSLroutines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
Alguma ideia do que estou fazendo errado ou do que estou perdendo?
edite: Como você me perguntou eu usei a opção -ZZ e o que eu tenho:
ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -ZZ -d1 ldap_url_parse_ext(ldap://localhost:7323)
ldap_create
ldap_url_parse_ext(ldap://localhost:7323/??base) ldap_extended_operation_s ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:7323
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7ff278d7e2a0 msgid 1
wait4msg ld 0x7ff278d7e2a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7ff278d7e2a0 msgid 1 all 1
** ld 0x7ff278d7e2a0 Connections:
* host: localhost port: 7323 (default) refcnt: 2 status: Connected
last used: Mon Dec 14 08:48:04 2015
** ld 0x7ff278d7e2a0 Outstanding Requests: * msgid 1, origid 1, status
InProgress outstanding referrals 0, parent count 0 ld 0x7ff278d7e2a0 request count 1 (abandoned 0)
** ld 0x7ff278d7e2a0 Response Queue: Empty ld 0x7ff278d7e2a0 response count 0 ldap_chkResponseList ld 0x7ff278d7e2a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7ff278d7e2a0 NULL
ldap_int_select read1msg: ld 0x7ff278d7e2a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7ff278d7e2a0 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7ff278d7e2a0 0 new referrals read1msg: mark request completed, ld 0x7ff278d7e2a0 msgid 1 request done: ld 0x7ff278d7e2a0 msgid 1 res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x)
ber: ber_scanf fmt (}) ber: ldap_msgfree<br/>TLS trace:
SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A<br/> TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv#
alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11) additional info: error:140773F2:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message