how can I use openssl to download my ldap cert over port 389 instead of 636 (TLS)?

I used to use the following command to download my server SSL certs from LDAP in order to add them to tomcat/java keystores:

openssl s_client -connect 10.140.136.192:636

Since LDAP SSL (port 636) has been deprecated, I don't have port 636 available anymore. I've tried to find various incantations for openssl s_client such as -starttls and -tls1_2; however, none of them produces the certificate. What is the magic word to do this?


OpenSSL supports starttls for a number of protocols with s_client:

-starttls protocol
send the protocol-specific message(s) to switch to TLS for communication. protocol is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp".

which would allow you to easily retrieve the public certificate, but LDAP isn't one of them, unfortunately.

Since the upgrade to TLS is protocol specific you need a tool that understands the protocol. That rules out OpenSSL.

I don't have a directory at hand but wouldn't the verbose ldapsearch -Z -v -H ldap://ldap.example.com:389 ... display the certificate as part of the debugging info?
A quick search shows that Apache Directory studio will display the certificate too.

Update:

OpenSSL 1.1.1 included a patch to add LDAP support (RFC 4511) to s_client, and -starttls ldap is now supported. RHEL/CentOS 7 versions of openssl appear to have backported that update (and others) to the openssl 1.0.2k package they ship, as the manual now has 8 additional starttls protocols:

-starttls protocol
send the protocol-specific message(s) to switch to TLS for communication. protocol is a keyword for the intended protocol. Currently, the only supported keywords are smtp, pop3, imap, ftp, xmpp, xmpp-server, irc, postgres, lmtp, nntp, sieve and ldap.
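Putting the updated answer into practice, as an added example that is not part of the original post: a small POSIX shell script that retrieves the server certificate over port 389 with -starttls ldap and saves the leaf certificate as PEM for keystore import. The host, port, output file, and keystore alias are placeholders; -showcerts and -servername are assumed to be available in the s_client build being used.

```shell
#!/bin/sh
# Added example, not from the original post: fetch an LDAP server's certificate
# over port 389 with STARTTLS and save the leaf certificate as PEM for a keystore.
# Requires an OpenSSL whose s_client understands "-starttls ldap" (1.1.1+, or
# RHEL/CentOS 7's patched 1.0.2k). Host, port, file and alias values are placeholders.

# Keep only the first (leaf) certificate from s_client -showcerts output on stdin;
# the second sed quits at the first END line so intermediates are dropped.
extract_leaf_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q'
}

# Connect on the plain LDAP port, send the StartTLS extended operation (RFC 4511),
# and write the server's leaf certificate to $3. Returns 1 if nothing was received.
fetch_ldap_cert() {
    host="$1"; port="${2:-389}"; out="$3"
    # </dev/null closes stdin so s_client exits right after the handshake.
    # -servername sends SNI, which multi-name servers need to pick the right cert.
    openssl s_client -connect "$host:$port" -starttls ldap -showcerts \
        -servername "$host" </dev/null 2>/dev/null | extract_leaf_cert >"$out"
    if [ ! -s "$out" ]; then
        echo "no certificate received from $host:$port (is StartTLS enabled?)" >&2
        return 1
    fi
    # Print subject, validity and SHA-256 fingerprint so the result can be compared
    # with what the directory administrator published before it is trusted.
    openssl x509 -in "$out" -noout -subject -issuer -dates -fingerprint -sha256
}

# Usage (placeholders):
#   fetch_ldap_cert ldap.example.com 389 ldap-server.pem
#   keytool -importcert -alias ldap-server -file ldap-server.pem -keystore truststore.jks
```

Compare the printed fingerprint with the one the directory administrator published before importing the file; a mismatch means you are not talking to the server you think you are.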