how can I use openssl to download my ldap cert over port 389 instead of 636 (TLS)?

openssl openldap

I've used to use the following command to download my server SSL certs from LDAP in order to add them to tomcat/java keystores:

openssl s_client -connect 10.140.136.192:636

Since LDAP SSL (port 636) has been deprecated, I don't have port 636 available anymore. I've tried to find various incantations for openssl s_client such as -starttls and -tls1_2 however none of them produce the certificate. What is the magic word to do this?


OpenSSL supports starttls for a number of protocols with s_client:

-starttls protocol
send the protocol-specific message(s) to switch to TLS for communication. protocol is a keyword for the intended protocol. Currently, the only supported keywords are "smtp", "pop3", "imap", and "ftp".

which would allow you to easily retrieve the public certificate but LDAP isn't one them, unfortunately.

Since the upgrade to TLS is protocol specific you need a tool that understands the protocol. That rules out OpenSSL.

I don't have a directory at hand but wouldn't the verbose ldapsearch -Z -v -H ldap://ldap.example.com:389 ... display the certificate as part of the debugging info?
A quick search shows that Apache Directory studio will display the certificate too.

Update:

Openssl 1.1.1 included a patch to add LDAP support (RFC 4511) to s_client and -starttls ldap is now supported. RHEL/CentOS 7 versions of openssl appear to have backported that update (and others) to the openssl 1.0.2k package they ship, as the manual now has 8 additional starttls protocols:

-starttls protocol
send the protocol-specific message(s) to switch to TLS for communication. protocol is a keyword for the intended protocol. Currently, the only supported keywords are smtp, pop3, imap, ftp, xmpp, xmpp-server, irc, postgres, lmtp, nntp, sieve and ldap.

Related

Unstable 10Gb copper links, Broadcom and Intel cards to Cisco 4900M switches
Should i disable DNS recursion?
On FreeNas what is the difference between the "Permission Type" and the "Share Type" setting?
What is reasonable storage failover time that most OS (VM) can tolerate?
Can clang format add braces to single line if statements etc
When to use a react framework such as Next or Gatsby vs Create React App [closed]
How to correctly read an Interlocked.Increment'ed int field?
Resharper: Implicitly captured closure: this
Docker on CentOS 7.2: kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1
Is there a way to give promo/coupon codes for people to download your app for free?
fgetcsv fails to read line ending in mac formatted csv file, any better solution?
Why do weird things in font color attribute produce real colors? [duplicate]