HI

We are using Openldap 2.4.33 (Linux 64 bit  built with RSA MES 3.2.4.3 ) in our application for LDAP synchronization.
We have a customer case where the customer is using a certificate chain. They have converted the root and intermediate certificates into pem and are using the pem to connect to the lDAP server.
We are getting the below error :

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 process tls extension
TLS trace: SSL_connect:SSL3 post/by-pass tls extension processing
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS certificate verification: depth: 0, err: 0, subject: /CN=ITSUSRANADC55.na.jnj.com, issuer: /DC=com/DC=jnj/CN=JNJ Internal Online CA C2
TLS certificate verification: depth: 1, err: 0, subject: /DC=com/DC=jnj/CN=JNJ Internal Online CA C2, issuer: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
TLS certificate verification: depth: 2, err: 0, subject: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority, issuer: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
TLS trace: SSL3 alert write:fatal:certificate unknown
TLS trace: SSL_connect:error in SSL3 certificate verify A
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (ok).
After Calling ldap_int_open_connection rc = 0
LDAP_SERVER_DOWN

The same certificate (pem) connects perfectly with openssl commands.

[dmfs4adm@itsusral00157 ldapdb]$ openssl s_client -CAfile /dmfs4/apps/documentum/dba/secure/ldapdb/INT-PROD-Root-Intermedia_0320.pem -connect ITSUSRANADC41.na.j nj.com:3269
CONNECTED(00000003)
depth=2 DC = COM, DC = JNJ, CN = JNJ Internal Root Certification Authority
verify return:1
depth=1 DC = com, DC = jnj, CN = JNJ Internal Online CA A2
verify return:1
depth=0 CN = ITSUSRANADC41.na.jnj.com
verify return:1
-
Certificate chain
0 s:/CN=ITSUSRANADC41.na.jnj.com
i:/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
1 s:/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
i:/DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
-
Server certificate
----BEGIN CERTIFICATE----
MIIG0zCCBbugAwIBAgIKNPjZjAAAANPqDjANBgkqhkiG9w0BAQUFADBOMRMwEQYK
CZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDam5qMSIwIAYDVQQDExlK
TkogSW50ZXJuYWwgT25saW5lIENBIEEyMB4XDTE2MDkwNjIzMTI0M1oXDTE3MDkw
NjIzMTI0M1owIzEhMB8GA1UEAxMYSVRTVVNSQU5BREM0MS5uYS5qbmouY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlmJd7MNGtotF5zXbWJdSaezG
LDk1ty98yceBIDz6P1JIYAP84QtEMA+xO3GW7Y+oPjBtMjoEd7P1gLmCVxC9zf69
GNOgYjMsjo4QbynPcgcxMGnpwj8yHQVPLkRe7Do2qpfDz3jhVRT7cJ+u3xu+z66x
/JbhCrySeekqL9O6O96YpqMFi+897Lgg9QPphjgrvrD5VmxHfH0V7p7sc/DcIufJ
Ifjj7DGotaffcc90VZxj+vQd1iO5AchaDkIUiPLES9AsbcXei8Fau6pcFKpQBh5l
fynm73EU01FP+RN//6WpyoIVXVc5uTE9ua7q+O2nGb46FnKlegGpI3iJCh5NJwID
AQABo4ID3DCCA9gwOwYJKwYBBAGCNxUHBC4wLAYkKwYBBAGCNxUIgtGfI5rtGIad
nTSHnpIqh8HUUmmEo+JQuZUUAgFkAgEFMDMGA1UdJQQsMCoGCCsGAQUFCAICBgor
BgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMBgG
A1UdIAQRMA8wDQYLYIZIAYb4AgMCAQowQQYJKwYBBAGCNxUKBDQwMjAKBggrBgEF
BQgCAjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMIGjBgNV
HREEgZswgZiCGElUU1VTUkFOQURDNDEubmEuam5qLmNvbYIKbmEuam5qLmNvbYIN
bmFkaXIuam5qLmNvbYITbmFsZWdhY3lkaXIuam5qLmNvbYITbmFuZXh0b3NkaXIu
am5qLmNvbYIQbmFpY2VkaXIuam5qLmNvbYIUbmFzcGVjaWFsZGlyLmpuai5jb22C
D25hZndkaXIuam5qLmNvbTAdBgNVHQ4EFgQU11fVbuyGZpo8ApfMelvW1TFrH3ow
HwYDVR0jBBgwFoAUhlNccpOupTSpisgGUUr+XzVQOeEwggEJBgNVHR8EggEAMIH9
MIH6oIH3oIH0hoHKbGRhcDovLy9DTj1KTkolMjBJbnRlcm5hbCUyME9ubGluZSUy
MENBJTIwQTIsQ049SVRTVVNSQUpOSkNBMyxDTj1DRFAsQ049UHVibGljJTIwS2V5
JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1qbmos
REM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFz
cz1jUkxEaXN0cmlidXRpb25Qb2ludIYlaHR0cDovL2ludHByb2Rjcmwuam5qLmNv
bS9pbnRjYWEyLmNybDCCAQIGCCsGAQUFBwEBBIH1MIHyMIG8BggrBgEFBQcwAoaB
r2xkYXA6Ly8vQ049Sk5KJTIwSW50ZXJuYWwlMjBPbmxpbmUlMjBDQSUyMEEyLENO
PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1D
b25maWd1cmF0aW9uLERDPWpuaixEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i
amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwMQYIKwYBBQUHMAKGJWh0
dHA6Ly9pbnRwcm9kcGtpLmpuai5jb20vaW50Y2FhMi5wN2MwDQYJKoZIhvcNAQEF
BQADggEBAE1hMzal6XiA0Rz1zsTlqAvZiXJg9urK/FcoeL4kiSGCVXQFPYZPRRG7
cwVBTkqABfNvTr2L7WTr2wqZL25HjY4hphK97I4BvCydpQLCEYPiSatY8kFN8Mpu
rDTqNlzTEKt7qId9yDrsKmOI+Gs3hHrWPri1fdOeSlkwIUN5gKCwdH/h44LYU8Z5
4tSjWAkh0hkOU0pija45i7tkBzTholXoOEmAmv7G9UlhLuk950yLzu58yW4aBda1
rev0YtUsKjpfSbTWRwcxeYhspcEq2oGYsWD47wLxQJXHUiRWcXyYuOKiQiu4gjZ7
hS9/xvPvJ3zvxHoI7qF4A8VBgF8c4lQ=
----END CERTIFICATE----
subject=/CN=ITSUSRANADC41.na.jnj.com
issuer=/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
-
Acceptable client certificate CA names
/CN=ITSUSRANADC41.na.jnj.com
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Roo t
/C=US/O=JNJ/OU=JNJ Public Key Authorities/CN=JNJ 2048bit Root Certification Auth ority
/C=US/O=JNJ/OU=JNJ Public Key Authorities/CN=JNJ Root Certification Authority
/DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - Fo r authorized use only/CN=VeriSign Universal Root Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - Fo r authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU =(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certific ate Authority 2011
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Glob al Root
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certific ate Authority 2010
/O=Symantec Corporation/CN=Symantec Root CA
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Roo t Authority
/C=US/O=Symantec Corporation/CN=Symantec Root 2005 CA
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
-
SSL handshake has read 5700 bytes and written 619 bytes
-
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA256
Session-ID: 743C00003D9B50EAA53C45E670C3E9682DBE86BA873CEA5B35BFB16B7CE5A625
Session-ID-ctx:
Master-Key: 0DB1DB6C4E9B3BE57E6E3A38B3A68EACAF96A78650EA978B4A8860B35BBDCCB4 61DA777F8C0D83ED53CCFE82748D3F86
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1490103903
Timeout : 300 (sec)
Verify return code: 0 (ok)
-



Could you let us know what we could be missing here?

The pem contains certificates JNJ Internal Root Certification Authority and CN=JNJ Internal Online CA C2 .Are we missing  anything here?
Any help would be greatly appreciated.

Thanks
Anitha

published 8626
marked public

--On Thursday, March 30, 2017 10:14 AM +0000 anitha.seshadri@emc.com wrote:

> Could you let us know what we could be missing here?

Hello Anitha,

It is clearly noted on the ITS submission page that the ITS system is for 
bug reports only.  It is not meant for configuration and usage questions, 
such as what you have filed.  The proper forum for configuration/usage 
questions is the openldap-technical list:

<http://www.openldap.org/lists/mm/listinfo/openldap-technical>

I would additionally note that OpenLDAP 2.4.33 is closing in on 5 years 
old.  I would strongly advise upgrading.  In addition, you may wish to read 
over the documentation on certificates: 
<http://www.openldap.org/doc/admin24/tls.html>

This ITS will be closed.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

not a bug report

changed notes
changed state Open to Closed