Full_Name: Anitha Seshadri
Version: 2.4.33
OS: Linux 64 bit
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (168.159.160.203)

We are using OpenLDAP 2.4.33 in our application for LDAP synchronization. We have a customer case where the customer is using a certificate chain. They have converted the root and intermediate certificates into PEM and are using the PEM to connect to the LDAP server. We are getting the below error:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 process tls extension
TLS trace: SSL_connect:SSL3 post/by-pass tls extension processing
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS certificate verification: depth: 0, err: 0, subject: /CN=ITSUSRANADC55.na.jnj.com, issuer: /DC=com/DC=jnj/CN=JNJ Internal Online CA C2
TLS certificate verification: depth: 1, err: 0, subject: /DC=com/DC=jnj/CN=JNJ Internal Online CA C2, issuer: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
TLS certificate verification: depth: 2, err: 0, subject: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority, issuer: /DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
TLS trace: SSL3 alert write:fatal:certificate unknown
TLS trace: SSL_connect:error in SSL3 certificate verify A
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (ok).
After Calling ldap_int_open_connection rc = 0
LDAP_SERVER_DOWN

The same certificate (PEM) connects perfectly with openssl commands.

[dmfs4adm@itsusral00157 ldapdb]$ openssl s_client -CAfile /dmfs4/apps/documentum/dba/secure/ldapdb/INT-PROD-Root-Intermedia_0320.pem -connect ITSUSRANADC41.na.jnj.com:3269
CONNECTED(00000003)
depth=2 DC = COM, DC = JNJ, CN = JNJ Internal Root Certification Authority
verify return:1
depth=1 DC = com, DC = jnj, CN = JNJ Internal Online CA A2
verify return:1
depth=0 CN = ITSUSRANADC41.na.jnj.com
verify return:1
---
Certificate chain
 0 s:/CN=ITSUSRANADC41.na.jnj.com
   i:/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
 1 s:/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
   i:/DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIG0zCCBbugAwIBAgIKNPjZjAAAANPqDjANBgkqhkiG9w0BAQUFADBOMRMwEQYK
CZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDam5qMSIwIAYDVQQDExlK
TkogSW50ZXJuYWwgT25saW5lIENBIEEyMB4XDTE2MDkwNjIzMTI0M1oXDTE3MDkw
NjIzMTI0M1owIzEhMB8GA1UEAxMYSVRTVVNSQU5BREM0MS5uYS5qbmouY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlmJd7MNGtotF5zXbWJdSaezG
LDk1ty98yceBIDz6P1JIYAP84QtEMA+xO3GW7Y+oPjBtMjoEd7P1gLmCVxC9zf69
GNOgYjMsjo4QbynPcgcxMGnpwj8yHQVPLkRe7Do2qpfDz3jhVRT7cJ+u3xu+z66x
/JbhCrySeekqL9O6O96YpqMFi+897Lgg9QPphjgrvrD5VmxHfH0V7p7sc/DcIufJ
Ifjj7DGotaffcc90VZxj+vQd1iO5AchaDkIUiPLES9AsbcXei8Fau6pcFKpQBh5l
fynm73EU01FP+RN//6WpyoIVXVc5uTE9ua7q+O2nGb46FnKlegGpI3iJCh5NJwID
AQABo4ID3DCCA9gwOwYJKwYBBAGCNxUHBC4wLAYkKwYBBAGCNxUIgtGfI5rtGIad
nTSHnpIqh8HUUmmEo+JQuZUUAgFkAgEFMDMGA1UdJQQsMCoGCCsGAQUFCAICBgor
BgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMBgG
A1UdIAQRMA8wDQYLYIZIAYb4AgMCAQowQQYJKwYBBAGCNxUKBDQwMjAKBggrBgEF
BQgCAjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMIGjBgNV
HREEgZswgZiCGElUU1VTUkFOQURDNDEubmEuam5qLmNvbYIKbmEuam5qLmNvbYIN
bmFkaXIuam5qLmNvbYITbmFsZWdhY3lkaXIuam5qLmNvbYITbmFuZXh0b3NkaXIu
am5qLmNvbYIQbmFpY2VkaXIuam5qLmNvbYIUbmFzcGVjaWFsZGlyLmpuai5jb22C
D25hZndkaXIuam5qLmNvbTAdBgNVHQ4EFgQU11fVbuyGZpo8ApfMelvW1TFrH3ow
HwYDVR0jBBgwFoAUhlNccpOupTSpisgGUUr+XzVQOeEwggEJBgNVHR8EggEAMIH9
MIH6oIH3oIH0hoHKbGRhcDovLy9DTj1KTkolMjBJbnRlcm5hbCUyME9ubGluZSUy
MENBJTIwQTIsQ049SVRTVVNSQUpOSkNBMyxDTj1DRFAsQ049UHVibGljJTIwS2V5
JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1qbmos
REM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFz
cz1jUkxEaXN0cmlidXRpb25Qb2ludIYlaHR0cDovL2ludHByb2Rjcmwuam5qLmNv
bS9pbnRjYWEyLmNybDCCAQIGCCsGAQUFBwEBBIH1MIHyMIG8BggrBgEFBQcwAoaB
r2xkYXA6Ly8vQ049Sk5KJTIwSW50ZXJuYWwlMjBPbmxpbmUlMjBDQSUyMEEyLENO
PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1D
b25maWd1cmF0aW9uLERDPWpuaixEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i
amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwMQYIKwYBBQUHMAKGJWh0
dHA6Ly9pbnRwcm9kcGtpLmpuai5jb20vaW50Y2FhMi5wN2MwDQYJKoZIhvcNAQEF
BQADggEBAE1hMzal6XiA0Rz1zsTlqAvZiXJg9urK/FcoeL4kiSGCVXQFPYZPRRG7
cwVBTkqABfNvTr2L7WTr2wqZL25HjY4hphK97I4BvCydpQLCEYPiSatY8kFN8Mpu
rDTqNlzTEKt7qId9yDrsKmOI+Gs3hHrWPri1fdOeSlkwIUN5gKCwdH/h44LYU8Z5
4tSjWAkh0hkOU0pija45i7tkBzTholXoOEmAmv7G9UlhLuk950yLzu58yW4aBda1
rev0YtUsKjpfSbTWRwcxeYhspcEq2oGYsWD47wLxQJXHUiRWcXyYuOKiQiu4gjZ7
hS9/xvPvJ3zvxHoI7qF4A8VBgF8c4lQ=
-----END CERTIFICATE-----
subject=/CN=ITSUSRANADC41.na.jnj.com
issuer=/DC=com/DC=jnj/CN=JNJ Internal Online CA A2
---
Acceptable client certificate CA names
/CN=ITSUSRANADC41.na.jnj.com
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=US/O=JNJ/OU=JNJ Public Key Authorities/CN=JNJ 2048bit Root Certification Authority
/C=US/O=JNJ/OU=JNJ Public Key Authorities/CN=JNJ Root Certification Authority
/DC=COM/DC=JNJ/CN=JNJ Internal Root Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
/O=Symantec Corporation/CN=Symantec Root CA
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/C=US/O=Symantec Corporation/CN=Symantec Root 2005 CA
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 5700 bytes and written 619 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID: 743C00003D9B50EAA53C45E670C3E9682DBE86BA873CEA5B35BFB16B7CE5A625
    Session-ID-ctx:
    Master-Key: 0DB1DB6C4E9B3BE57E6E3A38B3A68EACAF96A78650EA978B4A8860B35BBDCCB461DA777F8C0D83ED53CCFE82748D3F86
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1490103903
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Could you let us know what we could be missing here? The PEM contains the certificates JNJ Internal Root Certification Authority and CN=JNJ Internal Online CA C2. Are we missing anything here? Any help would be greatly appreciated.

Thanks
Anitha
Hi,

We are using OpenLDAP 2.4.33 (Linux 64 bit, built with RSA MES 3.2.4.3) in our application for LDAP synchronization. We have a customer case where the customer is using a certificate chain. They have converted the root and intermediate certificates into PEM and are using the PEM to connect to the LDAP server. We are getting the below error:

(The TLS trace and the openssl s_client output that followed are the same as in the submission above.)

Could you let us know what we could be missing here? The PEM contains the certificates JNJ Internal Root Certification Authority and CN=JNJ Internal Online CA C2. Are we missing anything here? Any help would be greatly appreciated.

Thanks
Anitha
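Two details in the report are worth checking before anything else, and neither needs the customer's PKI to reproduce. First, the failing OpenLDAP trace is against ITSUSRANADC55 (issued by "JNJ Internal Online CA C2"), while the s_client check that succeeds is against ITSUSRANADC41 (issued by "JNJ Internal Online CA A2"), so the two commands never exercised the same chain. Second, the usual way of inspecting a PEM bundle, `openssl x509 -in bundle.pem -noout -subject`, only reads the first certificate, so a bundle that is missing the intermediate the server actually chains to looks fine at a glance. The script below is an added example, not code from the ITS report or from OpenLDAP: it builds a throwaway root -> intermediate -> server chain with the openssl CLI, lists every subject in a bundle, and shows how `openssl verify` answers when the bundle holds root plus intermediate, root only, and root only with the intermediate supplied separately (which is what a server that sends its intermediate in the handshake looks like to the client). All names (example.test, the CA CNs, the file names) are made up; it assumes openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example (not from the ITS report or OpenLDAP): build a test chain and
# check a CA bundle against the server certificate the way a TLS client would.
# Assumes openssl 1.1.1 or 3.x on PATH. All names below are invented.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF

# gen_csr NAME SUBJECT: fresh RSA key and CSR for NAME.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" -config "$WORK/req.cnf" >/dev/null 2>&1
}

# sign NAME EXT_SECTION ISSUER: sign NAME's CSR; empty ISSUER means self-signed.
sign() {
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/req.cnf" -extensions "$2" -out "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 30 -extfile "$WORK/req.cnf" -extensions "$2" \
      -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

# build_chain: root -> intermediate -> server cert, plus two candidate bundles.
build_chain() {
  gen_csr root  "/DC=test/DC=example/CN=Example Internal Root CA"   && sign root  ca_ext ""
  gen_csr inter "/DC=test/DC=example/CN=Example Internal Online CA" && sign inter ca_ext root
  gen_csr leaf  "/CN=ldap.example.test"                              && sign leaf  leaf_ext inter
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/root-and-intermediate.pem"
  cp  "$WORK/root.pem" "$WORK/root-only.pem"
}

# list_bundle_subjects FILE: subject of every certificate in a PEM bundle,
# one per line (openssl x509 alone would show only the first certificate).
list_bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | sed -n 's/^subject=//p'
}

# verify_leaf BUNDLE [UNTRUSTED]: exit status of openssl verify for the server
# certificate, including the host-name check an LDAP client also performs.
# The optional second file models the intermediate a server sends in the
# handshake, which openssl treats as untrusted chain material, not as a CA.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname ldap.example.test \
      "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -verify_hostname ldap.example.test \
      "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

build_chain
echo "Certificates in root-and-intermediate.pem:"
list_bundle_subjects "$WORK/root-and-intermediate.pem"
for b in root-and-intermediate root-only; do
  if verify_leaf "$WORK/$b.pem"; then
    echo "$b.pem: server certificate verifies"
  else
    echo "$b.pem: server certificate does NOT verify (issuer not in bundle)"
  fi
done
if verify_leaf "$WORK/root-only.pem" "$WORK/inter.pem"; then
  echo "root-only.pem plus intermediate sent by the peer: server certificate verifies"
fi
```

Run the same two checks against the real bundle and the real host: `list_bundle_subjects` on the customer's PEM must show the issuer named at depth 1 of the failing trace (here "JNJ Internal Online CA C2"), and the s_client test should be pointed at the host the LDAP client is actually failing against, not a sibling domain controller. For the OpenLDAP side, `LDAPTLS_CACERT=/path/to/bundle.pem ldapsearch -H ldaps://host:3269 -x -s base -b '' -d 1` exercises the library's own verification with the same file, which is closer to what the application does than s_client is.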
published 8626 marked public
--On Thursday, March 30, 2017 10:14 AM +0000 anitha.seshadri@emc.com wrote:

> Could you let us know what we could be missing here?

Hello Anitha,

It is clearly noted on the ITS submission page that the ITS system is for bug reports only. It is not meant for configuration and usage questions, such as what you have filed. The proper forum for configuration/usage questions is the openldap-technical list:

<http://www.openldap.org/lists/mm/listinfo/openldap-technical>

I would additionally note that OpenLDAP 2.4.33 is closing in on 5 years old. I would strongly advise upgrading.

In addition, you may wish to read over the documentation on certificates:

<http://www.openldap.org/doc/admin24/tls.html>

This ITS will be closed.

Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
not a bug report
changed notes changed state Open to Closed