
Re: (ITS#4144) Strange problem in client libs with SSL connect



Hmmm. I can finally reproduce your "strange #1" log with OpenLDAP software.

$ ldapsearch -x -H "ldaps://ldap.nbcs.rutgers.edu/" -b "dc=rutgers,dc=edu" -d -1
ldap_create
ldap_url_parse_ext(ldaps://ldap.nbcs.rutgers.edu/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.nbcs.rutgers.edu:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 128.6.72.241:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_perror
ldap_bind: Can't contact LDAP server (-1)


To get the above trace, I commented out both TLS_CACERT and TLS_CACERTDIR.
(I never saw it before because I usually used StartTLS, which does not
look the same.) I'd check the CA option processing. OpenLDAP's debug
options don't really show the client parsing of ldap.conf nor CAs (as you
can see above), so some quality time with a debugger or truss/{s,l}trace
might be in order.

I might also try for workarounds. For instance, I'd try putting both your
intermediate and final certs into a file and configuring it as your
TLS_CACERT; e.g., there might just be a bug with CACERTDIR processing. Not
that that shouldn't be tracked down, but at least that could get things
working in the meantime. And as you point out, there might be something
with the X.509 extensions you have. I recognize that you wouldn't want to
share your certs with the world, but if you could come up with certs or
instructions for the ever-popular Snake Oil Authority to issue the same
extensions/intermediate chain/etc., that could be a good thing.
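A helper for the TLS_CACERT workaround described above, added here as an example and not part of the original message or of OpenLDAP: it collects the intermediate and root certificates found under a TLS_CACERTDIR into one bundle file (dropping duplicates and any key or CRL blocks) and reports whether the directory holds the hashed entries that OpenSSL's directory lookup requires. The function names and the sample PEM strings are constructed for the example.

```python
import os
import re

# One PEM block: the type label must match between BEGIN and END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
# OpenSSL looks certificates up in a TLS_CACERTDIR by hashed name such as
# 2e5ac55d.0 (created with c_rehash); a directory holding only ca.pem-style
# names is silently useless, which looks just like the failed connect above.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

# Constructed sample input (not real certificates): an intermediate, a root
# and a private key, with the intermediate repeated under different wrapping.
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIBinter\nmediateAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_INTERMEDIATE_REWRAPPED = "-----BEGIN CERTIFICATE-----\nMIIBintermediateAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_ROOT = "-----BEGIN CERTIFICATE-----\nMIIBrootAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEkeyAAAA\n-----END RSA PRIVATE KEY-----\n"


def extract_certs(pem_text):
    """Return the base64 bodies of CERTIFICATE blocks, whitespace-normalised."""
    return ["".join(body.split()) for kind, body in PEM_BLOCK.findall(pem_text)
            if kind == "CERTIFICATE"]  # keys and CRLs do not belong in a CA bundle


def build_bundle(pem_texts):
    """Concatenate the unique certificates found in pem_texts into one PEM string."""
    seen, out = set(), []
    for body in (b for text in pem_texts for b in extract_certs(text)):
        if body in seen:
            continue
        seen.add(body)
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        out.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return "".join(out)


def hashed_entries(names):
    """Directory entries that OpenSSL's hashed lookup can actually find."""
    return sorted(n for n in names if HASHED_NAME.match(n))


def bundle_from_dir(cacertdir, bundle_path):
    """Write every certificate under cacertdir to bundle_path; return the count."""
    texts = []
    for name in sorted(os.listdir(cacertdir)):
        with open(os.path.join(cacertdir, name), errors="ignore") as fh:
            texts.append(fh.read())
    bundle = build_bundle(texts)
    with open(bundle_path, "w") as fh:
        fh.write(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")
```

Point ldap.conf at the written bundle with TLS_CACERT and comment out TLS_CACERTDIR to try the workaround; if hashed_entries() is empty for the directory, that alone explains why the directory form was not working.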