
Re: TLSVerifyClient no
At 03:34 PM 8/30/00 -0700, Kurt D. Zeilenga wrote:
>Can someone enlighten me on how to get SLAPD not to
>require a client certificate?  TLSVerifyClient no/yes
>appears not to matter...

Additional info...

A StartTLS request (ldapsearch -ZZ) results in the following
server log:

do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
daemon: select: listen=8 active_threads=1 tvp=NULL
daemon: select: listen=9 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:956
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10

where ldapsearch -x -H ldaps://ldap results in:

daemon: activity on 1 descriptors
daemon: new connection on 10
daemon: added 10r
daemon: activity on:
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
ber_get_next
ber_get_next on fd 10 failed errno=34 (Result too large)
connection_read(10): input error=-2 id=2, closing.
connection_closing: readying conn=2 sd=10 for close
connection_close: conn=2 sd=10
daemon: removing 10
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL

NO TLS! I assume the client didn't connect on the
right port (this is obviously a bug)

And:
% openssl s_client -connect ldap.openldap.org:636
CONNECTED(00000003)
depth=0 /C=US/O=OpenLDAP Project/CN=www.openldap.org/Email=dirman@www.openldap.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/O=OpenLDAP Project/CN=www.openldap.org/Email=dirman@www.openldap.org
verify return:1
---
Certificate chain
 0 s:/C=US/O=OpenLDAP Project/CN=www.openldap.org/Email=dirman@www.openldap.org
   i:/C=US/O=OpenLDAP Project/CN=www.openldap.org/Email=dirman@www.openldap.org
---
Server certificate
subject=/C=US/O=OpenLDAP Project/CN=www.openldap.org/Email=dirman@www.openldap.org
issuer=/C=US/O=OpenLDAP Project/CN=www.openldap.org/Email=dirman@www.openldap.org
---
No client certificate CA names sent
---
SSL handshake has read 956 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: CA347F51BB973DDC3A44F3DDD4D0EE95A8F674F573CA3EA47A122CC56B0C1E2E
    Session-ID-ctx: 
    Master-Key: 817C616F144C226A2CA2BBFDCA6FAB98BEFBA4E9C6E149C25362877D3AFABE084130FF1A5E114D75CA79F3C76F648D1E
    Key-Arg   : None
    Start Time: 967743431
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^D
DONE

daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=4
connection_read(10): checking for input on id=4
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=4
connection_read(10): checking for input on id=4
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
connection_read(10): input error=-2 id=4, closing.
connection_closing: readying conn=4 sd=10 for close
connection_close: conn=4 sd=10
daemon: removing 10
TLS trace: SSL3 alert write:warning:close notify
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
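As an added diagnostic example (not part of Kurt's message or of OpenLDAP's code): in the ldaps:// log above, slapd's BER reader fails on the very first bytes of the connection and no TLS trace appears, which is what happens when a client and a listener disagree about whether the port speaks TLS. The snippet below classifies the first bytes received on a listener as an LDAPMessage, a TLS (or SSLv2-compatible) client hello, or neither; the sample byte strings are constructed, and the function names are my own.

```python
"""Classify the first bytes read on an LDAP listener: LDAP BER, TLS, or unknown."""

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
BER_SEQUENCE = 0x30    # every LDAPMessage is a BER SEQUENCE
BER_INTEGER = 0x02     # ... whose first element is the INTEGER messageID

def ber_length(buf, pos):
    """Decode a BER length starting at buf[pos]; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                       # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                       # long form: n further length bytes
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None                        # indefinite or oversized: not valid LDAP
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify(buf):
    """Return (kind, reason) where kind is 'tls', 'ldap' or 'unknown'."""
    if not buf:
        return "unknown", "empty"
    # TLS record header: type 0x16, version 3.x, 2-byte length
    if len(buf) >= 5 and buf[0] == TLS_HANDSHAKE and buf[1] == 0x03 and buf[2] <= 0x04:
        rec_len = int.from_bytes(buf[3:5], "big")
        return "tls", f"TLS handshake record, version 3.{buf[2]}, {rec_len} bytes"
    # SSLv2-compatible ClientHello (older OpenSSL clients): MSB-set 2-byte length, msg type 1
    if len(buf) >= 3 and buf[0] & 0x80 and buf[2] == 0x01:
        rec_len = ((buf[0] & 0x7F) << 8) | buf[1]
        return "tls", f"SSLv2-compatible client hello, {rec_len} bytes"
    if buf[0] == BER_SEQUENCE:
        decoded = ber_length(buf, 1)
        if decoded is None:
            return "unknown", "SEQUENCE tag with undecodable length"
        length, body = decoded
        if body < len(buf) and buf[body] == BER_INTEGER:
            return "ldap", f"LDAPMessage of {length} bytes"
        return "unknown", "SEQUENCE not followed by INTEGER messageID"
    return "unknown", f"first byte 0x{buf[0]:02x}"

# Constructed samples: an anonymous LDAPv3 bind request, a TLS 1.0 ClientHello
# record header, and an SSLv2-compatible hello header.
LDAP_BIND = bytes.fromhex("300c020101600702010304008000")
TLS_HELLO = bytes.fromhex("160301002f0100002b0303")
SSLV2_HELLO = bytes.fromhex("802e010301")

if __name__ == "__main__":
    for name, sample in (("ldap", LDAP_BIND), ("tls", TLS_HELLO), ("sslv2", SSLV2_HELLO)):
        print(name, classify(sample))
```

Run against the first bytes peeked from an accepted socket (for example `sock.recv(16, socket.MSG_PEEK)`), the "tls" result on a plain ldap:// listener is the signature of a client that expected ldaps:// on that port.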