
TLS/SSL problems



SSL doesn't work. TLS appears to (via the -ZZ option for ldap*).

I've compiled OpenLDAP with OpenSSL and SASL support.

I run the following command to add the key and to self-sign it.

openssl req -new -x509 -nodes -out tomas_mvista_com.pem \
    -keyout tomas_mvista_com.pem -days 999999

I add the following config options to (the global section of) slapd.conf
and restart slapd with the "-h ldap:/// ldaps:///" option. First off, is
there a slapd.conf directive I can use to allow LDAPS to run, instead of
passing the command line argument?

TLSCertificateFile    /usr/local/openldap/etc/openldap/tomas_mvista_com.pem
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/tomas_mvista_com.pem
TLSCACertificateFile  /usr/local/openldap/etc/openldap/tomas_mvista_com.pem

Secondly, when I attempt to connect via anything, whether Outlook
Express, Netscape Communicator, or ldapsearch with the
"-H ldaps:///" option, it gives me an error (usually an unknown error
"0xFFFFFFFF"). I know Communicator needs to load the certificate if it's
self signed, so I go to https://host.com:636/, and go through the dialog
of accepting the cert. I then add the host to my Address Book, enable
SSL on the client, and try to connect. It gives an error such as "Failed
to bind to 'OpenLDAP Server' due to LDAP error 'Can't connect to
LDAP server' (0x5B)".

"ldapsearch -H ldaps://hostname/ -x" just gives me a segmentation
fault. This is what I do/get.

tomas:/etc/openldap # ldapsearch -H 'ldaps://tomas.mvista.com/' -x -d 257
ldap_create
ldap_url_parse(ldaps://tomas.mvista.com/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.154:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: tomas.mvista.com
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, subject:
/C=US/ST=California/L=Sunnyvale/O=MontaVista Software,
Inc/CN=tomas.mvista.com/Email=it@mvista.com, issuer:
/C=US/ST=California/L=Sunnyvale/O=MontaVista Software,
Inc/CN=tomas.mvista.com/Email=it@mvista.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
Segmentation fault

On the server side, it simply looks like:

@(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jan  8 10:42:03 PST 2001) $
        root@test3:/usr/src/openldap-2.0.7/servers/slapd
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse(ldap:///)
daemon: socket() failed errno=97 (Address family not supported by
protocol)
daemon: initialized ldap:///
ldap_url_parse(ldaps:///)
daemon: socket() failed errno=97 (Address family not supported by
protocol)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting
daemon: conn=0 fd=10 connection from IP=10.0.0.154:2964 (IP=0.0.0.0:636)
accepted.
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
conn=-1 fd=10 closed
TLS trace: SSL3 alert write:warning:close notify

Any thoughts? Including a DN to bind to (with proper
authentication) doesn't help either. I also tend to get from Netscape
(when SSL is disabled) the "unknown error (0xFFFFFFFF)" when I sometimes
try to authenticate first. It's not 100%, and it seems random. It
perhaps happens when I switch from SSL to non-SSL without restarting
Netscape. Restarting seems to affect it as well (fix it, actually). Any
ideas on this?

I don't recall what Outlook does, but it's not productive either.

Anyone have ideas what I can do to check this more in depth? Such as
SSL tools to verify that the certificate is set up correctly, etc...

BTW, when replying, please reply to my "Reply-To" address
(tmaly@mvista.com). Thanks.
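Added example, not part of the original post and not OpenLDAP project code: the post asks for SSL tools to verify that the certificate is set up correctly. The POSIX shell functions below use the openssl command-line tool to check a combined key-and-certificate PEM bundle of the kind the TLSCertificateFile/TLSCertificateKeyFile/TLSCACertificateFile directives above point at (both PEM blocks present, key matches certificate, self-signature verifies, CN equals the host name), and to probe an ldaps:// listener the way an LDAP client does. They assume a modern openssl binary (the -servername and -nameopt options used here postdate the 0.9.6-era build in the post); host names, ports and file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenLDAP:
# sanity-check a slapd TLS PEM bundle and probe an ldaps:// listener
# with the openssl command-line tool. Assumes a modern openssl binary;
# host names, ports and file names are placeholders.
set -eu

# check_tls_bundle BUNDLE HOSTNAME
# Succeeds only if BUNDLE holds both a certificate and a private key,
# the key matches the certificate, the certificate is self-signed and
# its self-signature verifies, and the subject CN equals HOSTNAME.
# One line is printed per failed check so the broken step is obvious.
check_tls_bundle() {
    bundle=$1
    host=$2

    # 1. slapd loads cert and key from the same file here: both must exist.
    grep -q 'BEGIN CERTIFICATE' "$bundle" \
        || { echo "no certificate block in $bundle"; return 1; }
    grep -qE 'BEGIN (RSA |EC )?PRIVATE KEY' "$bundle" \
        || { echo "no private key block in $bundle"; return 1; }

    # 2. Key/certificate match: the public key derived from each must agree.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$bundle" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 1; }

    # 3. Self-signed: issuer equals subject, and the certificate verifies
    #    with itself as the only trust anchor (what TLSCACertificateFile
    #    pointing at the same PEM expresses).
    subj=$(openssl x509 -in "$bundle" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$bundle" -noout -issuer -nameopt RFC2253)
    [ "${subj#subject=}" = "${issuer#issuer=}" ] \
        || { echo "not self-signed: $issuer"; return 1; }
    openssl verify -CAfile "$bundle" "$bundle" >/dev/null 2>&1 \
        || { echo "self-signature does not verify"; return 1; }

    # 4. Name check: clients compare the CN (or a SAN) with the host they
    #    connected to, so a CN that is not the DNS name fails client-side.
    cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] \
        || { echo "subject CN is '$cn', expected '$host'"; return 1; }

    echo "$bundle: ok for $host"
}

# probe_ldaps HOSTNAME PORT CAFILE
# Complete a TLS handshake against HOSTNAME:PORT as an LDAP client would,
# trusting CAFILE (for a self-signed server cert, the server's own PEM),
# and report the presented subject and the verification result.
# Succeeds only when the server certificate verifies against CAFILE.
probe_ldaps() {
    host=$1
    port=$2
    cafile=$3
    # stdin closed so s_client exits right after the handshake
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$cafile" </dev/null 2>&1) || true
    printf '%s\n' "$out" \
        | sed -n 's/^subject=/server subject: /p; s/^ *Verify return code: /verify: /p'
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}
```

Run `check_tls_bundle /path/to/bundle.pem tomas.mvista.com` on the server and `probe_ldaps tomas.mvista.com 636 /path/to/bundle.pem` from a client host. A self-signed certificate only verifies when the same PEM is supplied as the CA file, so a probe that fails with a different CA file while succeeding with the bundle is a trust-store problem on the client, not a broken listener.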