
Re: TLS/SSL problems



I also tried using the /usr/lib/ssl/misc/CA.sh script to create the CA, the
request (with the '-nodes' option to hopefully keep it unencrypted), and
the certificate itself, with the same problem.

Tomas Maly wrote:

> SSL doesn't work. TLS appears to (via the -ZZ option for ldap*).
>
> I've compiled OpenLDAP with OpenSSL and SASL support.
>
> I run the following command to add the key and to self sign it.
>
> openssl req -new -x509 -nodes -out tomas_mvista_com.pem -keyout tomas_mvista_com.pem -days 999999
>
> I add the following config options to (the global section of) slapd.conf
> and restart slapd with the "-h ldap:/// ldaps:///" option. First off, is
> there a slapd.conf directive I can use to allow LDAPS to run, instead of
> passing the command line argument?
>
> TLSCertificateFile /usr/local/openldap/etc/openldap/tomas_mvista_com.pem
> TLSCertificateKeyFile /usr/local/openldap/etc/openldap/tomas_mvista_com.pem
> TLSCACertificateFile /usr/local/openldap/etc/openldap/tomas_mvista_com.pem
>
> Secondly, when I attempt to connect via anything, whether Outlook
> Express, Netscape Communicator, or ldapsearch with the
> "-H ldaps:///" option, it gives me an error (usually an unknown error
> "0xFFFFFFFF"). I know Communicator needs to load the certificate if it's
> self-signed, so I go to https://host.com:636/, and go through the dialog
> of accepting the cert. I then add the host to my Address Book, enable
> SSL on the client, and try to connect. It gives an error such as "Failed
> to bind to 'OpenLDAP Server' due to LDAP error 'Can't connect to
> LDAP server' (0x5B)".
>
> "ldapsearch -H ldaps://hostname/ -x" just gives me a segmentation
> fault. This is what I do/get.
>
> tomas:/etc/openldap # ldapsearch -H 'ldaps://tomas.mvista.com/' -x -d 257
> ldap_create
> ldap_url_parse(ldaps://tomas.mvista.com/)
> ldap_bind_s
> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 10.0.0.154:636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_int_sasl_open: tomas.mvista.com
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, subject:
> /C=US/ST=California/L=Sunnyvale/O=MontaVista Software,
> Inc/CN=tomas.mvista.com/Email=it@mvista.com, issuer:
> /C=US/ST=California/L=Sunnyvale/O=MontaVista Software,
> Inc/CN=tomas.mvista.com/Email=it@mvista.com
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> Segmentation fault
>
> On the server side, it simply looks like:
>
> @(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jan  8 10:42:03 PST 2001) $
>         root@test3:/usr/src/openldap-2.0.7/servers/slapd
> daemon_init: listen on ldap:///
> daemon_init: listen on ldaps:///
> daemon_init: 2 listeners to open...
> ldap_url_parse(ldap:///)
> daemon: socket() failed errno=97 (Address family not supported by
> protocol)
> daemon: initialized ldap:///
> ldap_url_parse(ldaps:///)
> daemon: socket() failed errno=97 (Address family not supported by
> protocol)
> daemon: initialized ldaps:///
> daemon_init: 2 listeners opened
> slapd init: initiated server.
> slap_sasl_init: initialized!
> slapd startup: initiated.
> slapd starting
> daemon: conn=0 fd=10 connection from IP=10.0.0.154:2964 (IP=0.0.0.0:636)
> accepted.
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> ber_get_next
> ber_get_next on fd 10 failed errno=0 (Success)
> connection_read(10): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=10 for close
> connection_close: conn=0 sd=10
> conn=-1 fd=10 closed
> TLS trace: SSL3 alert write:warning:close notify
>
> Any thoughts? Including a DN to bind to (with proper
> authentication) doesn't help either. I also tend to get from Netscape
> (when SSL is disabled) the "unknown error (0xFFFFFFFF)" when I sometimes
> try to authenticate first. It's not 100%, and it seems random. It
> perhaps happens when I switch from SSL to non-SSL without restarting
> Netscape. Restarting seems to affect it as well (fix it, actually). Any
> ideas on this?
>
> I don't recall what Outlook does, but it's not productive either.
>
> Does anyone have ideas what I can do to check this more in depth? Such as
> SSL tools to verify that the certificate is set up correctly, etc...
>
> BTW, when replying, please reply to my "Reply-To" address
> (tmaly@mvista.com). Thanks.
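The SSL checks the original post asks for, as an added shell example that is not part of this thread and is not OpenLDAP project code: it validates a combined cert+key PEM offline (the layout all three TLS* directives above point at) and probes the ldaps listener with openssl s_client. The sample certificate, its CN and the host name are constructed placeholders, and the openssl CLI is assumed to be on PATH.

```shell
# Added example, not from the thread. Offline checks on a combined cert+key
# PEM like the one slapd's TLS* directives point at, plus a TLS probe of
# the ldaps listener. Assumes the openssl CLI; host names are placeholders.

# Build a throwaway self-signed cert+key in one file (constructed sample).
# Key and cert go to separate files first and are then concatenated, so the
# result does not depend on how "openssl req" treats -keyout and -out
# naming the same file.
make_sample_pem() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=ldap.example.test" -keyout "$1.key" -out "$1.crt" 2>/dev/null &&
    cat "$1.key" "$1.crt" > "$1" && rm -f "$1.key" "$1.crt"
}

# Both blocks must be present, or slapd has nothing to serve or sign with.
pem_has_cert_and_key() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# The private key must belong to the certificate: compare public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# With TLSCACertificateFile set to the same file, the certificate must
# verify against itself, which only a genuinely self-signed cert does.
self_signed_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# An already expired certificate fails every client's verification.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run all offline checks; reports the first failing one and returns non-zero.
check_pem() {
    for chk in pem_has_cert_and_key key_matches_cert self_signed_verifies cert_not_expired; do
        "$chk" "$1" || { echo "FAIL: $chk $1" >&2; return 1; }
    done
    echo "OK: $1"
}

# Raw TLS handshake on port 636, trusting the same file the server uses.
# "Verify return code: 0 (ok)" means the TLS layer itself is fine.
probe_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}
```

Since both traces above show the handshake completing before ldapsearch dies, a clean probe_ldaps result would point at the client library rather than at the certificate file.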