Greetings all,
I have been doing a bit of experimenting and have come up with the following
regarding ldapsearch under openldap-2.0.11. It appears that there could be a
problem with the 2.0.11 ldapsearch binary when doing TLS queries. I ran the
following tests:

1. Patched open.c to stop core dumps over TLS on ldapsearch
2. Built and installed OpenLDAP-2.0.7 with TLS
3. Queried the server with the 2.0.7 ldapsearch binary
4. Received results back
5. Built OpenLDAP-2.0.11 with TLS (didn't install)
6. Ran ./clients/tools/ldapsearch in the 2.0.11 build over TLS against the running 2.0.7 slapd
7. Could not bind - connection_read(10): input error=-2 id=0, closing.
8. Also received 'TLS trace: SSL_accept:error in SSLv3 read client certificate A'
9. Installed OpenLDAP-2.0.11
10. Restarted slapd (this time, the 2.0.11 version)
11. Ran ldapsearch (2.0.11) over TLS against 2.0.11 slapd
12. Could not bind - connection_read(10): input error=-2 id=0, closing.

I then tried to connect to our Novell NDS, which is running LDAP over SSL,
and it could not bind. The 2.0.7 ldapsearch can bind to NDS over SSL
without any problems.
Here is the output of 2.0.11 slapd in -d-1 mode:
************************************************************************************
daemon: activity on 1 descriptors
daemon: new connection on 10
daemon: conn=10 fd=10 connection from IP=142.200.49.113:1888 (IP=0.0.0.0:31746) accepted.
daemon: added 10r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=10
connection_read(10): checking for input on id=10
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  [hex dump omitted]
tls_read: want=119, got=119
  [hex dump omitted]
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
tls_write: want=1024, written=1024
  [hex dump omitted]
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=107, written=107
  [hex dump omitted]
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=10
connection_read(10): checking for input on id=10
tls_read: want=5, got=5
  [hex dump omitted]
tls_read: want=134, got=134
  [hex dump omitted]
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
  [hex dump omitted]
tls_read: want=1, got=1
  [hex dump omitted]
tls_read: want=5, got=5
  [hex dump omitted]
tls_read: want=40, got=40
  [hex dump omitted]
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=51, written=51
  [hex dump omitted]
TLS trace: SSL_accept:SSLv3 flush data
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=10
connection_read(10): checking for input on id=10
ber_get_next
tls_read: want=5, got=0
ldap_read: want=1, got=0
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=10, closing.
connection_closing: readying conn=10 sd=10 for close
connection_close: conn=10 sd=10
daemon: removing 10
conn=-1 fd=10 closed
tls_write: want=29, written=29
  [hex dump omitted]
TLS trace: SSL3 alert write:warning:close notify
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
************************************************************************************
The most suspicious looking output is as follows:
************************************************************************************
connection_read(10): checking for input on id=10
ber_get_next
tls_read: want=5, got=0
ldap_read: want=1, got=0
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=10, closing.
************************************************************************************
It appears that it wants 5, but is getting 0 in the TLS read. I don't
know what this implies, except that it doesn't work.
Are there any fixes? Has anyone got ldapsearch under 2.0.11 to
actually work over SSL? I'm curious and hopeful about getting this issue
resolved.
Cheers,
Jason
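As an added illustration (not part of Jason's post or of OpenLDAP itself), the following script walks a slapd -d -1 TLS trace of the kind quoted above and separates the two read anomalies it contains: a `want=5 error=Resource temporarily unavailable` (EAGAIN on a non-blocking socket, after which the handshake visibly resumes) and the final `want=5, got=0`, where 5 is the size of a TLS record header and a read of 0 bytes means the peer closed the socket. The sample trace is constructed and abridged, with hex dumps left out.

```python
import re
from typing import List

# Constructed sample in the style of slapd -d -1 output; hex dumps omitted.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write server done A
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
tls_read: want=5, got=5
tls_read: want=134, got=134
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
ber_get_next
tls_read: want=5, got=0
ldap_read: want=1, got=0
ber_get_next on fd 10 failed errno=0 (Success)
"""

READ_OK = re.compile(r"tls_read: want=(\d+), got=(\d+)")
READ_ERR = re.compile(r"tls_read: want=(\d+) error=(.+)")
TRACE = re.compile(r"TLS trace: SSL_accept:(.+)")

def analyse(trace: str) -> List[str]:
    """Return findings for one connection's TLS trace, in log order."""
    findings = []
    handshake_done = False  # set once the server has sent its Finished
    for line in trace.splitlines():
        m = TRACE.match(line)
        if m:
            if m.group(1) == "SSLv3 write finished A":
                handshake_done = True
            continue
        m = READ_ERR.match(line)
        if m and "temporarily unavailable" in m.group(2):
            # EAGAIN: the next record has not arrived yet. The OpenSSL
            # "error in ... read client certificate A" line that follows is
            # the state machine waiting for input, not a failure.
            findings.append(f"want={m.group(1)} EAGAIN: peer data not yet arrived (benign)")
            continue
        m = READ_OK.match(line)
        if m and int(m.group(2)) == 0:
            # want=5 is a TLS record header; got=0 is EOF, i.e. the peer closed.
            when = "after" if handshake_done else "during"
            findings.append(f"want={m.group(1)} got=0: peer closed connection {when} TLS handshake")
    return findings
```

Run over the post's trace, the second finding is the relevant one: the handshake had completed on the server side, and the client hung up before sending any LDAP PDU, so the cause lies on the client side rather than in slapd's TLS setup.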