
TLS client issue



Hi there

I have 3 clients being served by one slapd. Two have no problem
connecting to ldaps://ldapserver ("soma" in my example), one does. Maybe
somebody has got a hint.
Client A (Java LDAP Browser/Editor 2.8.2) on Win has no problems, client
B (ldapsearch) on the same host as slapd has no problems either, client C
(ldapsearch, same version as client B) on the gateway has problems.
Without TLS everything works. Port 636 is reachable. The CN field of
the certificate has the FQDN of the LDAP server set. Slapd is version
2.0.23-14 (Debian/testing). As you can see in the logs, slapd cuts the
TCP connection when client C starts the SSL stuff. Where else can I look
for information?

Simon,
Needs help

Here are some outputs:
Client C (the problem-child):

nagasaki:~# ldapsearch -H ldaps://soma.loge-23.ilm/ -x -b "" -s base -d 9
ldap_create
ldap_url_parse_ext(ldaps://soma.loge-23.ilm/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: soma.loge-23.ilm
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.5.101:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=soma.loge-23.ilm
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: soma.loge-23.ilm  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Dec 19 19:13:16 2002

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next failed.
ldap_perror
ldap_bind: Can't contact LDAP server



The same on client B (same host as slapd; this one works; note the
"TLS trace" lines, which are missing in the output above):

soma:~# ldapsearch -H ldaps://soma.loge-23.ilm/ -x -b "" -s base -d 9
ldap_create
ldap_url_parse_ext(ldaps://soma.loge-23.ilm/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: soma.loge-23.ilm
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.5.101:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=soma.loge-23.ilm
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, subject: /C=DE/ST=Th\xFCringen/L=Ilmenau/O=nextwerk/OU=Loge-23/CN=soma.loge-23.ilm, issuer: /C=DE/ST=Th\xFCringen/L=Ilmenau/O=nextwerk/OU=Loge-23/CN=soma.loge-23.ilm
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: soma.loge-23.ilm  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Dec 19 19:11:11 2002

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

ldap_search_ext
put_filter "(objectclass=*)"
put_filter: simple
put_simple_filter "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 39 bytes to sd 3
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: soma.loge-23.ilm  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Dec 19 19:11:11 2002

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
ldap_read: message type search-entry msgid 2, original id 2
ldap_get_dn
ber_scanf fmt ({a) ber:
ldap_dn2ufn
ldap_explode_dn
ldap_explode_rdn
#
dn:
ber_scanf fmt ({xx) ber:
ldap_first_attribute
ber_scanf fmt ({xl{) ber:
ber_scanf fmt ({ax}) ber:
ldap_get_values_len
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([V]) ber:
objectClass: top
objectClass: OpenLDAProotDSE
ldap_next_attribute
ldap_msgfree
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: soma.loge-23.ilm  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Dec 19 19:11:11 2002

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type search-result msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1

# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 0 Success

# numResponses: 2
# numEntries: 1
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 3
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify



Some packet-sniffing (slapd cuts the connection):

soma:~# ssldump -r /home3/share/temp/LDAP-PAM-ssl-nagasaki-spt_dpt636.cap
New TCP connection #1: nagasaki.loge-23.ilm(4048) <-> soma.loge-23.ilm(636)
1    0.0113 (0.0113)  S>C  TCP FIN
1    0.0340 (0.0227)  C>S  TCP FIN

There is nothing interesting in slapd's logs when I search with
nagasaki:~# ldapsearch -H ldaps://soma.loge-23.ilm/ -x -b "" -s base -d 9

Dec 19 19:29:14 soma slapd[2473]: daemon: conn=42 fd=20 connection from IP=192.168.5.1:4291 (IP=0.0.0.0:31746) accepted.
Dec 19 19:29:14 soma slapd[2473]: conn=-1 fd=20 closed

Reverse lookup works:
nagasaki:~# host 192.168.5.101
101.5.168.192.in-addr.arpa domain name pointer soma.loge-23.ilm.
nagasaki:~# host soma.loge-23.ilm
soma.loge-23.ilm has address 192.168.5.101
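Added example (editor's code, not Simon's and not OpenLDAP code): a small Python triage helper for exactly the comparison made above. The detail worth noticing in the two traces is that client C writes its first PDU (`ber_flush: 14 bytes to sd 3`) straight after `ldap_int_sasl_open`, with none of the `TLS trace: SSL_connect` lines that client B shows, and the ssldump output shows the server's FIN arriving right after that. That pattern is consistent with a libldap that never started TLS on the ldaps:// URL and wrote cleartext BER to port 636, which slapd then drops; whether that is the cause here is an inference, not something the post confirms. The 14 bytes also happen to be the size of an LDAPv3 anonymous simple bind, the first PDU `ldapsearch -x` sends. The script parses two traces constructed from the excerpts in the post, encodes that bind to show the size, and classifies what a sniffer on port 636 would see as the client's first bytes. On a live case, capture `ldapsearch -d 9 ... 2>&1` (the debug output goes to stderr) and pass the text to `triage()`.

```python
"""Triage a `ldapsearch -d 9` trace taken against an ldaps:// URL.

Added example, not part of the original mailing-list post. It answers one
question from the libldap debug output: did the client run a TLS handshake
before it wrote its first LDAP PDU? The sample traces are constructed from
the excerpts in the post (client C fails, client B works).
"""
import re

URL_LINE = re.compile(r"^ldap_url_parse_ext\((ldaps?)://")
TLS_LINE = re.compile(r"^TLS trace: SSL_connect:")
FLUSH_LINE = re.compile(r"^ber_flush: (\d+) bytes to sd (\d+)")

# Constructed from the post: client C on the gateway (fails).
CLIENT_C_TRACE = """\
ldap_create
ldap_url_parse_ext(ldaps://soma.loge-23.ilm/)
ldap_connect_to_host: Trying 192.168.5.101:636
ldap_int_sasl_open: host=soma.loge-23.ilm
ldap_open_defconn: successful
ber_flush: 14 bytes to sd 3
ber_get_next failed.
ldap_bind: Can't contact LDAP server
"""

# Constructed from the post: client B on the slapd host (works).
CLIENT_B_TRACE = """\
ldap_create
ldap_url_parse_ext(ldaps://soma.loge-23.ilm/)
ldap_connect_to_host: Trying 192.168.5.101:636
ldap_int_sasl_open: host=soma.loge-23.ilm
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ber_flush: 14 bytes to sd 3
ldap_read: message type bind msgid 1, original id 1
"""


def triage(trace):
    """Classify what happened between TCP connect and the first PDU written."""
    scheme, tls_lines, first_pdu = None, 0, None
    for line in trace.splitlines():
        m = URL_LINE.match(line)
        if m:
            scheme = m.group(1)
        elif first_pdu is None and TLS_LINE.match(line):
            tls_lines += 1                       # handshake step before any PDU
        elif first_pdu is None:
            m = FLUSH_LINE.match(line)
            if m:
                first_pdu = int(m.group(1))      # size of the first PDU written
    if scheme != "ldaps":
        verdict = "cleartext-url"                # plain ldap://, no TLS expected
    elif first_pdu is None:
        verdict = "no-pdu-sent"                  # died before writing anything
    elif tls_lines == 0:
        # A PDU left on the ldaps:// connection with no SSL_connect lines
        # before it: libldap never started TLS, so the server saw cleartext BER.
        verdict = "no-tls-handshake"
    else:
        verdict = "tls-ok"
    return {"scheme": scheme, "tls_lines": tls_lines,
            "first_pdu_bytes": first_pdu, "verdict": verdict}


def _ber(tag, content):
    """Minimal BER TLV, short-form length only (every PDU here is < 128 B)."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


def anonymous_bind_request(msgid=1):
    """LDAPv3 anonymous simple bind, the first PDU `ldapsearch -x` sends.
    It encodes to 14 bytes, matching `ber_flush: 14 bytes` in both traces."""
    version = _ber(0x02, bytes([3]))             # INTEGER 3
    name = _ber(0x04, b"")                       # empty bind DN
    simple = _ber(0x80, b"")                     # [0] simple auth, empty password
    bind = _ber(0x60, version + name + simple)   # BindRequest, APPLICATION 0
    return _ber(0x30, _ber(0x02, bytes([msgid])) + bind)


def classify_first_bytes(data):
    """What a sniffer on port 636 sees as the client's first bytes on the wire."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-record"                      # SSLv3/TLS handshake record
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"              # SSLv2-compatible ClientHello
    if data[:1] == b"\x30":
        return "ber-sequence"                    # cleartext LDAPMessage
    return "unknown"


if __name__ == "__main__":
    for name, trace in (("client C", CLIENT_C_TRACE), ("client B", CLIENT_B_TRACE)):
        print(name, triage(trace))
    pdu = anonymous_bind_request()
    print(len(pdu), pdu.hex(), classify_first_bytes(pdu))
```

Both clients write a 14-byte PDU first; the difference the script isolates is whether any `SSL_connect` step preceded it. A `"no-tls-handshake"` verdict on an ldaps:// URL points at the client library (TLS support, or its TLS configuration) rather than at the server, which is what the server-side `conn=-1 fd=20 closed` line and the immediate FIN are also consistent with.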