
Re: TLS headache



> Does your cert7.db know about your CA?

What does it mean? What is cert7.db?

Thank you

Paolo

----- Original Message -----
From: "Dave Lewney" <D.M.Lewney@sussex.ac.uk>
To: "Paolo Marini" <paolom@prisma-eng.it>
Cc: <ldap@fadesa.es>; "Kent Soper" <dksoper@us.ibm.com>;
<openldap-software@OpenLDAP.org>
Sent: Tuesday, June 17, 2003 9:14 AM
Subject: Re: TLS headache


> Paolo Marini wrote:
> > I have tried the instructions in your HOWTO (very clear / thank you!),
> > after a lot of time and frustration trying to set up an LDAP server
> > with TLS, but the client seems not to like the server certificate.
> > Here are my configuration files for the openldap 2.1.21 on a RH8 linux
> > box:
> >
> > /etc/openldap/slapd.conf:
> >
> > # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
> > #
> > # See slapd.conf(5) for details on configuration options.
> > # This file should NOT be world readable.
> > #
> > include /etc/openldap/schema/core.schema
> > include /etc/openldap/schema/cosine.schema
> > include /etc/openldap/schema/inetorgperson.schema
> > include /etc/openldap/schema/nis.schema
> > include /etc/openldap/schema/redhat/rfc822-MailMember.schema
> > include /etc/openldap/schema/redhat/autofs.schema
> > #include /etc/openldap/schema/redhat/kerberosobject.schema
> >
> > loglevel 296
> > pidfile /var/run/slapd.pid
> >
> > TLSCipherSuite HIGH:MEDIUM:+SSLv2
> > TLSCACertificateFile /etc/openldap/cacert.pem
> > TLSCertificateFile /etc/openldap/servercert.pem
> > TLSCertificateKeyFile /etc/openldap/serverkey.pem
> > TLSVerifyClient never
> >
> > access to * by read
> >
> > #######################################################################
> > # ldbm database definitions
> > #######################################################################
> > database bdb
> > suffix "dc=prisma,dc=com"
> > rootdn "cn=root,dc=prisma,dc=com"
> > rootpw {SSHA}vZddgTWTErSxFyNG2MC8fnp4k/9zNadi
> > directory /var/lib/ldap
> > index objectClass,uid,uidNumber,gidNumber,memberUid eq
> > index cn,mail,surname,givenname eq,subinitial
> >
> > /etc/ldap.conf:
> >
> > HOST 127.0.0.1
> > PORT 389
> > TLS_CACERT /usr/share/ssl/misc/demoCA/cacert.pem
> > TLS_CACERTDIR /usr/share/ssl/misc/demoCA
> > TLS_REQCERT never
> >
> > This is the result of the ldapsearch with -ZZ option in the slapd log:
> >
> > conn=0 fd=12 ACCEPT from IP=127.0.0.1:32792 (IP=0.0.0.0:389)
> >
> > connection_get(12)
> >
> > connection_get(12): got connid=0
> >
> > connection_read(12): checking for input on id=0
> >
> > ber_get_next
> >
> > ldap_read: want=8, got=8
> >
> > 0000: 30 1d 02 01 01 77 18 80 0....w..
> >
> > ldap_read: want=23, got=23
> >
> > 0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
> >
> > 0010: 36 2e 32 30 30 33 37 6.20037
> >
> > ber_get_next: tag 0x30 len 29 contents:
> >
> > ber_get_next
> >
> > ldap_read: want=8 error=Resource temporarily unavailable
> >
> > ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
> >
> > do_extended
> >
> > ber_scanf fmt ({m) ber:
> >
> > do_extended: oid=1.3.6.1.4.1.1466.20037
> >
> > send_ldap_extended: err=0 oid= len=0
> >
> > send_ldap_response: msgid=1 tag=120 err=0
> >
> > ber_flush: 14 bytes to sd 12
> >
> > 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
> >
> > ldap_write: want=14, written=14
> >
> > 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
> >
> > connection_get(12)
> >
> > connection_get(12): got connid=0
> >
> > connection_read(12): checking for input on id=0
> >
> > TLS trace: SSL_accept:before/accept initialization
> >
> > tls_read: want=11, got=11
> >
> > 0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
> >
> > tls_read: want=113, got=113
> >
> > 0000: 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 ..............f.
> >
> > 0010: 00 05 00 00 04 03 00 80 01 00 80 08 00 80 00 00 ................
> >
> > 0020: 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 e..d..c..b..a..`
> >
> > 0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 ...........@....
> >
> > 0040: 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 ................
> >
> > 0050: 80 d6 47 98 b5 73 99 81 d2 68 e6 97 b8 90 c1 ed ..G..s...h......
> >
> > 0060: d0 76 73 9d a7 dc 96 f8 de 66 b0 ca c1 37 c2 65 .vs......f...7.e
> >
> > 0070: 0e .
> >
> > TLS trace: SSL_accept:SSLv3 read client hello A
> >
> > TLS trace: SSL_accept:SSLv3 write server hello A
> >
> > TLS trace: SSL_accept:SSLv3 write certificate A
> >
> > TLS trace: SSL_accept:SSLv3 write server done A
> >
> > tls_write: want=1069, written=1069
> >
> > 0000: 16 03 01 00 4a 02 00 00 46 03 01 3e ee ad 0b 74 ....J...F..>...t
> >
> > 0010: d4 44 d8 fe 96 28 8b 8c e2 e4 f2 20 82 ef d4 13 .D...(..... ....
> >
> > 0020: 17 84 8c 13 56 d0 79 bc d8 b6 55 20 16 18 66 79 ....V.y...U ..fy
> >
> > 0030: 8e 19 5c d4 52 89 73 a7 96 d8 2f 22 9b f1 8c 5c ..\.R.s.../"...\
> >
> > 0040: 3a e4 c3 9c 13 ba 32 ab 51 06 09 dc 00 0a 00 16 :.....2.Q.......
> >
> > 0050: 03 01 03 d0 0b 00 03 cc 00 03 c9 00 03 c6 30 82 ..............0.
> >
> > 0060: 03 c2 30 82 03 2b a0 03 02 01 02 02 01 01 30 0d ..0..+........0.
> >
> > 0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 94 ..*.H........0..
> >
> > 0080: 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0f 30 1.0...U....IT1.0
> >
> > 0090: 0d 06 03 55 04 08 13 06 4d 69 6c 61 6e 6f 31 0f ...U....Milano1.
> >
> > 00a0: 30 0d 06 03 55 04 07 13 06 4d 69 6c 61 6e 6f 31 0...U....Milano1
> >
> > 00b0: 1f 30 1d 06 03 55 04 0a 13 16 50 72 69 73 6d 61 .0...U....Prisma
> >
> > 00c0: 20 45 6e 67 69 6e 65 65 72 69 6e 67 20 73 72 6c Engineering srl
> >
> > 00d0: 31 0d 30 0b 06 03 55 04 0b 13 04 4c 44 41 50 31 1.0...U....LDAP1
> >
> > 00e0: 13 30 11 06 03 55 04 03 13 0a 70 72 69 73 6d 61 .0...U....prisma
> >
> > 00f0: 2e 63 6f 6d 31 1e 30 1c 06 09 2a 86 48 86 f7 0d .com1.0...*.H...
> >
> > 0100: 01 09 01 16 0f 6c 64 61 70 40 70 72 69 73 6d 61 .....ldap@prisma
> >
> > 0110: 2e 63 6f 6d 30 1e 17 0d 30 33 30 36 31 37 30 35 .com0...03061705
> >
> > 0120: 33 30 32 30 5a 17 0d 30 34 30 36 31 36 30 35 33 3020Z..040616053
> >
> > 0130: 30 32 30 5a 30 81 94 31 0b 30 09 06 03 55 04 06 020Z0..1.0...U..
> >
> > 0140: 13 02 49 54 31 0f 30 0d 06 03 55 04 08 13 06 4d ..IT1.0...U....M
> >
> > 0150: 69 6c 61 6e 6f 31 0f 30 0d 06 03 55 04 07 13 06 ilano1.0...U....
> >
> > 0160: 4d 69 6c 61 6e 6f 31 1f 30 1d 06 03 55 04 0a 13 Milano1.0...U...
> >
> > 0170: 16 50 72 69 73 6d 61 20 45 6e 67 69 6e 65 65 72 .Prisma Engineer
> >
> > 0180: 69 6e 67 20 73 72 6c 31 0d 30 0b 06 03 55 04 0b ing srl1.0...U..
> >
> > 0190: 13 04 4c 44 41 50 31 13 30 11 06 03 55 04 03 13 ..LDAP1.0...U...
> >
> > 01a0: 0a 70 72 69 73 6d 61 2e 63 6f 6d 31 1e 30 1c 06 .prisma.com1.0..
> >
> > 01b0: 09 2a 86 48 86 f7 0d 01 09 01 16 0f 6c 64 61 70 .*.H........ldap
> >
> > 01c0: 40 70 72 69 73 6d 61 2e 63 6f 6d 30 81 9f 30 0d @prisma.com0..0.
> >
> > 01d0: 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d ..*.H...........
> >
> > 01e0: 00 30 81 89 02 81 81 00 bd d9 8a d3 ce a6 89 35 .0.............5
> >
> > 01f0: c4 1d 79 3b 53 44 08 08 a7 92 2a e6 4d 5b db 35 ..y;SD....*.M[.5
> >
> > 0200: ec b7 2e ca 9b ea 4e 77 9e 98 8f de ff 67 ae d0 ......Nw.....g..
> >
> > 0210: f8 17 45 95 02 55 86 34 7a 2b a9 1f 23 3a cc 5e ..E..U.4z+..#:.^
> >
> > 0220: d9 5b 76 df 51 e6 07 fe b9 24 15 66 f8 9f 6d 29 .[v.Q....$.f..m)
> >
> > 0230: ea 96 21 66 a3 72 ef 20 d7 e7 6a fa f6 55 18 35 ..!f.r. ..j..U.5
> >
> > 0240: af c9 54 cf 84 f1 76 55 38 e5 5e 0f 95 53 b4 fd ..T...vU8.^..S..
> >
> > 0250: 1f 0a 3c 48 3b b4 cb 01 e1 ab 04 a6 70 a8 65 63 ..<H;.......p.ec
> >
> > 0260: 5f 8e 28 79 ff ca d1 61 02 03 01 00 01 a3 82 01 _.(y...a........
> >
> > 0270: 20 30 82 01 1c 30 09 06 03 55 1d 13 04 02 30 00 0...0...U....0.
> >
> > 0280: 30 2c 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 0,..`.H...B.....
> >
> > 0290: 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 .OpenSSL Generat
> >
> > 02a0: 65 64 20 43 65 72 74 69 66 69 63 61 74 65 30 1d ed Certificate0.
> >
> > 02b0: 06 03 55 1d 0e 04 16 04 14 24 59 e5 47 7e b2 95 ..U......$Y.G~..
> >
> > 02c0: c0 2c 62 ec 73 56 c1 ae b1 b1 77 f0 df 30 81 c1 .,b.sV....w..0..
> >
> > 02d0: 06 03 55 1d 23 04 81 b9 30 81 b6 80 14 1f 83 c3 ..U.#...0.......
> >
> > 02e0: e4 b0 f7 f9 eb bf de 5e 79 90 3d 73 64 18 c3 84 .......^y.=sd...
> >
> > 02f0: dd a1 81 9a a4 81 97 30 81 94 31 0b 30 09 06 03 .......0..1.0...
> >
> > 0300: 55 04 06 13 02 49 54 31 0f 30 0d 06 03 55 04 08 U....IT1.0...U..
> >
> > 0310: 13 06 4d 69 6c 61 6e 6f 31 0f 30 0d 06 03 55 04 ..Milano1.0...U.
> >
> > 0320: 07 13 06 4d 69 6c 61 6e 6f 31 1f 30 1d 06 03 55 ...Milano1.0...U
> >
> > 0330: 04 0a 13 16 50 72 69 73 6d 61 20 45 6e 67 69 6e ....Prisma Engin
> >
> > 0340: 65 65 72 69 6e 67 20 73 72 6c 31 0d 30 0b 06 03 eering srl1.0...
> >
> > 0350: 55 04 0b 13 04 4c 44 41 50 31 13 30 11 06 03 55 U....LDAP1.0...U
> >
> > 0360: 04 03 13 0a 70 72 69 73 6d 61 2e 63 6f 6d 31 1e ....prisma.com1.
> >
> > 0370: 30 1c 06 09 2a 86 48 86 f7 0d 01 09 01 16 0f 6c 0...*.H........l
> >
> > 0380: 64 61 70 40 70 72 69 73 6d 61 2e 63 6f 6d 82 01 dap@prisma.com..
> >
> > 0390: 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 .0...*.H........
> >
> > 03a0: 03 81 81 00 2d fb 74 28 0a 76 f5 b9 a3 cb ef 8c ....-.t(.v......
> >
> > 03b0: 0a df dd 67 8b 12 a3 7a b4 a6 28 83 6e 70 98 7b ...g...z..(.np.{
> >
> > 03c0: 7c 0c 68 4f d4 f4 f9 67 67 56 c9 e9 16 3a 28 8f |.hO...ggV...:(.
> >
> > 03d0: 37 fa 35 67 ae 1a a2 d5 82 c2 74 f6 a9 c0 cf f2 7.5g......t.....
> >
> > 03e0: 24 24 a0 fa bd bf 6e aa 15 e8 a6 8a 91 50 cd 18 $$....n......P..
> >
> > 03f0: 44 cc 4f be dd 69 e4 86 51 13 b2 68 66 a0 74 15 D.O..i..Q..hf.t.
> >
> > 0400: 7e 91 18 b4 36 33 97 d1 15 72 9c 1e 90 1b 72 5d ~...63...r....r]
> >
> > 0410: 80 43 d3 70 55 f0 b9 0c 46 99 2e 85 65 12 db 21 .C.pU...F...e..!
> >
> > 0420: 64 4b b3 c5 16 03 01 00 04 0e 00 00 00 dK...........
> >
> > TLS trace: SSL_accept:SSLv3 flush data
> >
> > tls_read: want=5, got=5
> >
> > 0000: 15 03 01 00 02 .....
> >
> > tls_read: want=2, got=2
> >
> > 0000: 02 30 .0
> >
> > TLS trace: SSL3 alert read:fatal:unknown
> >
> > TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> >
> > TLS: can't accept.
> >
> > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1002
> >
> > connection_read(12): TLS accept error error=-1 id=0, closing
> >
> > connection_closing: readying conn=0 sd=12 for close
> >
> > connection_close: conn=0 sd=12
> >
> > conn=0 fd=12 closed
> >
> >
> >
> > Needless to say, without TLS ldapsearch is OK and returns the correct
> > search.
> >
> > Sorry for the long mail, but I think this problem affects a lot of
> > people.
> >
> > Does it have to do with server name, CA names? Documentation states that
> > the DN of a server certificate must use the CN attribute to name the
> > server, and the CN must carry the server's fully qualified domain name.
> > What does it mean?
> >
> > Thank you
> >
> > Paolo
> >
> > ----- Original Message -----
> > From: "Kent Soper" <dksoper@us.ibm.com>
> > To: <ldap@fadesa.es>
> > Cc: <openldap-software@OpenLDAP.org>
> > Sent: Monday, June 16, 2003 9:25 PM
> > Subject: Re: TLS headache
> >
> >
> >
> >>
> >>Hi Jose,
> >>
> >>I'm not sure whether you're trying to get server side TLS or server side
> >>TLS with client side authentication working.  If you are only setting up
> >>server side TLS, then you don't need the TLSVerifyClient line in slapd.conf
> >>or much of the ldap.conf file.
> >>
> >>If you are trying to set up client authentication, then your user (client)
> >>will also need the TLS_CERT and TLS_KEY entries moved from ldap.conf to
> >>either a file called ldaprc or .ldaprc in the user's home directory or
> >>current directory.
> >>
> >>Please see the new doc
> >>http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html for various
> >>TLS/SSL issues.  It's full of examples too.  Well written (tongue firmly in
> >>cheek!!).
> >>
> >>Cheers,
> >>Kent Soper
> >>
> >>"You don't stop playing because you grow old ...
> >>       you grow old because you stop playing."
> >>
> >>Linux Technology Center, Linux Security
> >>phone:  1-512-838-9216
> >>e-mail:  dksoper@us.ibm.com
> >>
> >>
> >>
> >>
> >>
> >>"José M. Fandiño" <ldap@fadesa.es>
> >>Sent by: owner-openldap-software@OpenLDAP.org
> >>06/16/2003 06:56 AM
> >>Please respond to ldap
> >>To: openldap-software@OpenLDAP.org
> >>cc:
> >>Subject: TLS headache
> >>
> >>
> >>Hello,
> >>
> >>I'm trying to make a TLS connection work between ldap clients and slapd
> >>but I always get an SSL error. The configuration can't be simpler.
> >>I'm using a self-issued certificate.
> >>
> >>Please, can anyone tell me what's wrong with my configuration?
> >>
> >>thanks,
> >>
> >>/usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"
> >>
> >>Active Internet connections (servers and established)
> >>Proto Recv-Q Send-Q Local Address           Foreign Address         State
> >>tcp        0      0 *:ldap                  *:*                     LISTEN
> >>tcp        0      0 *:ldaps                 *:*                     LISTEN
> >>
> >>slapd.conf excerpt
> >>==================
> >>TLSVerifyClient true
> >>TLSCipherSuite  HIGH
> >>TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
> >>TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
> >>TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem
> >>
> >>ldap.conf excerpt
> >>==================
> >>TLS_CACERT      /usr/local/openldap/etc/openldap/slapd.pem
> >>TLS_CERT        /usr/local/openldap/etc/openldap/slapd.pem
> >>TLS_KEY         /usr/local/openldap/etc/openldap/slapd.key
> >>TLS_REQCERT allow
> >>
> >>filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem -noout -text
> >>Certificate:
> >>    Data:
> >>        Version: 3 (0x2)
> >>        Serial Number: 0 (0x0)
> >>        Signature Algorithm: md5WithRSAEncryption
> >>        Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
> >>        Validity
> >>            Not Before: Jun 16 11:09:22 2003 GMT
> >>            Not After : Jun 14 11:09:22 2008 GMT
> >>        Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
> >>        Subject Public Key Info:
> >>            Public Key Algorithm: rsaEncryption
> >>            RSA Public Key: (2048 bit)
> >>                Modulus (2048 bit):
> >>                    00:d7:38:ea:8e:a2:1d:56:de:38:05:c1:41:1f:c5:
> >>                    e1:06:27:28:1b:b6:86:56:7a:b2:bf:48:67:80:ab:
> >>                    15:89:61:0c:f9:c5:26:1b:f9:07:da:cc:da:c9:f1:
> >>                    64:0a:81:09:c3:6c:1d:26:1b:b9:35:0c:83:a6:0a:
> >>                    08:ef:02:ef:a5:9e:6f:17:23:20:72:0f:e3:62:88:
> >>                    40:f8:55:55:c2:75:7b:1d:b3:d8:bf:f2:50:f1:f9:
> >>                    45:d9:fa:ca:b5:df:b2:ed:8a:f9:8a:29:c2:48:b5:
> >>                    ad:4e:c2:d9:54:55:cf:5a:54:d8:3b:f9:3c:ea:d2:
> >>                    8d:eb:8d:d1:45:4c:c5:1e:87:9d:35:2a:d9:94:fd:
> >>                    a9:0d:17:3f:ca:15:8d:f6:48:80:1b:31:4b:46:99:
> >>                    cd:e7:93:cb:92:9c:25:22:f5:ab:9a:01:90:20:c6:
> >>                    70:6b:8d:d1:dd:3b:73:f1:7a:9f:d8:31:fc:b4:4d:
> >>                    e8:d9:53:1b:45:87:6d:51:4e:40:48:bd:0d:b1:a4:
> >>                    3f:51:37:0a:f1:0b:bb:18:be:02:69:a5:ce:67:85:
> >>                    91:25:3a:44:85:bf:6f:ee:cb:cc:44:71:6c:57:99:
> >>                    74:0a:15:ef:7b:e7:29:79:8a:5a:3b:6e:61:ba:09:
> >>                    7f:73:33:da:31:3d:e0:05:da:32:c9:0c:12:64:1a:
> >>                    a1:87
> >>                Exponent: 65537 (0x10001)
> >>        X509v3 extensions:
> >>            X509v3 Subject Key Identifier:
> >>                25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
> >>            X509v3 Authority Key Identifier:
> >>                keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
> >>                DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
> >>                serial:00
> >>
> >>            X509v3 Basic Constraints:
> >>                CA:TRUE
> >>    Signature Algorithm: md5WithRSAEncryption
> >>        90:81:6e:b2:72:4c:70:2f:c4:5a:41:90:70:0b:0c:77:d0:18:
> >>        af:e2:a5:13:4f:4b:41:23:87:05:a2:6c:f1:d5:8d:84:34:a6:
> >>        fd:5a:c0:93:9f:b2:a4:4d:0b:d6:fd:7b:28:45:f4:35:b4:a9:
> >>        2c:29:1f:6a:c4:5e:87:d2:59:e1:75:1d:9f:2b:3d:69:cd:d9:
> >>        da:b7:15:03:0d:2c:b4:1d:c2:8e:a2:45:47:a9:e7:2a:3d:28:
> >>        22:2b:41:49:25:0e:38:ee:0c:84:b9:e4:1b:f8:07:e8:3b:1a:
> >>        4c:de:68:50:20:fb:2e:f0:74:a2:db:c2:96:95:65:c1:de:e8:
> >>        a2:3d:f6:a9:48:9e:1f:e4:67:ba:59:e5:9a:cb:d6:79:34:7f:
> >>        4d:9a:8e:4a:66:68:d4:59:6f:d7:86:ac:32:8c:3c:f4:e4:60:
> >>        a0:3c:6a:e3:0c:e6:b8:46:b6:1e:c6:25:20:04:5a:93:4f:c2:
> >>        90:3c:b6:7f:88:08:d1:09:59:e7:a1:a7:b4:04:53:28:5b:b2:
> >>        8f:4d:08:58:d2:c2:37:ee:56:ee:23:15:e3:c7:e5:e0:f2:77:
> >>        cb:d9:58:43:53:be:18:1a:f3:8a:19:5b:36:30:49:3c:a4:cb:
> >>        58:78:fc:9f:92:c1:1d:f0:5e:d4:e3:da:8f:0c:5a:74:18:27:
> >>        30:8d:20:cc
> >>
> >>             /------/
> >>
> >>ldapsearch -ZZ -d -1 -b "dc=fadesa"
> >>ldap_create
> >>ldap_extended_operation_s
> >>ldap_extended_operation
> >>ldap_send_initial_request
> >>ldap_new_connection
> >>ldap_int_open_connection
> >>ldap_connect_to_host: TCP localhost:389
> >>ldap_new_socket: -1
> >>ldap_new_socket: 3
> >>ldap_prepare_socket: 3
> >>ldap_connect_to_host: Trying 127.0.0.1:389
> >>ldap_connect_timeout: fd: 3 tm: -1 async: 0
> >>ldap_ndelay_on: 3
> >>ldap_is_sock_ready: 3
> >>ldap_ndelay_off: 3
> >>ldap_int_sasl_open: host=filemon.servidores.fadesa
> >>ldap_open_defconn: successful
> >>ldap_send_server_request
> >>ber_flush: 31 bytes to sd 3
> >>  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
> >>  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
> >>ldap_write: want=31, written=31
> >>  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
> >>  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
> >
> >>ldap_result msgid 1
> >>ldap_chkResponseList for msgid=1, all=1
> >>ldap_chkResponseList returns NULL
> >>wait4msg (infinite timeout), msgid 1
> >>wait4msg continue, msgid 1, all 1
> >>** Connections:
> >>* host: localhost  port: 389  (default)
> >>  refcnt: 2  status: Connected
> >>  last used: Mon Jun 16 13:54:07 2003
> >>
> >>** Outstanding Requests:
> >> * msgid 1,  origid 1, status InProgress
> >>   outstanding referrals 0, parent count 0
> >>** Response Queue:
> >>   Empty
> >>ldap_chkResponseList for msgid=1, all=1
> >>ldap_chkResponseList returns NULL
> >>ldap_int_select
> >>read1msg: msgid 1, all 1
> >>ber_get_next
> >>ldap_read: want=9, got=9
> >>  0000:  30 0c 02 01 01 78 07 0a  01                        0....x...
> >>ldap_read: want=5, got=5
> >>  0000:  00 04 00 04 00                                     .....
> >>ber_get_next: tag 0x30 len 12 contents:
> >>ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
> >>  0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
> >>ldap_read: message type extended-result msgid 1, original id 1
> >>ber_scanf fmt ({iaa) ber:
> >>ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> >>  0000:  78 07 0a 01 00 04 00 04  00                        x........
> >>read1msg:  0 new referrals
> >>read1msg:  mark request completed, id = 1
> >>request 1 done
> >>res_errno: 0, res_error: <>, res_matched: <>
> >>ldap_free_request (origid 1, msgid 1)
> >>ldap_free_connection
> >>ldap_free_connection: refcnt 1
> >>ldap_parse_extended_result
> >>ber_scanf fmt ({iaa) ber:
> >>ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> >>  0000:  78 07 0a 01 00 04 00 04  00                        x........
> >>ldap_parse_result
> >>ber_scanf fmt ({iaa) ber:
> >>ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> >>  0000:  78 07 0a 01 00 04 00 04  00                        x........
> >>ber_scanf fmt (}) ber:
> >>ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0
> >>
> >>ldap_msgfree
> >>TLS trace: SSL_connect:before/connect initialization
> >>tls_write: want=124, written=124
> >>  0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 16 00 00   .z....Q...
> >>.....
> >>  0010:  13 00 00 0a 07 00 c0 00  00 66 00 00 05 00 00 04
> >>.........f......
> >>  0020:  03 00 80 01 00 80 08 00  80 00 00 65 00 00 64 00
> >>...........e..d.
> >>  0030:  00 63 00 00 62 00 00 61  00 00 60 00 00 15 00 00
> >>.c..b..a..`.....
> >>  0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08
> >>......@.........
> >>  0050:  00 00 06 00 00 03 04 00  80 02 00 80 39 13 8b a0
> >>............9...
> >>  0060:  72 49 06 d9 a2 aa 96 66  d6 a7 cc a6 5b f3 c8 52
> >>rI.....f....[..R
> >>  0070:  b0 98 c2 d9 ea f4 d7 68  fb 1a 74 07               .......h..t.
> >>TLS trace: SSL_connect:SSLv2/v3 write client hello A
> >>tls_read: want=7, got=7
> >>  0000:  16 03 01 00 4a 02 00                               ....J..
> >>tls_read: want=72, got=72
> >>  0000:  00 46 03 01 3e ed af df  ac 36 d2 53 17 d5 a0 12
> >>.F..>....6.S....
> >>  0010:  d3 ed 59 a0 c1 76 d2 06  64 e6 06 8e 52 8e d9 85
> >>..Y..v..d...R...
> >>  0020:  80 ce 6d 47 20 8c 89 00  18 6a 0c 2b d9 ff c5 44   ..mG
> >>....j.+...D
> >>  0030:  d5 65 79 1a 7a f8 26 99  b4 6a e3 fa c4 9c 49 10
> >>.ey.z.&..j....I.
> >>  0040:  9f d1 77 2b 09 00 0a 00                            ..w+....
> >>TLS trace: SSL_connect:SSLv3 read server hello A
> >>tls_read: want=5, got=5
> >>  0000:  16 03 01 04 93                                     .....
> >>tls_read: want=1171, got=1171
> >>  0000:  0b 00 04 8f 00 04 8c 00  04 89 30 82 04 85 30 82
> >>..........0...0.
> >>  0010:  03 6d a0 03 02 01 02 02  01 00 30 0d 06 09 2a 86
> >>.m........0...*.
> >>  0020:  48 86 f7 0d 01 01 04 05  00 30 81 8d 31 0b 30 09
> >>H........0..1.0.
> >>  0030:  06 03 55 04 06 13 02 45  53 31 12 30 10 06 03 55
> >>..U....ES1.0...U
> >>  0040:  04 08 14 09 4c 61 20 43  6f 72 75 f1 61 31 12 30   ....La
> >>Coru.a1.0
> >>  0050:  10 06 03 55 04 07 14 09  4c 61 20 43 6f 72 75 f1   ...U....La
> >>Coru.
> >>  0060:  61 31 0f 30 0d 06 03 55  04 0a 13 06 46 61 64 65
> >>a1.0...U....Fade
> >>  0070:  73 61 31 14 30 12 06 03  55 04 0b 13 0b 69 6e 66
> >>sa1.0...U....inf
> >>  0080:  6f 72 6d 61 74 69 63 61  31 11 30 0f 06 03 55 04
> >>ormatica1.0...U.
> >>  0090:  03 13 08 6f 70 65 6e 6c  64 61 70 31 1c 30 1a 06
> >>...openldap1.0..
> >>  00a0:  09 2a 86 48 86 f7 0d 01  09 01 16 0d 6e 6f 6e 65
> >>.*.H........none
> >>  00b0:  40 66 66 66 66 66 2e 66  66 30 1e 17 0d 30 33 30
> >>@fffff.ff0...030
> >>  00c0:  36 31 36 31 31 30 39 32  32 5a 17 0d 30 38 30 36
> >>616110922Z..0806
> >>  00d0:  31 34 31 31 30 39 32 32  5a 30 81 8d 31 0b 30 09
> >>14110922Z0..1.0.
> >>  00e0:  06 03 55 04 06 13 02 45  53 31 12 30 10 06 03 55
> >>..U....ES1.0...U
> >>  00f0:  04 08 14 09 4c 61 20 43  6f 72 75 f1 61 31 12 30   ....La
> >>Coru.a1.0
> >>  0100:  10 06 03 55 04 07 14 09  4c 61 20 43 6f 72 75 f1   ...U....La
> >>Coru.
> >>  0110:  61 31 0f 30 0d 06 03 55  04 0a 13 06 46 61 64 65
> >>a1.0...U....Fade
> >>  0120:  73 61 31 14 30 12 06 03  55 04 0b 13 0b 69 6e 66
> >>sa1.0...U....inf
> >>  0130:  6f 72 6d 61 74 69 63 61  31 11 30 0f 06 03 55 04
> >>ormatica1.0...U.
> >>  0140:  03 13 08 6f 70 65 6e 6c  64 61 70 31 1c 30 1a 06
> >>...openldap1.0..
> >>  0150:  09 2a 86 48 86 f7 0d 01  09 01 16 0d 6e 6f 6e 65
> >>.*.H........none
> >>  0160:  40 66 66 66 66 66 2e 66  66 30 82 01 22 30 0d 06
> >>@fffff.ff0.."0..
> >>  0170:  09 2a 86 48 86 f7 0d 01  01 01 05 00 03 82 01 0f
> >>.*.H............
> >>  0180:  00 30 82 01 0a 02 82 01  01 00 d7 38 ea 8e a2 1d
> >>.0.........8....
> >>  0190:  56 de 38 05 c1 41 1f c5  e1 06 27 28 1b b6 86 56
> >>V.8..A....'(...V
> >>  01a0:  7a b2 bf 48 67 80 ab 15  89 61 0c f9 c5 26 1b f9
> >>z..Hg....a...&..
> >>  01b0:  07 da cc da c9 f1 64 0a  81 09 c3 6c 1d 26 1b b9
> >>......d....l.&..
> >>  01c0:  35 0c 83 a6 0a 08 ef 02  ef a5 9e 6f 17 23 20 72
5..........o.#
> >>r
> >>  01d0:  0f e3 62 88 40 f8 55 55  c2 75 7b 1d b3 d8 bf f2
> >>..b.@.UU.u{.....
> >>  01e0:  50 f1 f9 45 d9 fa ca b5  df b2 ed 8a f9 8a 29 c2
> >>P..E..........).
> >>  01f0:  48 b5 ad 4e c2 d9 54 55  cf 5a 54 d8 3b f9 3c ea
> >>H..N..TU.ZT.;.<.
> >>  0200:  d2 8d eb 8d d1 45 4c c5  1e 87 9d 35 2a d9 94 fd
> >>.....EL....5*...
> >>  0210:  a9 0d 17 3f ca 15 8d f6  48 80 1b 31 4b 46 99 cd
> >>...?....H..1KF..
> >>  0220:  e7 93 cb 92 9c 25 22 f5  ab 9a 01 90 20 c6 70 6b   .....%".....
> >>.pk
> >>  0230:  8d d1 dd 3b 73 f1 7a 9f  d8 31 fc b4 4d e8 d9 53
> >>...;s.z..1..M..S
> >>  0240:  1b 45 87 6d 51 4e 40 48  bd 0d b1 a4 3f 51 37 0a
> >>.E.mQN@H....?Q7.
> >>  0250:  f1 0b bb 18 be 02 69 a5  ce 67 85 91 25 3a 44 85
> >>......i..g..%:D.
> >>  0260:  bf 6f ee cb cc 44 71 6c  57 99 74 0a 15 ef 7b e7
> >>.o...DqlW.t...{.
> >>  0270:  29 79 8a 5a 3b 6e 61 ba  09 7f 73 33 da 31 3d e0
> >>)y.Z;na...s3.1=.
> >>  0280:  05 da 32 c9 0c 12 64 1a  a1 87 02 03 01 00 01 a3
> >>..2...d.........
> >>  0290:  81 ed 30 81 ea 30 1d 06  03 55 1d 0e 04 16 04 14
> >>..0..0...U......
> >>  02a0:  25 18 ef 9a 09 20 44 11  fc 3a b7 6c 67 7e 80 b4   %....
> >>D..:.lg~..
> >>  02b0:  3c 21 ef 64 30 81 ba 06  03 55 1d 23 04 81 b2 30
> >><!.d0....U.#...0
> >>  02c0:  81 af 80 14 25 18 ef 9a  09 20 44 11 fc 3a b7 6c   ....%....
> >>D..:.l
> >>  02d0:  67 7e 80 b4 3c 21 ef 64  a1 81 93 a4 81 90 30 81
> >>g~..<!.d......0.
> >>  02e0:  8d 31 0b 30 09 06 03 55  04 06 13 02 45 53 31 12
> >>.1.0...U....ES1.
> >>  02f0:  30 10 06 03 55 04 08 14  09 4c 61 20 43 6f 72 75   0...U....La
> >>Coru
> >>  0300:  f1 61 31 12 30 10 06 03  55 04 07 14 09 4c 61 20
> >
> > .a1.0...U....La
> >
> >>  0310:  43 6f 72 75 f1 61 31 0f  30 0d 06 03 55 04 0a 13
> >>Coru.a1.0...U...
> >>  0320:  06 46 61 64 65 73 61 31  14 30 12 06 03 55 04 0b
> >>.Fadesa1.0...U..
> >>  0330:  13 0b 69 6e 66 6f 72 6d  61 74 69 63 61 31 11 30
> >>..informatica1.0
> >>  0340:  0f 06 03 55 04 03 13 08  6f 70 65 6e 6c 64 61 70
> >>...U....openldap
> >>  0350:  31 1c 30 1a 06 09 2a 86  48 86 f7 0d 01 09 01 16
> >>1.0...*.H.......
> >>  0360:  0d 6e 6f 6e 65 40 66 66  66 66 66 2e 66 66 82 01
> >>.none@fffff.ff..
> >>  0370:  00 30 0c 06 03 55 1d 13  04 05 30 03 01 01 ff 30
> >>.0...U....0....0
> >>  0380:  0d 06 09 2a 86 48 86 f7  0d 01 01 04 05 00 03 82
> >>...*.H..........
> >>  0390:  01 01 00 90 81 6e b2 72  4c 70 2f c4 5a 41 90 70
> >>.....n.rLp/.ZA.p
> >>  03a0:  0b 0c 77 d0 18 af e2 a5  13 4f 4b 41 23 87 05 a2
> >>..w......OKA#...
> >>  03b0:  6c f1 d5 8d 84 34 a6 fd  5a c0 93 9f b2 a4 4d 0b
> >>l....4..Z.....M.
> >>  03c0:  d6 fd 7b 28 45 f4 35 b4  a9 2c 29 1f 6a c4 5e 87
> >>..{(E.5..,).j.^.
> >>  03d0:  d2 59 e1 75 1d 9f 2b 3d  69 cd d9 da b7 15 03 0d
> >>.Y.u..+=i.......
> >>  03e0:  2c b4 1d c2 8e a2 45 47  a9 e7 2a 3d 28 22 2b 41
> >>,.....EG..*=("+A
> >>  03f0:  49 25 0e 38 ee 0c 84 b9  e4 1b f8 07 e8 3b 1a 4c
> >>I%.8.........;.L
> >>  0400:  de 68 50 20 fb 2e f0 74  a2 db c2 96 95 65 c1 de   .hP
> >>...t.....e..
> >>  0410:  e8 a2 3d f6 a9 48 9e 1f  e4 67 ba 59 e5 9a cb d6
> >>..=..H...g.Y....
> >>  0420:  79 34 7f 4d 9a 8e 4a 66  68 d4 59 6f d7 86 ac 32
> >>y4.M..Jfh.Yo...2
> >>  0430:  8c 3c f4 e4 60 a0 3c 6a  e3 0c e6 b8 46 b6 1e c6
> >>.<..`.<j....F...
> >>  0440:  25 20 04 5a 93 4f c2 90  3c b6 7f 88 08 d1 09 59   %
> >>.Z.O..<......Y
> >>  0450:  e7 a1 a7 b4 04 53 28 5b  b2 8f 4d 08 58 d2 c2 37
> >>.....S([..M.X..7
> >>  0460:  ee 56 ee 23 15 e3 c7 e5  e0 f2 77 cb d9 58 43 53
> >>.V.#......w..XCS
> >>  0470:  be 18 1a f3 8a 19 5b 36  30 49 3c a4 cb 58 78 fc
> >>......[60I<..Xx.
> >>  0480:  9f 92 c1 1d f0 5e d4 e3  da 8f 0c 5a 74 18 27 30
> >>.....^.....Zt.'0
> >>  0490:  8d 20 cc                                           . .
> >>TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
> >>TLS certificate verification: Error, self signed certificate
> >>tls_write: want=7, written=7
> >>  0000:  15 03 01 00 02 02 30                               ......0
> >>TLS trace: SSL3 alert write:fatal:unknown CA
> >>TLS trace: SSL_connect:error in SSLv3 read server certificate B
> >>TLS trace: SSL_connect:error in SSLv3 read server certificate B
> >>TLS: can't connect.
> >>ldap_perror
> >>ldap_start_tls: Connect error (91)
> >>        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >>--
> >>-----BEGIN GEEK CODE BLOCK-----
> >>Version: 3.1
> >>GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
> >>O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
> >>G++ e- h+(++) !r !z
> >>------END GEEK CODE BLOCK------
> >>
> >>
> >>
> >>
> >
> >>
> >
>
> Does your cert7.db know about your CA?
>
> --
> Dave
> --
> Dave Lewney
> Principal Systems Programmer, Computing Service
> University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
>
>
>
>
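Editor's note and added example, not part of any message in the thread. Both client logs above end in the same place: the client receives the server certificate and refuses it. Paolo's client answers with a fatal "unknown ca" alert (the certificate was issued by a CA that is not in the CA file the client actually loaded), and José's client reports verification error 18, "self signed certificate" (the certificate is its own issuer and that very certificate is not in the client's trust store). The script below reproduces both outcomes offline with plain openssl, and also checks the CN-must-be-the-FQDN rule Paolo asks about. Everything in it is constructed test data: the CA name "Example LDAP CA", the host name ldap.example.com, the subject CN "openldap" on the self-signed certificate, and the temporary directory it writes to are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Reproduces, offline and with
# plain openssl, the two failures in the logs above:
#   - "unknown ca"            : server cert signed by a CA the client does not trust
#   - err 18 "self signed"    : cert is its own issuer and is not in the CA file
# All names and paths are constructed test data created in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA, a server certificate signed by it, and an unrelated
# self-signed certificate (the shape of José's slapd.pem). Safe to call twice.
make_pki() {
  if [ -f "$WORK/othercert.pem" ]; then return 0; fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=Example LDAP CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example/CN=ldap.example.com" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/servercert.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=openldap" \
    -keyout "$WORK/otherkey.pem" -out "$WORK/othercert.pem" >/dev/null 2>&1
}

# The "does your CA file know about this certificate" question, which is what
# TLS_CACERT on the client answers. Exit status is that of openssl verify:
# 0 only if a chain can be built from CERTFILE to a certificate in CAFILE.
chain_ok() {  # chain_ok CAFILE CERTFILE
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The naming rule quoted in the thread: the subject CN must be the fully
# qualified host name the client connects to. (Current clients check the
# subjectAltName dNSName first; the CN check is what the 2003 docs described.)
cn_matches() {  # cn_matches CERTFILE HOSTNAME
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ]
}

# Stand-alone demonstration: prints accepted/rejected for each check.
main() {
  make_pki
  report() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
  report chain_ok "$WORK/cacert.pem"    "$WORK/servercert.pem"  # issuing CA is trusted
  report chain_ok "$WORK/othercert.pem" "$WORK/servercert.pem"  # wrong CA file -> "unknown ca"
  report chain_ok "$WORK/cacert.pem"    "$WORK/othercert.pem"   # self-signed, not in CA file -> err 18
  report chain_ok "$WORK/othercert.pem" "$WORK/othercert.pem"   # self-signed AND in CA file -> fine
  report cn_matches "$WORK/servercert.pem" ldap.example.com
  report cn_matches "$WORK/servercert.pem" localhost            # what both posters' clients connected to
}
main
```

Two facts worth keeping next to this, neither stated by the posters: an OpenLDAP client built against OpenSSL takes its trust anchors from TLS_CACERT / TLS_CACERTDIR in the OpenLDAP client configuration (on Red Hat that file is /etc/openldap/ldap.conf; /etc/ldap.conf is read by nss_ldap and pam_ldap), and cert7.db is the NSS certificate database used by Netscape-family software, so it plays no part in an OpenSSL-based slapd or ldapsearch. The last check in the script is the one that bites once the CA problem is solved: a certificate whose CN is prisma.com or openldap does not name the host "localhost" or "127.0.0.1" that the posted commands connect to.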