
Re: SSL/TLS - Help Please



When generating your ssl/tls certs, does your CN match the hostname you are calling?

i.e.
"Common Name (eg, your name or your server's hostname) []:"

So if you wanted to connect to your ldap server as "host.domain.tld" with tls/ssl, you would have to give that as the CN for the ssl cert.  (i.e. ldapsearch -x -H ldaps://host.domain.tld -b "dc=your,dc=org")


Just a suggestion, I knew I had similar problems and it took me a couple days and a lot of digging to find that out.

Hope this helps,

 -- Cy
>
>
>
> Date: Wed, 28 Jan 2004 17:11:21 +0000
> From: Miguel Baptista <miguel@ccom.uminho.pt>
> To: openldap-software@OpenLDAP.org
> Subject: Re: SSL/TLS - Help Please
>
> Hi,
>
> First of all, I want to thank you Siva, for trying to help me.
>
> Here is the whole debug (it doesn't give more information about the
> problem):
>
> daemon: activity on 1 descriptors
> daemon: new connection on 13
> conn=1 fd=13 ACCEPT from IP=127.0.0.1:33901 (IP=0.0.0.0:636)
> daemon: added 13r
> daemon: activity on:
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 13r
> daemon: read activity on 13
> connection_get(13)
> connection_get(13): got connid=1
> connection_read(13): checking for input on id=1
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=0
>
> TLS: can't accept.
> connection_read(13): TLS accept error error=-1 id=1, closing
> connection_closing: readying conn=1 sd=13 for close
> connection_close: conn=1 sd=13
> daemon: removing 13
> conn=1 fd=13 closed
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
>
>
> I tried this command (in the slapd.conf i put:   TLSVerifyClient    never)
>   > openssl s_client -connect estagio:636 -showcerts -state -CAfile
> /var/myca/cacert.pem
>
> and everything is ok.
>
>
> Then i tried this one (in the slapd.conf i put: TLSVerifyClient   demand)
>  > openssl s_client -connect estagio:636 -showcerts -state -CAfile
> /var/myca/cacert.pem -cert /home/miguel/client.pem
>                       -key /home/miguel/Client.key.pem
>
> and everything is ok.
>
> I think the error should be in my client's configuration. But I don't know
> exactly where.
>
> Here is, one more time, my clients configuration files:
>
> My ldap.conf (in /etc/openldap):
> ...
> HOST estagio
> PORT 636
> TLS_CACERT  /var/myca/cacert.pem
>
>
> My .ldaprc (in my user's home)
> ...
> TLS_CERT /home/miguel/client.pem
> TLS_KEY /home/miguel/client.key.pem
> TLS_REQCERT demand
>
>
> Don't know what to do. Any ideas?
>
>
> Siva Kollipara wrote:
>
> >>tls_read: want=11, got=0
> >>
> >>
> >indicates that TLS was expecting 11 bytes but instead got 0 bytes.
> >can u include the whole debug trace ?
> >
> >Siva
> >
> >On Mon, 26 Jan 2004, Miguel Baptista wrote:
> >
> >
> >
> >>Hi,
> >>
> >>I tried start my server with the "-d -1" option.
> >>
> >>In the client I got this message:
> >>    ?ldap_start_tls: Can't contact LDAP server (81)?
> >>
> >>
> >>This is the error message i got in the server:
> >>
> >>?TLS trace: SSL_accept:before/accept initialization
> >>tls_read: want=11, got=0
> >>
> >>TLS: can't accept.
> >>connection_read(13): TLS accept error error=-1 id=1, closing
> >>connection_closing: readying conn=1 sd=13 for close
> >>connection_close: conn=1 sd=13
> >>daemon: removing 13
> >>conn=1 fd=13 closed?
> >>
> >>It looks like TLS is expecting the value 11 and is getting the value 0.
> >>
> >>I looked in the OpenLDAP archive and in google but I don't know what may
> >>be causing this error.
> >>
> >>Any idea? Can someone help me, or give some directions?
> >>
> >>Best Regards
> >>
> >>
> >>Siva Kollipara wrote:
> >>
> >>
> >>
> >>>On Fri, 23 Jan 2004, Miguel Baptista wrote:
> >>>can u give more detail on the error information.
> >>>
> >>>try using -d -1 on ur ldapsearch that should give more detailed info.
> >>>
> >>>i assume u have installed ldap with ssl support (and the correct path to
> >>>ssl libraries) also check if ur server has permission to read
> >>>the CA certs (server as root should b ok)
> >>>
> >>>best bet try with -d -1 and that should b sufficient to find out the
> >>>reason.
> >>>
> >>>lemme know if this helps,
> >>>siva
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>I'm using Openldap v.2.1.22 and openSSL 0.9.7b
> >>>>
> >>>>I start my server with this command line:
> >>>>/usr/local/libexec/slapd -d9 -h "ldap:/// ldaps:///"
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>>PORT 636
> >>>>TLS_CACERT  /var/myca/estagio/cacert.pem
> >>>>TLS_REQCERT demand
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>My .ldaprc (in my user's home)
> >>>>
> >>>>TLS_REQCERT demand
> >>>>
> >>>># client authentication
> >>>>TLS_CERT /home/miguel/client.pem
> >>>>TLS_KEY /home/miguel/client.key.pem
> >>>>
> >>>>
> >>>>When i try this:
> >>>>ldapsearch -x  -D "cn=Manager,dc=uminho,dc=pt" '(objectclass=*)' -H
> >>>>ldaps://estagio  -W
> >>>>
> >>>>I got this error (in ldap server ):
> >>>>TLS trace: SSL_accept:before/accept initialization
> >>>>TLS: can't accept.
> >>>>connection_read(13): TLS accept error error=-1 id=4, closing
> >>>>
> >>>>
> >>>>and with this:
> >>>>ldapsearch -x -D "cn=Manager,dc=uminho,dc=pt" '(objectclass=*)'  -H
> >>>>ldaps://estagio -w "secret" -ZZ
> >>>>
> >>>>i got the same error
> >>>>
> >>>>
> >>>>I tried the testing commands (from the how to, and everything seems ok):
> >>>>openssl s_client -connect myserver.com:636 ...
> >>>>
> >>>>
> >>>>Can anyone help? Am I forgetting something? I've read something about the
> >>>> environment variable LDAPNOINIT, is this necessary?
> >>>>
> >>>>Best Regards
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
>
>
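Cy's point above, that the host given to `ldapsearch -H ldaps://...` must be the name the server certificate carries, can be checked before reissuing anything. The following is an added example, not code from this thread or from OpenLDAP: it pulls the host out of an LDAP URI the way `-H` sees it and applies the RFC 6125 name-matching rule (subjectAltName dNSName entries first, subject CN only when no dNSName exists, case-insensitive, wildcard only as the whole leftmost label). The certificate names in the tests are constructed.

```python
"""Does the name a client dials match the names in a server certificate?
Added example for this thread; the matching rule is RFC 6125 (what modern
OpenSSL/OpenLDAP enforce), and the names used in tests are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def host_from_ldap_uri(uri: str) -> str:
    """Hostname of an ldap:// or ldaps:// URI, normalised for comparison."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URI with a host: {uri!r}")
    return parts.hostname.rstrip(".").lower()


def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name against the dialled host."""
    pattern, host = pattern.rstrip(".").lower(), host.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    # A wildcard must be the entire leftmost label, must be followed by at
    # least two labels (no "*.tld"), and never matches across a dot.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches_host(cn: Optional[str], san_dns: List[str],
                      host: str) -> Tuple[bool, str]:
    """Return (matched, reason).  SAN dNSName entries are authoritative;
    the CN is consulted only when the certificate has no dNSName at all."""
    if san_dns:
        for name in san_dns:
            if _name_matches(name, host):
                return True, f"SAN dNSName {name!r} matches {host!r}"
        return False, (f"no SAN dNSName matches {host!r}; "
                       "CN is ignored because the cert has SAN entries")
    if cn and _name_matches(cn, host):
        return True, f"CN {cn!r} matches {host!r}"
    return False, (f"CN {cn!r} does not match {host!r}; "
                   "reissue the server cert with that name or dial that name")


if __name__ == "__main__":
    # Constructed scenario: cert issued for "host.domain.tld", client dials the short name.
    dialled = host_from_ldap_uri("ldaps://host/dc=your,dc=org")
    print(cert_matches_host("host.domain.tld", [], dialled))
```

A `False` result here is exactly the condition under which a client with `TLS_REQCERT demand` will refuse the server and drop the connection, so run the check with the URI the failing client actually uses.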