
Re: SSL/TLS - Help Please



> >>>>ldapsearch -x  -D "cn=Manager,dc=uminho,dc=pt" '(objectclass=*)' -H
> >>>>ldaps://estagio  -W

your ldapsearch command indicates that you're using ldaps://estagio, but
how is your certificate created? it should have CN=FQDN (and
subjectAltName extension=FQDN?), and this FQDN should exactly match how you
are going to call ldap*utils or libldap.

if you're not having a CN at all, then you should include that for the
certificates as CN=FQDN and use ldaps://FQDN. (if you are only going to
use ldaps or tls on it locally, then you can use FQDN as estagio, but if
you want it to accept ldaps or tls connections from across your
network, then you should have the FQDN as estagio.yourdomain.com)

Siva
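The name-matching rule Siva describes above (CN or subjectAltName must equal the name the client dials), as an added example that is not code from this thread or from OpenLDAP. The certificate dicts use the layout Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates, the `example.com` names and the `peer_cert_for` convenience wrapper are assumptions made for the demonstration, not values from the thread.

```python
from __future__ import annotations

import socket
import ssl

# Certificate fields below use the dict layout returned by
# ssl.SSLSocket.getpeercert(): "subject" is a tuple of RDNs, each a tuple of
# (attribute, value) pairs; "subjectAltName" is a tuple of (type, value) pairs.


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (SAN dNSName or CN) against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    is accepted only as the entire leftmost label, matches exactly one
    label, and needs at least two further labels (so "*.com" never matches).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> tuple:
    """Return (names, from_san).

    dNSName entries in subjectAltName take precedence; the commonName is
    only consulted when the certificate carries no dNSName at all.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san, True
    cns = [value for rdn in cert.get("subject", ())
           for attr, value in rdn if attr == "commonName"]
    return cns, False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the name used to reach the server is covered by the certificate."""
    names, _ = cert_names(cert)
    return any(_name_matches(n, hostname) for n in names)


def explain(cert: dict, hostname: str) -> str:
    """Human-readable verdict of the kind a client reports under TLS_REQCERT demand."""
    names, from_san = cert_names(cert)
    source = "subjectAltName" if from_san else "commonName"
    if hostname_matches(cert, hostname):
        return f"OK: '{hostname}' matches {source} {names}"
    return f"MISMATCH: '{hostname}' not covered by {source} {names}"


def peer_cert_for(host: str, port: int = 636, cafile: str | None = None) -> dict:
    """Assumed helper: fetch a live server certificate in the same dict layout.

    Hostname checking is turned off here only so the mismatch can be reported
    by explain() instead of aborting the handshake; chain validation against
    cafile (the TLS_CACERT file) still applies.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (not certificates from the thread).
# A certificate issued with only CN=estagio and no SAN, as the reply
# describes for a host that is only reached locally.
CERT_CN_ONLY = {
    "subject": ((("countryName", "PT"),), (("commonName", "estagio"),)),
}
# The same host issued with its fully qualified name in both CN and SAN.
CERT_FQDN = {
    "subject": ((("commonName", "estagio.example.com"),),),
    "subjectAltName": (("DNS", "estagio.example.com"),),
}
# CN says estagio but the SAN names something else: the SAN wins, so
# dialing ldaps://estagio fails against this certificate.
CERT_SAN_OVERRIDES_CN = {
    "subject": ((("commonName", "estagio"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}

if __name__ == "__main__":
    for cert, host in [
        (CERT_CN_ONLY, "estagio"),
        (CERT_CN_ONLY, "estagio.example.com"),
        (CERT_FQDN, "ESTAGIO.EXAMPLE.COM."),
        (CERT_SAN_OVERRIDES_CN, "estagio"),
    ]:
        print(explain(cert, host))
```

Running the block shows why a certificate with CN=estagio satisfies `ldaps://estagio` but not `ldaps://estagio.yourdomain.com`, and why adding a subjectAltName changes which names are consulted at all. To check a real server, pass the result of `peer_cert_for("estagio", 636, cafile="/var/myca/cacert.pem")` to `explain()` with the exact host string used in the `-H` URI.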


On Wed, 28 Jan 2004, Miguel Baptista wrote:

> Hi,
>
> First of all, I want to thank you Siva, for trying to help me.
>
> Here is the whole debug (it doesn't give more information about the
> problem):
>
> daemon: activity on 1 descriptors
> daemon: new connection on 13
> conn=1 fd=13 ACCEPT from IP=127.0.0.1:33901 (IP=0.0.0.0:636)
> daemon: added 13r
> daemon: activity on:
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 13r
> daemon: read activity on 13
> connection_get(13)
> connection_get(13): got connid=1
> connection_read(13): checking for input on id=1
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=0
>
> TLS: can't accept.
> connection_read(13): TLS accept error error=-1 id=1, closing
> connection_closing: readying conn=1 sd=13 for close
> connection_close: conn=1 sd=13
> daemon: removing 13
> conn=1 fd=13 closed
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
>
>
> I tried this command (in the slapd.conf i put:   TLSVerifyClient    never)
>   > openssl s_client -connect estagio:636 -showcerts -state -CAfile
> /var/myca/cacert.pem
>
> and everything is ok.
>
>
> Then i tried this one (in the slapd.conf i put: TLSVerifyClient   demand)
>  > openssl s_client -connect estagio:636 -showcerts -state -CAfile
> /var/myca/cacert.pem -cert /home/miguel/client.pem
>                       -key /home/miguel/Client.key.pem
>
> and everything is ok.
>
> I think the error should be in my client's configuration. But I don't know
> exactly where.
>
> Here is, one more time, my client's configuration files:
>
> My ldap.conf (in /etc/openldap):
> ...
> HOST estagio
> PORT 636
> TLS_CACERT  /var/myca/cacert.pem
>
>
> My .ldaprc (in my user's home)
> ...
> TLS_CERT /home/miguel/client.pem
> TLS_KEY /home/miguel/client.key.pem
> TLS_REQCERT demand
>
>
> Don't know what to do. Any ideas?
>
>
> Siva Kollipara wrote:
>
> >>tls_read: want=11, got=0
> >>
> >>
> >indicates that TLS was expecting 11 bytes but instead got 0 bytes.
> >can you include the whole debug trace?
> >
> >Siva
> >
> >On Mon, 26 Jan 2004, Miguel Baptista wrote:
> >
> >
> >
> >>Hi,
> >>
> >>I tried to start my server with the "-d -1" option.
> >>
> >>In the client I got this message:
> >>    "ldap_start_tls: Can't contact LDAP server (81)"
> >>
> >>
> >>This is the error message i got in the server:
> >>
> >>"TLS trace: SSL_accept:before/accept initialization
> >>tls_read: want=11, got=0
> >>
> >>TLS: can't accept.
> >>connection_read(13): TLS accept error error=-1 id=1, closing
> >>connection_closing: readying conn=1 sd=13 for close
> >>connection_close: conn=1 sd=13
> >>daemon: removing 13
> >>conn=1 fd=13 closed"
> >>
> >>It looks like TLS is expecting the value 11 and is getting the value 0.
> >>
> >>I looked in the OpenLDAP archive and in Google but I don't know what may
> >>be causing this error.
> >>
> >>Any idea? Can someone help me, or give some directions?
> >>
> >>Best Regards
> >>
> >>
> >>Siva Kollipara wrote:
> >>
> >>
> >>
> >>>On Fri, 23 Jan 2004, Miguel Baptista wrote:
> >>>can you give more detail on the error information.
> >>>
> >>>try using -d -1 on your ldapsearch; that should give more detailed info.
> >>>
> >>>i assume you have installed ldap with ssl support (and the correct path to
> >>>ssl libraries) also check if your server has permission to read
> >>>the CA certs (server as root should be ok)
> >>>
> >>>best bet try with -d -1 and that should be sufficient to find out the
> >>>reason.
> >>>
> >>>let me know if this helps,
> >>>siva
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>>I'm using OpenLDAP v.2.1.22 and OpenSSL 0.9.7b
> >>>>
> >>>>I start my server with this command line:
> >>>>/usr/local/libexec/slapd -d9 -h "ldap:/// ldaps:///"
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>>PORT 636
> >>>>TLS_CACERT  /var/myca/estagio/cacert.pem
> >>>>TLS_REQCERT demand
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>My .ldaprc (in my user's home)
> >>>>
> >>>>TLS_REQCERT demand
> >>>>
> >>>># client authentication
> >>>>TLS_CERT /home/miguel/client.pem
> >>>>TLS_KEY /home/miguel/client.key.pem
> >>>>
> >>>>
> >>>>When i try this:
> >>>>ldapsearch -x  -D "cn=Manager,dc=uminho,dc=pt" '(objectclass=*)' -H
> >>>>ldaps://estagio  -W
> >>>>
> >>>>I got this error (in ldap server ):
> >>>>TLS trace: SSL_accept:before/accept initialization
> >>>>TLS: can't accept.
> >>>>connection_read(13): TLS accept error error=-1 id=4, closing
> >>>>
> >>>>
> >>>>and with this: ldapsearch -x -D "cn=Manager,dc=uminho,dc=pt"
> >>>>'(objectclass=*)' -H ldaps://estagio -w "secret" -ZZ
> >>>>
> >>>>I got the same error
> >>>>
> >>>>
> >>>>I tried the testing commands (from the how-to, and everything seems ok):
> >>>>openssl s_client -connect myserver.com:636 ...
> >>>>
> >>>>
> >>>>Can anyone help? Am I forgetting something? I've read something about the
> >>>>environment variable LDAPNOINIT; is this necessary?
> >>>>
> >>>>Best Regards
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>
> >>
>
>