[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: debugging tls (apache2 mod_ldap)
* Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0704 16:04]:
> At 04:57 AM 7/13/2004, Dick Davies wrote:
> >* Dick Davies <rasputnik@hellooperator.net> [0721 15:21]:
> >> * Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0709 22:09]:
> >
> >Sorry to reply to my own post, but I've just been reading
> >
> >http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#7.0
> This (independently authored) article uses the terms TLS and
> SSL in a confusing manner. I've been meaning to ask Kent
> to revise it.
Ah, ok. I just assumed it was authoratative since it's on the site -
and of course by definition your responses are authoratative too :)
> >>>Do I have an option to just do SSL without TLS,
> >What I think is happening is mod_auth_ldap
> >is trying to do both - presumably that works fine with many configurations, but
> >no mine. I need to have an SSL tunnel and not worry about TLS.
>
> SSL and TLS are same thing.
The point I'm trying (badly) to make is that I wanted to check mod_ldap isn't trying
to do what the 'ldapsearch -ZZ -H 'ldaps.........' command is - I know it's an error,
Snipping as much irrelevant code as I can, it does the following operations to init
the connection:
ldc->ldap = ldap_init(ldc->host, ldc->port);
if (NULL != ldc->ldap)
{
int SSLmode = LDAP_OPT_X_TLS_HARD;
result = ldap_set_option(ldc->ldap, LDAP_OPT_X_TLS, &SSLmode);
}
[ ldc->ldap is the cached LDAP connection, which gets reused by apache,
the arguments to ldap_init are 'ldaphost.domain' and the ldaps port (636) ]
The ldap_set_option call handles both SSL initialization and startTLS, right ?
If so, I don't think mod_ldap is at fault - it works fine on our other servers.
What I *have* found (with 'openssl s_client', recommended by the url at top, thanks)
is that the CN on the certificate doesn't match the hostname, though there is a
'subject alternate name' set to the correct hostname in there too.
Does that sound like something that would cause the ldap_set_option() call to fail?
The client API is openldap 2.1.30, the server is some Novell directory thing.
> >[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -x -H 'ldaps://ldaphost.domain/o=org' uid=user
> This (ldaps://) initiates TLS upon establishment of the TCP stream (on port 636).
> >[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user
> This asks that TLS be established upon establish of the TCP
> stream (on port 636) and subsequently request TLS be established
> (again) via use of the LDAP Start TLS operation.
right, so the ldaps:// prefix specifies to start TLS, rather than to do startTLS
(you can see where the confusion comes in, cant' you)? Gotcha.
> >Does that make any sense?
> >Maybe we're getting startTLS and TLS confused here?
>
> Maybe. TLS (SSL) is a security layer. StartTLS is a mechanism
> for starting TLS. ldaps:// is another mechanism for starting TLS.
Thanks, Kurt, that clarifies it well.
--
Finagle's Creed:
Science is true. Don't be misled by facts.
Rasputin :: Jack of All Trades - Master of Nuns