[Date Prev][Date Next] [Chronological] [Thread] [Top]

problem with clientside TLS

To: openldap-software@OpenLDAP.org
Subject: problem with clientside TLS
From: Guillaume Rousse <rousse@ccr.jussieu.fr>
Date: Wed, 24 Nov 2004 23:34:47 +0100
User-agent: Mozilla Thunderbird 0.9 (X11/20041105)

I'm trying to setup clientside TLS with openldap 2.1.29.

Serverside works OK. I've just generated a client cert, signed it with the same CA as the server cert, and added TLSVerifyClient demand in slapd.conf

However, it doesn't work anymore
guillomovitch@katu:~$ ldapsearch -x -H ldaps://ldap.zarb.org
ldap_bind: Can't contact LDAP server (81)

guillomovitch@katu:~$ ldapsearch -x -H ldaps://ldap.zarb.org -d 9 ldap_create ldap_url_parse_ext(ldaps://ldap.zarb.org) ldap_bind_s ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP ldap.zarb.org:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 212.85.153.250:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 ldap_int_sasl_open: host=katu3 TLS certificate verification: depth: 0, err: 0, subject: C=, ST=, L=, O=zarb.org, OU=ldap server, CN=ldap.zarb.org/Email=ldapmaster@zarb.org, issuer: C=, ST=Some-State, L=, O=zarb.org, OU=certification authority, CN=ca.zarb.org/Email=camaster@zarb.org ldap_open_defconn: successful ldap_send_server_request ber_flush: 14 bytes to sd 3 ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (infinite timeout), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections: * host: ldap.zarb.org port: 636 (default) refcnt: 2 status: Connected last used: Wed Nov 24 23:27:35 2004

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next failed.
ldap_perror
ldap_bind: Can't contact LDAP server (81)

Here is my .ldaprc:
TLS_CACERT      /etc/ssl/crt/ca.pem
TLS_REQCERT     demand
TLS_CERT        /etc/ssl/client.crt
TLS_KEY         /etc/ssl/client.key

Following http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.2, I tested with openssl_client:

guillomovitch@katu:~$ openssl s_client -connect ldap.zarb.org:636 -showcerts -state -CAfile /etc/ssl/crt/ca.pem -cert /etc/ssl/client.crt -key /etc/ssl/client.key CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org verify return:1 depth=0 /C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org i:/C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- --- Server certificate subject=/C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org issuer=/C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org --- No client certificate CA names sent --- SSL handshake has read 1681 bytes and written 282 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 2048 bit SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: 12E58010D2F0364E7965C3DD2974012903B37756661955B8730129E1CBADEE69 Session-ID-ctx: Master-Key: D7F2483CFF8C438B17D6D9278100770E413666AE9F71CDE5C64834D6431242928F381236DCABFB5866F9FAB516BA372B Key-Arg : None Start Time: 1101335314 Timeout : 300 (sec) Verify return code: 0 (ok) --- read:errno=0 SSL3 alert write:warning:close notify

Note that I still have the infamous "No client certificate CA names sent" line, and my SSL handshake trace is slightly different from the one exposed in the document: no "SSL_connect:SSLv3 read server certificate request A", but "SSL_connect:SSLv3 read server key exchange A"

my openssl_client version is 0.9.6c, while ldap is linked against libopenssl 0.9.7c, which could explain part of the problem. -- Why is it when two planes almost hit each other it is called a "near miss"? Shouldn't it be called a "near hit"? -- Why Why Why n°43

Prev by Date: RE: OpenLDAP as an enterprise level LDAP provider
Next by Date: Foreign Key Attributes w/ LDAP
Index(es):
- Chronological
- Thread