
FW: OpenLDAP 2.3.20 + OpenSSL 0.9.8a -> SSL/TLS Segmentation fault



Hello, I'm trying to get OpenLDAP working with SSL/TLS to serve on a
secure port (636). I've read the admin guide, as well as other howtos,
but in the last instance I have followed the admin guide's directions. Is
there any other guide that could help?

- slapd is working OK if I do an ldapsearch (or other LDAP operations) against
  the ldap:// port (non-secure) without TLS.
- I've tried openssl s_server and s_client and they work fine together.
- When I try to do an ldapsearch using ldaps:// (or ldap:// forcing
  TLS), I get a Segmentation fault on the server side.
- When not forcing (but trying) TLS over ldap:// port 389, TLS fails and
  the server tries a simple connection (without TLS) and asks for the LDAP
  password. When I enter the password the client can't continue because the
  server has given a Segmentation fault.
- All permissions on the files seem to be right.
- Same error with OpenLDAP 2.3.19.

Any help would really be very welcome. Thanks in advance.

I attach some debugging info. If it is not enough, please tell me and I
could send any other info you need to help me. (I have trimmed the
message to fit the list's rules.)

	The OS is Red Hat Enterprise Linux 4 ES Update 2
	I'm not using the OpenSSL, SASL, OpenLDAP from the OS, but built them from
	source.
	OpenLDAP is installed in /usr/local
	OpenSSL 0.9.8a is installed in /usr/local/ssl
	SASL 2.1.21 is installed in /usr/local

Here is how I configured it:

$ SASL_PATH=/usr/local/sasl/lib/sasl2; export SASL_PATH

$ LD_LIBRARY_PATH=/usr/local/ssl/lib:/usr/local/BerkeleyDB.4.4/lib:/usr/local/lib; export LD_LIBRARY_PATH

$ LDFLAGS="-L/usr/local/lib/sasl2 -L/usr/local/BerkeleyDB.4.4/lib -L/usr/local/ssl/lib -L/usr/local/lib" \
  CPPFLAGS="-I/usr/local/include/sasl -I/usr/local/BerkeleyDB.4.4/include -I/usr/local/ssl/include/openssl" \
  ./configure --with-tls --with-cyrus-sasl --enable-ldbm --enable-ldbm-api=berkeley --enable-spasswd --enable-crypt --enable-slurpd

$ make depend

$ make

$ make test

$ su -c "make install"

All tests ok.

Library paths and links seem to be OK.

# ldd /usr/local/libexec/slapd

# ldd /usr/local/ssl/bin/openssl


LDAP.CONF

	# See ldap.conf(5) for details
	# This file should be world readable but not world writable.

	BASE dc=esi, dc=es
	URI ldap://thor.esi.es:389 ldaps://thor.esi.es:636

	TLS_CACERT /usr/local/etc/openldap/cacert.pem
	TLS_REQCERT try

SLAPD.CONF

	# CA signed certificate and server cert entries:
	TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3:+SSLv2
	TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
	TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
	TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem


Here is the trace:

(In my attempts to install OpenLDAP with SSL/TLS, this is how far I have
gotten. I have managed to eliminate the problems usually blamed on SSL,
and I think I am in the situation they require before sending mail to
the OpenLDAP lists.

This is the trace of the OpenLDAP server and client with SSL. You can see
that when there is a request over ldaps:// a Segmentation fault occurs on
the server. If requests are made to ldap:// without SSL/TLS everything
goes fine.)

SERVER
[root@thor thorCA]# /usr/local/libexec/slapd -u slapd -g slapd -h "ldap:/// ldaps:///" -f /usr/local/etc/openldap/slapd.conf -d3

	@(#) $OpenLDAP: slapd 2.3.20 (Mar  6 2006 13:16:59) $
	        root@thor.esi.es:/home/Software/openldap/openldap-2.3.20/servers/slapd
	daemon_init: listen on ldap:///
	daemon_init: listen on ldaps:///
	daemon_init: 2 listeners to open...
	ldap_url_parse_ext(ldap:///)
	daemon: listener initialized ldap:///
	ldap_url_parse_ext(ldaps:///)
	daemon: listener initialized ldaps:///
	daemon_init: 4 listeners opened
	slapd init: initiated server.
	slap_sasl_init: initialized!
	bdb_back_initialize: initialize BDB backend
	bdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
	hdb_back_initialize: initialize HDB backend
	hdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
	...
	bdb_db_open: dbenv_open(/usr/local/var/openldap-data)
	slapd starting
	ldap_pvt_gethostbyname_a: host=thor.esi.es, r=0
	connection_get(15): got connid=0
	connection_read(15): checking for input on id=0
	tls_read: want=11, got=11
	  0000:  80 92 01 03 01 00 69 00  00 00 20                  ......i...
	tls_read: want=137, got=137
	  0000:  00 00 39 00 00 38 00 00  35 00 00 16 00 00 13 00   ..9..8..5.......
	...
	  0080:  5c 0d ab 07 4c 16 90 52  33                        \...L..R3
	Segmentation fault


CLIENT
[root@thor openldap]# /usr/local/bin/ldapsearch -x -b 'dc=esi,dc=es' -D "cn=Manager,dc=esi,dc=es" '(objectclass=*)' -H ldaps://thor.esi.es:636 -W -ZZ -d3

	ldap_create
	ldap_url_parse_ext(ldaps://thor.esi.es:636)
	ldap_extended_operation_s
	ldap_extended_operation
	ldap_send_initial_request
	ldap_new_connection 1 1 0
	ldap_int_open_connection
	ldap_connect_to_host: TCP thor.esi.es:636
	ldap_new_socket: 3
	ldap_prepare_socket: 3
	ldap_connect_to_host: Trying 192.168.1.51:636
	ldap_connect_timeout: fd: 3 tm: -1 async: 0
	tls_write: want=148, written=148
	  0000:  80 92 01 03 01 00 69 00  00 00 20 00 00 39 00 00   ......i... ..9..
	...
	  0090:  16 90 52 33                                        ..R3
	tls_read: want=7, got=0
	...
	TLS: can't connect.
	ldap_perror
	ldap_start_tls: Can't contact LDAP server (-1)


OPENSSL TEST: I've tried TLSv1, SSLv2 and SSLv3. All seems right.
To look for the origin of the problem I have used the openssl server and
client (by default it does TLSv1/SSLv3). They work correctly:
=20
SERVER
[root@thor ~]# /usr/local/ssl/bin/openssl s_server -accept 636 -cert /usr/local/etc/openldap/servercrt.pem -key /usr/local/etc/openldap/serverkey.pem -debug

CLIENT
TLSv1
# /usr/local/ssl/bin/openssl s_client -state -CAfile /usr/local/etc/openldap/cacert.pem -connect thor.esi.es:636 -showcerts -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ES/ST=Vizcaya/O=European Software Institute/OU=ESI CA/CN=ca.esi.es
verify return:1
depth=0 /C=ES/ST=Vizcaya/L=Bilbao/O=European Software Institute/OU=ESI LDAP/CN=thor.esi.es
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
...
No client certificate CA names sent
---
SSL handshake has read 1170 bytes and written 236 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
...
    Verify return code: 0 (ok)
---

There is a connection using openssl s_server with ldapsearch -> it goes OK.
A test that gets closer to the problem is to use the openssl server and
make an ldapsearch request against it: the server communicates using SSL,
but obviously it cannot serve the LDAP request.

[root@thor ~]# /usr/local/ssl/bin/openssl s_server -accept 636 -cert /usr/local/etc/openldap/servercrt.pem -key /usr/local/etc/openldap/serverkey.pem -debug
[root@thor openldap]# /usr/local/bin/ldapsearch -x -b 'dc=esi,dc=es' -D "cn=Manager,dc=esi,dc=es" '(objectclass=*)' -H ldaps://thor.esi.es:636 -W -ZZ -d3

SSLv2 returns OK
# /usr/local/ssl/bin/openssl s_client -state -CAfile /usr/local/etc/openldap/cacert.pem -connect thor.esi.es:636 -showcerts -ssl2

But SSLv3 (or TLSv1) both give the same error

# /usr/local/ssl/bin/openssl s_client -state -CAfile /usr/local/etc/openldap/cacert.pem -connect thor.esi.es:636 -showcerts -ssl3

	CONNECTED(00000003)
	SSL_connect:before/connect initialization
	SSL_connect:SSLv3 write client hello A
	SSL_connect:failed in SSLv3 read server hello A
	7018:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:534:

# /usr/local/libexec/slapd -u slapd -g slapd -h "ldap:/// ldaps:///" -f /usr/local/etc/openldap/config_ssl/slapd.conf -d3

	@(#) $OpenLDAP: slapd 2.3.20 (Mar  6 2006 13:16:59) $
	        root@thor.esi.es:/home/Software/openldap/openldap-2.3.20/servers/slapd
	daemon_init: listen on ldap:///
	daemon_init: listen on ldaps:///
	daemon_init: 2 listeners to open...
	ldap_url_parse_ext(ldap:///)
	daemon: listener initialized ldap:///
	ldap_url_parse_ext(ldaps:///)
	daemon: listener initialized ldaps:///
	daemon_init: 4 listeners opened
	slapd init: initiated server.
	slap_sasl_init: initialized!
	bdb_back_initialize: initialize BDB backend
	bdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
	hdb_back_initialize: initialize HDB backend
	hdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
	...
	slapd starting
	ldap_pvt_gethostbyname_a: host=thor.esi.es, r=0
	connection_get(14): got connid=0
	connection_read(14): checking for input on id=0
	tls_read: want=11, got=11
	  0000:  16 03 00 00 61 01 00 00  5d 03 00                  ....a...]..
	tls_read: want=91, got=91
	  0000:  44 19 22 d9 ba c0 77 75  d3 d9 5f 77 39 19 93 e1   D."...wu.._w9...
	  0010:  7f 7f 6d a0 75 87 32 3e  2c af df a2 62 be 7c be   ..m.u.2>,...b.|.
	  0020:  00 00 36 00 39 00 38 00  35 00 16 00 13 00 0a 00   ..6.9.8.5.......
	  0030:  33 00 32 00 2f 00 07 00  66 00 05 00 04 00 63 00   3.2./...f.....c.
	  0040:  62 00 61 00 15 00 12 00  09 00 65 00 64 00 60 00   b.a.......e.d.`.
	  0050:  14 00 11 00 08 00 06 00  03 01 00                  ...........
	Segmentation fault

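Added example, not part of the original mail: a small Python decoder for the ClientHello bytes that slapd read in the two traces above. It shows that the ldapsearch run sent an SSLv2-compatible hello advertising TLS 1.0 while the "-ssl3" run sent a plain SSLv3 record, and that slapd crashed on both before replying, so the crash does not depend on the hello format. The byte strings are transcribed from the mail's hex dumps (the second one is the full record so its cipher-suite list can be walked); the function names are the example's own.

```python
import struct

# Bytes transcribed from the hex dumps in the two slapd traces above (constructed
# from the mail, not captured here): the 11-byte first read of the ldapsearch run,
# and the complete 102-byte record of the "openssl s_client -ssl3" run.
SSLV2_COMPAT_PREFIX = bytes.fromhex("80 92 01 03 01 00 69 00 00 00 20")
SSLV3_HELLO = bytes.fromhex(
    "16 03 00 00 61 01 00 00 5d 03 00"
    "44 19 22 d9 ba c0 77 75 d3 d9 5f 77 39 19 93 e1"
    "7f 7f 6d a0 75 87 32 3e 2c af df a2 62 be 7c be"
    "00 00 36 00 39 00 38 00 35 00 16 00 13 00 0a 00"
    "33 00 32 00 2f 00 07 00 66 00 05 00 04 00 63 00"
    "62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00"
    "14 00 11 00 08 00 06 00 03 01 00")

def version_name(major, minor):
    return {(3, 0): "SSLv3", (3, 1): "TLSv1.0"}.get((major, minor), f"{major}.{minor}")

def parse_client_hello(data):
    """Decode a ClientHello the way slapd's tls_read receives it: an 11-byte prefix
    first, then the rest of the record. Both hello encodings are handled."""
    if len(data) < 11:
        raise ValueError("need the 11-byte prefix slapd reads first")
    if data[0] & 0x80:
        # SSLv2-compatible hello: 2-byte header with the high bit set and a 15-bit length,
        # then msg type, version, and three 16-bit lengths (cipher specs, session id, challenge)
        cs_len, sid_len, ch_len = struct.unpack(">HHH", data[5:11])
        return {"format": "SSLv2-compatible", "msg_type": data[2],
                "version": version_name(data[3], data[4]),
                "record_length": ((data[0] & 0x7F) << 8) | data[1],
                "cipher_specs": cs_len // 3,   # SSLv2 cipher specs are 3 bytes each
                "session_id_length": sid_len, "challenge_length": ch_len}
    # SSLv3/TLS record: content type, version, 16-bit length, then the handshake header
    info = {"format": "SSLv3/TLS record", "content_type": data[0],
            "record_version": version_name(data[1], data[2]),
            "record_length": struct.unpack(">H", data[3:5])[0],
            "handshake_type": data[5], "handshake_length": int.from_bytes(data[6:9], "big"),
            "hello_version": version_name(data[9], data[10])}
    if len(data) >= 5 + info["record_length"]:
        body = data[11:]          # after client_version: 32 bytes of random, then session id
        pos = 33 + body[32]       # session id length sits at body[32]; pos -> cipher_suites length
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
        info["cipher_suites"] = [struct.unpack(">H", body[i:i + 2])[0]
                                 for i in range(pos + 2, pos + 2 + cs_len, 2)]
        comp_start = pos + 3 + cs_len
        info["compression_methods"] = list(body[comp_start:comp_start + body[pos + 2 + cs_len]])
    return info

if __name__ == "__main__":
    for rec in (SSLV2_COMPAT_PREFIX, SSLV3_HELLO):
        print(parse_client_hello(rec))
```

The record lengths line up with the reads in the traces: 146 + 2 header bytes is the 11 + 137 read of the first run, and 97 + 5 is the 11 + 91 read of the second.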

