
Re: SSL Help



Vinh.CTR.Hoang@faa.gov wrote, on 13-02-2008 22:08:

It seems like my ldapsearch can't get the local issuer certificate. Which configuration file tells ldapsearch which
certificate to use?
Oh, my certificate, keys and cacert files are good; I've tested them using openssl s_server and s_client to get a basic connection.
Can someone help me? I don't know what else could be the problem.

I could be way out, but it seems to me from both your client and server logs that your certs haven't been generated correctly. AFAICS you've given the correct cert locations in your two OpenLDAP config files.


Your certs must be in pem format, not in der format.

Try the following on your server cert:

openssl x509 -in nameofyourcert -noout -text | less
Look for:
       X509v3 Authority Key Identifier:
           keyid:9C:47:70:97:DE:A3:FA:23:6F:58:57:C7:97:99:B7:DD:02:2E:A8:64
(This is from one of my own certs, so the keyid won't be the same)
           DirName:/C=NL/ST=Noordholland/O=Barlaeus etc.

Do the same on your CA cert and verify that you have something like:
       X509v3 Subject Key Identifier:
           9C:47:70:97:DE:A3:FA:23:6F:58:57:C7:97:99:B7:DD:02:2E:A8:64
       X509v3 Authority Key Identifier:
           keyid:9C:47:70:97:DE:A3:FA:23:6F:58:57:C7:97:99:B7:DD:02:2E:A8:64
(i.e. the same keyid as in the server cert)
           DirName:/C=NL/ST=Noordholland/O=Barlaeus etc.

This should show that the server cert has been signed by the CA for which the CA cert has been presented to both server and client.

Best,

--Tonni

--

here's the log for ldapsearch:
/usr/local/bin/ldapsearch -x -LLL -ZZ -d 1 ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_close_socket: 4
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 4
ldap_result ld 60888 msgid 1
ldap_chkResponseList ld 60888 msgid 1 all 1
ldap_chkResponseList returns ld 60888 NULL
wait4msg ld 60888 msgid 1 (infinite timeout)
wait4msg continue ld 60888 msgid 1 all 1
** ld 60888 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Feb 13 20:49:25 2008


** ld 60888 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 60888 Response Queue:
Empty
ldap_chkResponseList ld 60888 msgid 1 all 1
ldap_chkResponseList returns ld 60888 NULL
ldap_int_select
read1msg: ld 60888 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 60888 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 60888 0 new referrals
read1msg: mark request completed, ld 60888 msgid 1
request done: ld 60888 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldap1.mylan/emailAddress=abc@mylan, issuer: /CN=ldap1.mylan/emailAddress=abc@mylan
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


and here's the server's log for that search


daemon: activity on 1 descriptor
>>> slap_listener(ldap:///)
daemon: listen=8, new connection on 14
daemon: added 14r (active) listener=0
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=6
connection_read(14): checking for input on id=6
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80  0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36  .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37  6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x002094f0 ptr=0x002094f0 end=0x0020950d len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34  ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37  .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x002094f0 ptr=0x002094f3 end=0x0020950d len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e  w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37  1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00  0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00  0....x........
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=6
connection_read(14): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20  .z....Q...
tls_read: want=113, got=113
0000: 00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00  ..9..8..5.......
0010: 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00  .......3..2../..
0020: 07 05 00 80 03 00 80 00 00 05 00 00 04 01 00 80  ................
0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00  ...........@....
0040: 00 11 00 00 08 00 00 06 04 00 80 00 00 03 02 00  ................
0050: 80 32 4e ca 88 41 1f 3a 73 cd a1 1c 29 73 a6 81  .2N..A.:s...)s..
0060: 8c c5 af c3 af 93 bf 13 4a c7 54 90 b7 82 d2 69  ........J.T....i
0070: 2f  /
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=810, written=810
0000: 16 03 01 00 4a 02 00 00 46 03 01 47 b3 58 84 43  ....J...F..G.X.C
0010: c3 a5 64 a9 b5 7c 0b 8b 25 1c d6 e9 ce f2 1f 9b  ..d..|..%.......
0020: 82 00 e0 6d 33 e7 e6 44 53 6c 52 20 7d 72 fe 41  ...m3..DSlR }r.A
0030: 17 4c 96 5c 5c 9c 6b df 32 0d c0 32 45 fe 7b bf  .L.\\.k.2..2E.{.
0040: a9 5e 16 4b 62 ec 3b 11 76 6e ee ce 00 35 00 16  .^.Kb.;.vn...5..
0050: 03 01 02 cd 0b 00 02 c9 00 02 c6 00 02 c3 30 82  ..............0.
0060: 02 bf 30 82 02 28 a0 03 02 01 02 02 01 01 30 0d  ..0..(........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 30 31  ..*.H........001
0080: 14 30 12 06 03 55 04 03 13 0b 6c 64 61 70 31 2e  .0...U....ldap1.
0090: 6d 79 6c 61 6e 31 18 30 16 06 09 2a 86 48 86 f7  mylan1.0...*.H..
00a0: 0d 01 09 01 16 09 61 62 63 40 6d 79 6c 61 6e 30  ......abc@mylan0
00b0: 1e 17 0d 30 38 30 32 31 33 31 36 31 34 32 32 5a  ...080213161422Z
00c0: 17 0d 31 38 30 32 31 32 31 36 31 34 32 32 5a 30  ..180212161422Z0
00d0: 30 31 14 30 12 06 03 55 04 03 13 0b 6c 64 61 70  01.0...U....ldap
00e0: 31 2e 6d 79 6c 61 6e 31 18 30 16 06 09 2a 86 48  1.mylan1.0...*.H
00f0: 86 f7 0d 01 09 01 16 09 61 62 63 40 6d 79 6c 61  ........abc@myla
0100: 6e 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01  n0..0...*.H.....
0110: 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 ef 80  .......0........
0120: 03 36 0f 1e e0 19 e7 1d 03 a9 cb 13 53 81 d6 f7  .6..........S...
0130: bf b6 e4 1c 84 38 77 bd 85 39 e6 f6 9c 50 70 82  .....8w..9...Pp.
0140: 3e 7e e0 17 e9 86 4f a3 48 8f bb 1a f1 04 92 72  >~....O.H......r
0150: bc 02 a7 dd 97 54 c1 cd 09 bd f8 d8 da 23 04 8e  .....T.......#..
0160: e7 77 de 44 f8 54 f9 5e 35 1e 05 50 71 b2 dc 25  .w.D.T.^5..Pq..%
0170: 71 7b e9 48 99 bf 93 a2 07 4e 4e 1f 1f 96 c8 b8  q{.H.....NN.....
0180: 76 21 3b fc c7 60 ab b2 4a 01 2d 8a 15 ee af e7  v!;..`..J.-.....
0190: 76 4e 50 1b 61 8f 5c a1 b3 07 4a cc 82 43 02 03  vNP.a.\...J..C..
01a0: 01 00 01 a3 81 e8 30 81 e5 30 09 06 03 55 1d 13  ......0..0...U..
01b0: 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01  ..0.0,..`.H...B.
01c0: 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e  .....OpenSSL Gen
01d0: 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61  erated Certifica
01e0: 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 18 e5 ab  te0...U.........
01f0: 2a 99 96 50 78 35 71 52 a6 ad 1f 8a 53 c6 72 cd  *..Px5qR....S.r.
0200: dc 30 60 06 03 55 1d 23 04 59 30 57 80 14 25 ba  .0`..U.#.Y0W..%.
0210: f3 49 07 88 d2 aa 76 2f 59 fc f0 bb 08 6d b5 17  .I....v/Y....m..
0220: f3 e8 a1 34 a4 32 30 30 31 14 30 12 06 03 55 04  ...4.2001.0...U.
0230: 03 13 0b 6c 64 61 70 31 2e 6d 79 6c 61 6e 31 18  ...ldap1.mylan1.
0240: 30 16 06 09 2a 86 48 86 f7 0d 01 09 01 16 09 61  0...*.H........a
0250: 62 63 40 6d 79 6c 61 6e 82 09 00 8e 0f 59 9d 05  bc@mylan.....Y..
0260: 90 4f f0 30 29 06 03 55 1d 11 04 22 30 20 82 0a  .O.0)..U..."0 ..
0270: 6c 64 61 70 2e 6d 79 6c 61 6e 82 12 6c 6f 61 64  ldap.mylan..load
0280: 62 61 6c 61 6e 63 65 72 2e 6d 79 6c 61 6e 30 0d  balancer.mylan0.
0290: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 81  ..*.H...........
02a0: 00 89 b9 5b c0 9e 57 39 32 c0 55 79 d6 dd cd 55  ...[..W92.Uy...U
02b0: 2f 6c a4 7e 96 96 f8 f2 51 38 85 35 f1 a9 42 45  /l.~....Q8.5..BE
02c0: b8 f7 e4 a8 68 46 43 c5 5a d8 74 3e e8 a1 f3 25  ....hFC.Z.t>...%
02d0: a7 57 2c bd 0c a2 5d f3 ae 19 57 f6 13 f1 07 2f  .W,...]...W..../
02e0: df da 39 85 bd 0f 60 7b 98 52 8b ae 5d 7a 1a c5  ..9...`{.R..]z..
02f0: 59 b5 6f 49 74 05 87 5f a4 72 49 7d 59 79 da 97  Y.oIt.._.rI}Yy..
0300: 5d 01 9c e2 fb b5 42 21 19 f6 9a ef 05 5e cb 8b  ].....B!.....^..
0310: e4 b3 2a 7f f2 5e 87 73 23 ed c0 31 78 53 7e 18  ..*..^.s#..1xS~.
0320: 39 16 03 01 00 04 0e 00 00 00  9.........
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02  .....
tls_read: want=2, got=2
0000: 02 30  .0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053
connection_read(14): TLS accept failure error=-1 id=6, closing
connection_closing: readying conn=6 sd=14 for close
connection_close: conn=6 sd=14
daemon: removing 14
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL


>>>>>>>>>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Thanks, Vinh




Vinh CTR Hoang/ACT/CNTR/FAA@FAA
Sent by: openldap-technical-bounces+vinh.ctr.hoang=faa.gov@OpenLDAP.org
02/12/2008 05:27 PM
To: openldap-technical@openldap.org
cc:
Subject: SSL Help

Hi, I'm having some troubles with openldap w/ TLS. I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving me back
"SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
On the server side log I'm getting:
TLS trace: SSL3 alert read: fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053



I've tried and tested my ssl connection using:
openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem
and that works, although if I use "TLSVerifyClient demand" in slapd.conf, the server will reject the connection
saying that the client didn't send the certificate. I also tried the client authentication ssl test and that works w/ and w/o the TLSVerifyClient demand option:
openssl s_client -connect ldap1.mylan:636 -state \
-CAfile /usr/local/etc/openldap/cacert.pem \
-cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \
-key /usr/local/etc/openldap/slapd-key-ldap1.pem


Does anyone know what I'm doing wrong?

Here are the tls part of my configs:
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....


ldap.conf

BASE        dc=mylan
HOST        ldap1.mylan
#URI        ldaps://127.0.0.1:636
TLS_CACERT        /usr/local/etc/openldap/cacert.pem
.....

/etc/ldap.conf

# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
#base dc=caplan,dc=org
base dc=mylan

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
host ldap1.mylan
#uri ldap://127.0.0.1/
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator


# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=NonAnon,dc=caplan,dc=org

# The credentials to bind with.
# Optional: default is no credential.
#bindpw SeCrEt

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=root,dc=padl,dc=com

# The port.
# Optional: default is 389.
port 389
..
...
..

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/local/etc/openldap/cacert.pem

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key



Thanks,
Vinh


--
Tony Earnshaw
Email: tonni at hetnet dot nl
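Tonni's check above (PEM rather than DER, and the server cert's Authority Key Identifier equal to the CA cert's Subject Key Identifier) as a script, so it can be run against a cacert.pem / server cert pair before pointing TLSCACertificateFile and TLS_CACERT at them. It is useful precisely in the situation the ldapsearch log shows at depth 0, where subject and issuer are the same DN and the names alone say nothing about which key signed the cert. This is an added example, not code from the thread or from OpenLDAP; it assumes only the openssl command-line tool. The CA, the server certificate, a DER copy of it and a "same DN, wrong CA" certificate are all generated on the fly for demonstration; the config file, file names and subject names are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a server certificate was
# really issued by the CA certificate handed to slapd/ldapsearch, using the
# same AKI/SKI comparison as "openssl x509 -noout -text", plus a PEM check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config (constructed): empty DN section because subjects
# come from -subj, plus the extensions that give CA and server certs their
# key identifiers in the first place.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[srv_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# cert_format FILE -> pem | der | unknown. OpenLDAP's TLS* options need PEM.
cert_format() {
    if openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1; then
        echo pem
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo der
    else
        echo unknown
    fi
}

# key_id FILE Subject|Authority -> hex key identifier from the X509v3
# extension, with the "keyid:" prefix that older OpenSSL prints stripped.
key_id() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -v ext="X509v3 $2 Key Identifier" '
            index($0, ext) { getline; sub(/^[ \t]+/, ""); sub(/^keyid:/, ""); print; exit }'
}

# check_chain SERVER_CERT CA_CERT -> 0 only when both files are PEM, the
# server cert's Authority Key Identifier equals the CA cert's Subject Key
# Identifier, and openssl verify can build the chain with that CA.
check_chain() {
    for f in "$1" "$2"; do
        fmt=$(cert_format "$f")
        if [ "$fmt" != pem ]; then
            echo "$f: format is $fmt, not PEM" >&2
            return 1
        fi
    done
    aki=$(key_id "$1" Authority)
    ski=$(key_id "$2" Subject)
    if [ -z "$aki" ] || [ "$aki" != "$ski" ]; then
        echo "server AKI '$aki' != CA SKI '$ski'" >&2
        return 1
    fi
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# --- constructed test material ---------------------------------------------
# A CA, a server cert it signed, a DER copy of that cert, and a cert whose
# issuer DN equals its subject DN but which the CA never signed (the shape
# seen at depth 0 in the ldapsearch log).
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ca.key"
openssl req -new -x509 -key "$WORK/ca.key" -subj "/CN=Example Test CA" -days 1 \
    -config "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/ca.pem"

openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/srv.key"
openssl req -new -key "$WORK/srv.key" -subj "/CN=ldap.example.test" \
    -config "$WORK/ext.cnf" -out "$WORK/srv.csr"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions srv_ext \
    -out "$WORK/srv.pem" 2>/dev/null
openssl x509 -in "$WORK/srv.pem" -outform DER -out "$WORK/srv.der"

openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/self.key"
openssl req -new -x509 -key "$WORK/self.key" -subj "/CN=ldap.example.test" -days 1 \
    -config "$WORK/ext.cnf" -extensions srv_ext -out "$WORK/self.pem"

for cert in srv.pem self.pem srv.der; do
    if check_chain "$WORK/$cert" "$WORK/ca.pem"; then
        echo "$cert: issued by ca.pem"
    else
        echo "$cert: not usable with ca.pem as TLSCACertificateFile/TLS_CACERT"
    fi
done
```

Run it against real files by calling check_chain with the server cert and CA cert paths in place of the generated ones; the final openssl verify is the same chain building libldap performs, so a failure there with matching key identifiers points at validity dates or extensions rather than at the CA pairing.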