
Re: TLSVerifyClient => no login possible



Hello Dieter,

IT WORKS - partially....

I have got it working from one client. The last problem was that I used host
names in the certificates and IPs in /etc/ldap.conf, because I read in the
comments of ldap.conf that the server must be resolvable without LDAP.

But I would like to use the server as a workstation, too. So I have
configured the client part (certificates and ldap.conf) the same as on the
"real" client PC, but I cannot perform a user login at kdm on the server.
The output of "slapd -d 3..." shows an error "TLS certificate
verification: Error, unable to get local issuer certificate". Why? I use
the same "cacert" and my own client cert, which is created in the same way
as the client certs of the other client. Or should I use the server
certificate as the client one, too?

Here is the output during login (I cut some "hex" lines):

slap_listener_activate(8):
>>> slap_listener(ldap://)
connection_get(24): got connid=36
connection_read(24): checking for input on id=36
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=36 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 24
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
connection_get(24): got connid=36
connection_read(24): checking for input on id=36
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 86 01 03 01 00 5d 00  00 00 20                  ......]...
tls_read: want=125, got=125
  0000:  00 00 39 00 00 38 00 00  35 00 00 88 00 00 87 00   ..9..8..5.......
  0010:  00 84 00 00 16 00 00 13  00 00 0a 07 00 c0 00 00   ................
  0020:  33 00 00 32 00 00 2f 00  00 45 00 00 44 00 00 41   3..2../..E..D..A
  0030:  03 00 80 00 00 05 00 00  04 01 00 80 00 00 15 00   ................
  0040:  00 12 00 00 09 06 00 40  00 00 14 00 00 11 00 00   .......@........
  0050:  08 00 00 06 04 00 80 00  00 03 02 00 80 0b 27 96   ..............'.
  0060:  15 ac 75 97 72 09 93 a8  cf f3 57 d9 a4 76 34 69   ..u.r.....W..v4i
  0070:  0a a2 ae 9d cf d9 e4 10  c5 08 66 b9 26            ..........f.&
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1778, written=1778
  0000:  16 03 01 00 4a 02 00 00  46 03 01 49 b0 67 40 b3   ....J...F..I.g@.
    .
    .
    .
  06f0:  00 00                                              ..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(24): got connid=36
connection_read(24): checking for input on id=36
tls_read: want=5, got=5
  0000:  16 03 01 05 d4                                     .....
tls_read: want=1492, got=1492
  0000:  0b 00 05 d0 00 05 cd 00  05 ca 30 82 05 c6 30 82   ..........0...0.
    .
    .
    .
  05d0:  59 d2 29 be                                        Y.).
TLS certificate verification: depth: 0, err: 20, subject:
/C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und Service
GmbH/OU=Computer/CN=lmvws1/emailAddress=snr@lmv-hartmannsdorf.de,
issuer: /C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und
Service GmbH/OU=Computer/CN=Sebastian
Reinhardt/emailAddress=snr@lmv-hartmannsdorf.de
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned s3_srvr.c:2564
connection_read(24): TLS accept failure error=-1 id=36, closing
connection_closing: readying conn=36 sd=24 for close
connection_close: conn=36 sd=24
slap_listener_activate(8):
>>> slap_listener(ldap://)
connection_get(24): got connid=37
connection_read(24): checking for input on id=37
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=37 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 24
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
connection_get(24): got connid=37
connection_read(24): checking for input on id=37
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 86 01 03 01 00 5d 00  00 00 20                  ......]...
tls_read: want=125, got=125
  0000:  00 00 39 00 00 38 00 00  35 00 00 88 00 00 87 00   ..9..8..5.......
    .
    .
    .
  0070:  89 48 20 a2 5a e3 8f 57  e0 e2 3e fa a5            .H .Z..W..>..
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1778, written=1778
  0000:  16 03 01 00 4a 02 00 00  46 03 01 49 b0 67 40 c4   ....J...F..I.g@.
    .
    .
    .
  06f0:  00 00                                              ..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(24): got connid=37
connection_read(24): checking for input on id=37
tls_read: want=5, got=5
  0000:  16 03 01 05 d4                                     .....
tls_read: want=1492, got=1492
  0000:  0b 00 05 d0 00 05 cd 00  05 ca 30 82 05 c6 30 82   ..........0...0.
    .
    .
    .
  05d0:  59 d2 29 be                                        Y.).
TLS certificate verification: depth: 0, err: 20, subject:
/C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und Service
GmbH/OU=Computer/CN=lmvws1/emailAddress=snr@lmv-hartmannsdorf.de,
issuer: /C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und
Service GmbH/OU=Computer/CN=Sebastian
Reinhardt/emailAddress=snr@lmv-hartmannsdorf.de
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned s3_srvr.c:2564
connection_read(24): TLS accept failure error=-1 id=37, closing
connection_closing: readying conn=37 sd=24 for close
connection_close: conn=37 sd=24
slap_listener_activate(8):
>>> slap_listener(ldap://)
connection_get(24): got connid=38
connection_read(24): checking for input on id=38
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=38 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 24
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
connection_get(24): got connid=38
connection_read(24): checking for input on id=38
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 86 01 03 01 00 5d 00  00 00 20                  ......]...
tls_read: want=125, got=125
  0000:  00 00 39 00 00 38 00 00  35 00 00 88 00 00 87 00   ..9..8..5.......
    .
    .
    .
  0070:  10 6f b2 c4 c3 a4 52 ab  4b 08 0b d4 f5            .o....R.K....
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1778, written=1778
  0000:  16 03 01 00 4a 02 00 00  46 03 01 49 b0 67 40 07   ....J...F..I.g@.
    .
    .
    .
  06f0:  00 00                                              ..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(24): got connid=38
connection_read(24): checking for input on id=38
tls_read: want=5, got=5
  0000:  16 03 01 05 d4                                     .....
tls_read: want=1492, got=1492
  0000:  0b 00 05 d0 00 05 cd 00  05 ca 30 82 05 c6 30 82   ..........0...0.
    .
    .
    .
  05d0:  59 d2 29 be                                        Y.).
TLS certificate verification: depth: 0, err: 20, subject:
/C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und Service
GmbH/OU=Computer/CN=lmvws1/emailAddress=snr@lmv-hartmannsdorf.de,
issuer: /C=DE/ST=Saxony/L=Hartmannsdorf/O=LMV Landmaschinenvertrieb- und
Service GmbH/OU=Computer/CN=Sebastian
Reinhardt/emailAddress=snr@lmv-hartmannsdorf.de
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned s3_srvr.c:2564
connection_read(24): TLS accept failure error=-1 id=38, closing
connection_closing: readying conn=38 sd=24 for close
connection_close: conn=38 sd=24

-- 
Best regards

Sebastian Reinhardt