
RE: Problem with SSL/TLS



OK... So I think I made some progress on this issue....

Here is my /etc/ldap.conf file:

cat /etc/ldap.conf
#host 127.0.0.1
base cn=users,dc=testing,dc=com
uri ldaps://localhost
binddn cn=manager,dc=testing,dc=com
bindpw password
scope sub
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
ssl on
tls_cacert /etc/openldap/cacerts/ca.key
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
tls_reqcert allow
nss_base_group          cn=groups,dc=testing,dc=com?sub
pam_password md5

When I use "tcpdump" to actually view the packets, everything appears to be
encrypted and I get the results I am looking for when I issue the "getent
passwd" command... However, when I change "tls_checkpeer" to "yes" or
comment it out from the config, I do not get the expected results from
'getent passwd'.... also, here is the output from the ldapsearch debug..

ldapsearch -d1 -x -H ldaps://localhost:636/
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire,
LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com,
issuer: /C=US/ST=Pennsylvania/L=King of Prussia/O=MavenWire,
LLC/OU=Support/CN=testing.com/emailAddress=mw-hosting-sysadmin@testing.com
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


When I issue a search using just ldap://localhost it works, but the data is
not encrypted, how does it encrypt the data, if it can't verify the
certificate?

-Lynn
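The closing question above, how the data can be encrypted when the certificate cannot be verified, has a general answer: TLS derives the session keys during the handshake from the server's certificate and key exchange whether or not the client trusts that certificate, and chain verification is a separate check that a client policy such as `tls_checkpeer no` (or `tls_reqcert allow`) simply skips. The channel is then encrypted to whoever answered on port 636, but that peer has not been authenticated. The Go program below is an added example written for this archive page; it is not code from the thread, from nss_ldap or from OpenLDAP. It builds a self-signed `localhost` certificate in memory, the same shape as the one in the ldapsearch trace (subject equal to issuer), starts a TLS echo server on an ephemeral port, and connects three ways that mirror the configurations under discussion: verification disabled; verification enabled with the trust store loaded from a private key, which is what happens if `tls_cacert` names a key file rather than a certificate (the config above points it at `ca.key`); and verification enabled with the trust store loaded from the server's own self-signed certificate. The correspondence between the nss_ldap keywords and Go's `tls.Config` fields (`InsecureSkipVerify`, `RootCAs`) is drawn here by analogy and is not something the thread states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"io"
	"math/big"
	"time"
)

// Outcome of one client handshake: encryption and peer authentication are separate properties.
type Outcome struct {
	Encrypted     bool   // handshake completed, application data is protected
	Authenticated bool   // server chain verified against the client's RootCAs
	Err           string // handshake or I/O error, empty on success
}

func must(err error) {
	if err != nil {
		panic(err) // setup failure, not one of the TLS outcomes under study
	}
}

// startSelfSignedServer builds an in-memory self-signed localhost certificate (subject == issuer,
// as in the ldapsearch trace) and serves a TLS echo on an ephemeral port. Everything is constructed here.
func startSelfSignedServer() (addr string, certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it has to be its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	keyDER, err := x509.MarshalECPrivateKey(key)
	must(err)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	serverCert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); io.Copy(c, c) }() // echo; the server handshake runs on first Read
		}
	}()
	return ln.Addr().String(), certPEM, keyPEM
}

// connect performs the handshake under cfg, then echoes one message so that application
// data really crosses the channel before the connection state is inspected.
func connect(addr string, cfg *tls.Config) Outcome {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return Outcome{Err: err.Error()}
	}
	defer conn.Close()
	conn.Write([]byte("ping"))
	if _, err = io.ReadFull(conn, make([]byte, 4)); err != nil {
		return Outcome{Err: err.Error()}
	}
	st := conn.ConnectionState()
	return Outcome{Encrypted: st.HandshakeComplete, Authenticated: len(st.VerifiedChains) > 0}
}

// RunDemo runs the three client policies discussed in the thread. It also reports whether
// a tls_cacert file holding the private key or the certificate yields any trust anchor.
func RunDemo() (outcomes map[string]Outcome, keyFileLoadsCA, certFileLoadsCA bool) {
	addr, certPEM, keyPEM := startSelfSignedServer()
	keyPool, certPool := x509.NewCertPool(), x509.NewCertPool()
	keyFileLoadsCA = keyPool.AppendCertsFromPEM(keyPEM)    // a PRIVATE KEY block parses as zero certificates
	certFileLoadsCA = certPool.AppendCertsFromPEM(certPEM) // the self-signed certificate becomes the anchor
	outcomes = map[string]Outcome{
		// tls_checkpeer no: encrypted, but any certificate is accepted and the peer is never authenticated.
		"checkpeer_no": connect(addr, &tls.Config{InsecureSkipVerify: true}),
		// tls_checkpeer yes with the key file as trust store: nothing to chain to, "unknown authority".
		"checkpeer_yes_cacert_is_key": connect(addr, &tls.Config{ServerName: "localhost", RootCAs: keyPool}),
		// tls_checkpeer yes with the server's self-signed certificate as trust store: verified chain.
		"checkpeer_yes_cacert_is_cert": connect(addr, &tls.Config{ServerName: "localhost", RootCAs: certPool}),
	}
	return outcomes, keyFileLoadsCA, certFileLoadsCA
}
```

The second case reproduces the failure in the trace: a PEM file holding an EC PRIVATE KEY block parses as zero certificates, so the pool is empty and the self-signed certificate chains to nothing, which Go reports as an unknown authority just as the OpenSSL trace reports `unknown CA` and `self signed certificate`. The third case is what `tls_checkpeer yes` needs to succeed: `tls_cacert` naming the PEM-encoded server certificate rather than its key, so that the self-signed certificate is itself the trust anchor. In the first case the handshake completes and the echo round trip is protected, but `VerifiedChains` stays empty; that is why tcpdump shows encrypted traffic with `tls_checkpeer no` even though the client has no idea who it is talking to. `RunDemo` returns the three outcomes together with the two load results so they can be checked from a test.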

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, April 12, 2010 2:09 PM
To: Chris Jacobs
Cc: 'lynn.york@mavenwire.com'; 'openldap-technical@openldap.org'
Subject: Re: Problem with SSL/TLS

Chris Jacobs wrote:
> /etc/ldap.conf is used by nss tools and the ilk.
>
> /etc/openldap/ldap.conf would be used by openldap tools - like ldapsearch.

Actually it's used by libldap, which means everything that uses libldap
(including nss_ldap). But of course the converse is not true, /etc/ldap.conf
only affects nss_ldap and pam_ldap, not anything else.

> I have the same setting there for tls_checkpeer - but in the latter
> ldap.conf (under openldap).

tls_checkpeer is not a valid OpenLDAP ldap.conf keyword.

> FWIW: there's apparently no real different format for the two files; while
> one would only be setup on ldap servers, mine are identical and things work
> with a

If they are identical and things work, it's by sheer luck. Read the
ldap.conf(5) manpage. Relying on anything not documented there would be a
mistake.

To the original poster: use the ldapsearch debug flag. OpenSSL s_client is
not a reliable indicator of anything.

> mirror master, both setup behind a VIP (fail over, not load balanced) and
> a plethora of slaves in different subdomains.
>
> - chris
>
> PS: I'd forgotten to 'reply-to-all' earlier. :)
>
> Chris Jacobs, Systems Administrator
> Apollo Group | Apollo Marketing | Aptimus
> 2001 6th Ave Ste 3200 | Seattle, WA 98121
> phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
> email: chris.jacobs@apollogrp.edu
>
> ------------------------------------------------------------------------------
> *From*: Lynn York
> *To*: Chris Jacobs
> *Sent*: Mon Apr 12 10:29:19 2010
> *Subject*: RE: Problem with SSL/TLS
>
> Here is my /etc/ldap.conf:
>
> #host 127.0.0.1
>
> base cn=users,dc=testing,dc=com
>
> uri ldap://localhost:636
>
> binddn cn=manager,dc=testing,dc=com
>
> bindpw password
>
> scope sub
>
> timelimit 120
>
> bind_policy soft
>
> bind_timelimit 120
>
> idle_timelimit 3600
>
> ssl on
>
> tls_cacert /etc/openldap/cacerts/servercrt.pem
>
> tls_cacertdir /etc/openldap/cacerts
>
> tls_checkpeer no
>
> nss_base_group cn=groups,dc=testing,dc=com?sub
>
> pam_password md5
>
> I have tried it with and without “tls_checkpeer”…. I am sort of at a loss
> as to what it can be. I also tested it using openssl client.. and here is
> the output:

> *From*: openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org
> *To*: openldap-technical@openldap.org
> *Sent*: Mon Apr 12 08:13:39 2010
> *Subject*: Problem with SSL/TLS
>
> I have created a cert. on the server and openldap starts without any
> issues, however when I attempt to connect via ldaps I keep getting the
> following error:
>
> ldapsearch -x -H ldaps://localhost:636 -D
> "cn=Manager,dc=testing,dc=com" -W -b
> "dc=testing,dc=com" "(objectClass=top)"
>
> Enter LDAP Password:
>
> ldap_bind: Can't contact LDAP server (-1)
>
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I can't quite pinpoint what the problem might be.
>

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/