[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS problem




--On Wednesday, July 07, 2010 10:08 PM +0200 Cédric Jeanneret <cedric.jeanneret@camptocamp.com> wrote:

Hello,

Hm, using debian etch 64b - maybe a 64b story ? For now, I just cannot
manage to make it work - errors have changed, but still no way to
connect to the server -.-.

I'll post tomorrow the new config and its error messages.

Thank you for those who tried to help me.




Debian uses GnuTLS instead of OpenSSL to build OpenLDAP. GnuTLS has a number of interesting behaviors. I advise building your own OpenLDAP with OpenSSL instead.


Regards,

C.

On Wed, Jul 7, 2010 at 9:40 PM, Bryan Boone <v_1bboon@yahoo.com> wrote:
Hi Cedric.  I have the same problems.  I am using Opensuse 11.2 64-bit
edition.  Other people have the same problem.  I think this must be a
bug in opensuse anyway.  I wonder if you are experiencing the same
issue.  I switched over to SLES 10 and I don't have any problems.

________________________________
From: Cedric Jeanneret <cedric.jeanneret@camptocamp.com>
To: openldap-technical@openldap.org
Sent: Wed, July 7, 2010 3:17:27 AM
Subject: TLS problem

Hello,

I'm trying to configure an openldap with TLS so that all connections are
encrypted.

Here's the revelent part of my slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSVerifyClient never
TLSCertificateFile /etc/ldap/ssl/server.crt
TLSCertificateKeyFile /etc/ldap/ssl/server.key

Here's my ldap.conf:

URI ldaps://my.server.ltd
BASE dc=my,dc=server,dc=ltd
LDAP_VERSION 3

# SIZELIMIT      12
# TIMELIMIT      15
# DEREF          never
ssl start_tls
ssl on
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3


While starting slapd with:
slapd -h 'ldaps:///' -g openldap -u openldap  -d 16383

and trying to connect to it with:
ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w
"foo.bar" -S cn -h my.server.ltd -p 636 cn

I have these logs :
[slapd]

daemon: activity on 1 descriptor
slap_listener(ldaps:///)daemon: listen=7, new connection on 11
ldap_pvt_gethostbyname_a: host=my, r=0
daemon: added 11r (active) listener=(nil)
conn=0 fd=11 ACCEPT from IP=xx.yy.zz.aa:38806 (IP=0.0.0.0:636)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  30 3e 02 01 01 63 39 04  00 0a 01                 
0>...c9.... TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:562
connection_read(11): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=11 for close
connection_close: conn=0 sd=11
daemon: removing 11
conn=0 fd=11 closed (TLS negotiation failure)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

[ldapsearch]

ldap_create
ldap_url_parse_ext(ldap://my.server.ltd:636)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.ltd:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying xx.yy.zz.aa:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0xb92b6d68 ptr=0xb92b6d68 end=0xb92b6da8 len=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02 
0>...c9.........   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65
63 74  ..........object   0020:  63 6c 61 73 73 30 19 04  17 73 75
70 70 6f 72 74  class0...support   0030:  65 64 53 41 53 4c 4d 65 
63 68 61 6e 69 73 6d 73  edSASLMechanisms ber_scanf fmt ({) ber:
ber_dump: buf=0xb92b6d68 ptr=0xb92b6d6d end=0xb92b6da8 len=59
  0000:  63 39 04 00 0a 01 00 0a  01 00 02 01 00 02 01 00 
c9..............   0010:  01 01 00 87 0b 6f 62 6a  65 63 74 63 6c 61
73 73  .....objectclass   0020:  30 19 04 17 73 75 70 70  6f 72 74
65 64 53 41 53  0...supportedSAS   0030:  4c 4d 65 63 68 61 6e 69 
73 6d 73                  LMechanisms ber_flush2: 64 bytes to
sd 3
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02 
0>...c9.........   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65
63 74  ..........object   0020:  63 6c 61 73 73 30 19 04  17 73 75
70 70 6f 72 74  class0...support   0030:  65 64 53 41 53 4c 4d 65 
63 68 61 6e 69 73 6d 73  edSASLMechanisms ldap_write: want=64,
written=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02 
0>...c9.........   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65
63 74  ..........object   0020:  63 6c 61 73 73 30 19 04  17 73 75
70 70 6f 72 74  class0...support   0030:  65 64 53 41 53 4c 4d 65 
63 68 61 6e 69 73 6d 73  edSASLMechanisms ldap_result ld 0xb92ae158
msgid 1
wait4msg ld 0xb92ae158 msgid 1 (infinite timeout)
wait4msg continue ld 0xb92ae158 msgid 1 all 1
** ld 0xb92ae158 Connections:
* host: my.server.ltd  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jul  7 12:11:03 2010


** ld 0xb92ae158 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
  ld 0xb92ae158 request count 1 (abandoned 0)
** ld 0xb92ae158 Response Queue:
  Empty
  ld 0xb92ae158 response count 0
ldap_chkResponseList ld 0xb92ae158 msgid 1 all 1
ldap_chkResponseList returns ld 0xb92ae158 NULL
ldap_int_select
read1msg: ld 0xb92ae158 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0

ber_get_next failed.
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

I really don't know what to do. My certificates are correct I guess, as
we're using them in apache for https... For information, they are
self-signed.

Any help would be great.

Thank you!

Best regards,

C.


--
Cédric Jeanneret                |  System Administrator
021 619 10 32                    |  Camptocamp SA
cedric.jeanneret@camptocamp.com  |  PSE-A / EPFL





--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration