[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS handshake failure

On 11-08-09 11:21 AM, Rich Megginson wrote:

On 08/09/2011 09:07 AM, Daniel Qian wrote:

On 11-08-09 10:49 AM, Rich Megginson wrote:

On 08/09/2011 08:33 AM, Daniel Qian wrote:

Hi,
I have slapd 2.4.24 and everything works without TLS. but if I add a -Z option to the ldapsearch command I get this:
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config 
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)
slapd.log shows something like this : connection_read(16): TLS accept failure error=-1 id=1006, closing 

Output from openssl debug:
[root@ldaprov1 cacerts]# openssl s_client -connect hostname:389 -showcerts -state -CAfile cacert.pem 
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: 
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
The configurations are as follow (same command as above but without the -Z option):
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config 
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: 9
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
I verified the ldap user can read all the TLS files and they are setup fine
[root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfile cacert.pem ldaprov1.crt 
ldaprov1.crt: OK


Anyone can tell me what I am missing here?

No, but we're missing
1) platform
2) tls implementation (openssl, moznss, gnutls)
3) output of ldapsearch -x -d 1 -Z ...... rest of arguments .....



Its Fedora 15

ldd /usr/sbin/slapd
        linux-vdso.so.1 =>  (0x00007fff76fff000)
        libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f0f29fcd000)
        libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000)
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f0f29a38000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0f29801000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0f295e6000)
        libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000)
        libsmime3.so => /usr/lib64/libsmime3.so (0x00007f0f29183000)
        libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000)
        libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f0f28c2b000)
        libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000)
        libplc4.so => /lib64/libplc4.so (0x00007f0f28824000)
        libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0f283cb000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f0f27bcc000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000)


the ldapsearch -d 1 option tells me a lot more:
.....
ldap_msgfree
TLS: file ldaprov1.crt does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. TLS: file cacert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. TLS: file ldaprov1.key does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping. 
.....
I tell slapd to look for specific files but how come it is still checking in a directory?
I don't know. What does /etc/openldap/ldap.conf say? Do you have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
So even for slapd the setting TLS_CACERTDIR in /etc/openldap/ldap.conf takes precedence over olcTLSCACertificateFile in cn=config? I set /etc/openldap/ldap.conf for client only and did not mean it for slapd.
Now after I removed it from /etc/openldap/ldap.conf, ldapsearch -d 1 is indicating the CA certificate not valid:
TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Unknown code ___f 20. 
error -8172:Unknown code ___f 20.
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Unknown code ___f 20.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Unknown code ___f 20
Does this mean all the certificates I created on the same server with openssl can not be used by modnss in slapd? I never delt with modnss before 

Thanks,
Daniel