
Re: TLS very strange behaviour



On 10/10/2011 11:40 AM, Olivier wrote:
Hello,

I have two ldap servers, my goal is to configure them
in multimaster mode with an sasl authentication based
on certificates. With the following configurations, that
works well:


### slapd.conf for ldap1 :

syncrepl rid=121
     provider=ldap://ldap2.example.fr
     searchbase="dc=example,dc=fr"
     schemachecking=on
     type=refreshOnly
     interval=00:00:00:05
     retry="10 +"
     bindmethod=sasl
     saslmech=external
     authcid="cn=replicator,ou=system,dc=example,dc=fr"
     authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
     tls_cert=/etc/openldap/cacerts/syncrepl.crt
     tls_key=/etc/openldap/cacerts/syncrepl.key
     tls_reqcert=demand

mirrormode on

### slapd.conf for ldap1 :

syncrepl rid=121
     provider=ldap://ldap2.example.fr
     searchbase="dc=example,dc=fr"
     schemachecking=on
     type=refreshOnly
     interval=00:00:00:05
     retry="10 +"
     bindmethod=sasl
     saslmech=external
     authcid="cn=replicator,ou=system,dc=example,dc=fr"
     authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
     tls_cert=/etc/openldap/cacerts/syncrepl.crt
     tls_key=/etc/openldap/cacerts/syncrepl.key
     tls_reqcert=demand

mirrormode on

# of course I have provided the CA certificate in both files.
TLSCACertificateFile /etc/openldap/cacerts/CA.crt

# I also configured properly acl for "replicator"
# and have issued the right certificate

->   No problem, it works.

Now I also have configured certificates to be able to talk with the
servers on TLS:

### slapd.conf for ldap1 :
TLSCertificateFile /etc/openldap/cacerts/server1.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server1.key
TLSCipherSuite HIGH

### slapd.conf for ldap2 :
TLSCertificateFile /etc/openldap/cacerts/server2.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server2.key
TLSCipherSuite HIGH

That also works perfectly (ldapsearch with -ZZ responds properly)

I therefore decided to try to starttls for synchronisation.

I added in syncrepl for ldap1 :

## ldap1

syncrepl
     ...
     starttls=yes
     tls_cacert=/etc/openldap/cacerts/CA.crt
     ...

And the synchronizations worked well, TLS being started when ldap1 is client.

I then added the starttls directive on server ldap2 and removed it
on server ldap1:

## ldap2

syncrepl
     ...
     starttls=yes
     tls_cacert=/etc/openldap/cacerts/CA.crt
     ...

The synchronization also worked well, TLS being started this time when
ldap2 is client.

HERE IS THE PROBLEM:

I tried to starttls in both syncrepl directives on both servers
ldap1 and ldap2,
here is what I get:

ldap1 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync
...
TLS: error: accept - force handshake failure: errno 11 - moznss error -12273
TLS: can't accept: TLS error -12273:Unknown code ___P 15.
TLS: error: connect - force handshake failure: errno 0 - moznss error -12272
TLS: can't connect: TLS error -12272:Unknown code ___P 16.
slap_client_connect: URI=ldap://ldap2.example.fr Warning,
ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap2.example.fr
ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=121 rc -6 retrying

ldap2 # /usr/sbin/slapd -f slapd.conf -h ldap:/// -u ldap -d Sync
...
TLS: error: connect - force handshake failure: errno 0 - moznss error -12272
TLS: can't connect: TLS error -12272:Unknown code ___P 16.
slap_client_connect: URI=ldap://ldap1.eaxample.fr:389 Warning,
ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldap1.example.fr:389
ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=211 rc -6 retrying
TLS: error: accept - force handshake failure: errno 11 - moznss error -12273
TLS: can't accept: TLS error -12273:Unknown code ___P 15.

Any idea?
-12272 is SSL_ERROR_BAD_MAC_ALERT and -12273 is SSL_ERROR_BAD_MAC_READ

I've seen this when the client and server do not have the same SSL certificate signature algorithm support. Is everything running on RHEL6 and/or Fedora 14 and later?
---
Olivier
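An added example, not part of this thread and not OpenLDAP's own code, that audits the syncrepl TLS settings discussed above. It parses slapd.conf's continuation-line syntax (a line beginning with whitespace continues the previous directive), extracts each syncrepl stanza's key=value arguments, flags consumers that bind without StartTLS, without tls_reqcert=demand, or with SASL EXTERNAL but no client certificate, and reports when both peers of a mirrormode pair request StartTLS (the combination that failed for Olivier). It also decodes the two moznss codes named in the reply. The embedded configuration and log lines are constructed from the thread; the ldap2 configuration is derived from ldap1 by swapping hostnames and rid, which is an assumption about what Olivier's second file looked like.

```python
"""Audit slapd.conf syncrepl stanzas for TLS settings (added example)."""
import re
import shlex

# Constructed sample: the ldap1 configuration from the thread, with starttls added.
SAMPLE_LDAP1 = """\
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
TLSCertificateFile /etc/openldap/cacerts/server1.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server1.key
TLSCipherSuite HIGH

syncrepl rid=121
     provider=ldap://ldap2.example.fr
     searchbase="dc=example,dc=fr"
     schemachecking=on
     type=refreshOnly
     interval=00:00:00:05
     retry="10 +"
     bindmethod=sasl
     saslmech=external
     authcid="cn=replicator,ou=system,dc=example,dc=fr"
     authzid="dn:cn=replicator,ou=system,dc=example,dc=fr"
     tls_cert=/etc/openldap/cacerts/syncrepl.crt
     tls_key=/etc/openldap/cacerts/syncrepl.key
     tls_reqcert=demand
     starttls=yes
     tls_cacert=/etc/openldap/cacerts/CA.crt

mirrormode on
"""
# Assumed mirror peer: same stanza pointing back at ldap1 with rid=211 (as in the log).
SAMPLE_LDAP2 = (SAMPLE_LDAP1.replace("ldap2.example.fr", "ldap1.example.fr")
                .replace("rid=121", "rid=211").replace("server1", "server2"))

# Constructed from the ldap1 debug output in the thread.
SAMPLE_LOG = """\
TLS: error: accept - force handshake failure: errno 11 - moznss error -12273
TLS: can't accept: TLS error -12273:Unknown code ___P 15.
TLS: error: connect - force handshake failure: errno 0 - moznss error -12272
TLS: can't connect: TLS error -12272:Unknown code ___P 16.
"""


def join_directives(text):
    """Yield logical directives; lines starting with whitespace are continuations."""
    current = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:
            current.append(line.strip())
        else:
            if current:
                yield " ".join(current)
            current = [line.strip()]
    if current:
        yield " ".join(current)


def parse_config(text):
    """Return (globals, syncrepls): global directive -> value, and one dict per syncrepl."""
    globals_, syncrepls = {}, []
    for directive in join_directives(text):
        name, _, rest = directive.partition(" ")
        if name.lower() == "syncrepl":
            args = {}
            for tok in shlex.split(rest):  # shlex unquotes retry="10 +" and the DNs
                key, _, value = tok.partition("=")
                args[key.lower()] = value
            syncrepls.append(args)
        else:
            globals_[name] = rest.strip()
    return globals_, syncrepls


def audit(globals_, syncrepls):
    """Findings about replication TLS settings; empty list means nothing flagged."""
    findings = []
    if "TLSCACertificateFile" not in globals_:
        findings.append("no TLSCACertificateFile: peer certificates cannot be verified")
    for s in syncrepls:
        rid = s.get("rid", "?")
        if s.get("starttls", "no").lower() not in ("yes", "critical"):
            findings.append(f"rid={rid}: starttls not set; bind is sent over a cleartext session")
        if s.get("tls_reqcert", "").lower() != "demand":
            findings.append(f"rid={rid}: tls_reqcert is not demand; provider certificate not enforced")
        if s.get("saslmech", "").lower() == "external" and not s.get("tls_cert"):
            findings.append(f"rid={rid}: SASL EXTERNAL without tls_cert; no client certificate to present")
    return findings


def mutual_starttls(config_a, config_b):
    """True when both peers' consumers request StartTLS (each host is TLS client and server)."""
    def wants_tls(cfg):
        return any(s.get("starttls", "no").lower() in ("yes", "critical")
                   for s in parse_config(cfg)[1])
    return wants_tls(config_a) and wants_tls(config_b)


# Only the two codes identified in the reply are mapped here.
MOZNSS_CODES = {-12272: "SSL_ERROR_BAD_MAC_ALERT", -12273: "SSL_ERROR_BAD_MAC_READ"}
TLS_LINE = re.compile(r"TLS: error: (accept|connect) - .*moznss error (-\d+)")


def decode_tls_errors(log):
    """Map slapd '-d Sync' TLS error lines to (direction, code, symbolic name)."""
    out = []
    for line in log.splitlines():
        m = TLS_LINE.search(line)
        if m:
            code = int(m.group(2))
            out.append((m.group(1), code, MOZNSS_CODES.get(code, "unknown")))
    return out


if __name__ == "__main__":
    g, s = parse_config(SAMPLE_LDAP1)
    print(audit(g, s) or "ldap1: no findings")
    print("both peers request StartTLS:", mutual_starttls(SAMPLE_LDAP1, SAMPLE_LDAP2))
    for entry in decode_tls_errors(SAMPLE_LOG):
        print(entry)
```

Running it on the two constructed files reports no per-stanza findings but confirms that both peers request StartTLS, and decodes the accept side as SSL_ERROR_BAD_MAC_READ and the connect side as SSL_ERROR_BAD_MAC_ALERT, matching the reply's reading of the log.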