Issue 6994 - Syncrepl with MozNSS inherits TLS context from main configuration breaking some syncrepl setups
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-11 16:44 UTC by thibault.lemeur@supelec.fr
Modified: 2017-04-12 20:46 UTC (History)

See Also:


Attachments

Description thibault.lemeur@supelec.fr 2011-07-11 16:44:48 UTC
Full_Name: Thibault Le Meur
Version: 2.4.23-15
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (160.228.28.55)


Previously on my FC13 installation (openldap-servers-2.4.21-11) the main slapd
process used an X509 "server" while my syncrepl processes were using the
/etc/openldap/ldap.conf client configuration file in order to connect to my
LDAPs Syncrepl providers.

My new RHEL6 setup (openldap-servers-2.4.23-15.el6.x86_64) is linked to
MozNSS, and Syncrepl can't connect to my LDAPs providers anymore because it
complains about the TLS context not being initialized correctly (the server's
certificate isn't accepted as a client certificate).

Here is the lightly obfuscated log:

----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate [CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid - error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for certificate named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error -8101:Unknown code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
----------------------------------------------------------

Here is my syncrepl setup:
---------------------------------------------------------
syncrepl rid=125
        provider=ldaps://otherldap.mydom.fr
        type=refreshOnly
        interval=00:00:03:00
        retry="60 10 300 +"
        searchbase="dc=subranch,dc=mydom,dc=fr"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
        credentials="MyVerySecretPassword"
---------------------------------------------------------

My setup related to TLS:
---------------------------------------------------------
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile   /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------

And my /etc/openldap/ldap.conf:
---------------------------------------------------------
TLS_CACERT /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------

Here is the obfuscated certificate:
---------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 221 (0xdd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myCA/emailAddress=myemail@mydom.fr
        Validity
            Not Before: Oct  2 16:42:15 2007 GMT
            Not After : Dec 14 16:42:15 2012 GMT
        Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                ...
            X509v3 Authority Key Identifier:
                keyid:...
                DirName:/C=FR/ST=myst/L=myloc/O=myorg/OU=myou/CN=myCA/emailAddress=thibault.lemeur@supelec.fr
                serial:00

            X509v3 Issuer Alternative Name:
<EMPTY>

            Netscape SSL Server Name:
                myldap.mydom.fr
            X509v3 Subject Alternative Name:
                DNS:ldap, DNS:ldapalias1, DNS:ldapalias2, DNS:ldapalias1.mydom.fr, DNS:ldapalias2.mydom.fr, DNS:ldap.mydom.fr, DNS:myldap, DNS:myldap.mydom.fr
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Code Signing
    Signature Algorithm: sha1WithRSAEncryption
        ... 
---------------------------------------------------------

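The fragments above, put side by side as one consumer configuration. This is an added illustration, not configuration from the report or from the OpenLDAP project: the global TLS* block is the reporter's own and serves the listener; the per-syncrepl tls_* keywords are the ones documented in slapd.conf(5), and it is an assumption that the build in use honours them. The replication client certificate and key paths are placeholders.

```conf
# Consumer slapd.conf.
#
# Global TLS context: this is the reporter's block and it configures the
# *listener*. The certificate it points at carries
# "X509v3 Extended Key Usage: critical / TLS Web Server Authentication, Code Signing",
# so it is valid as a server certificate only. In the reporter's setup this
# was the only TLS context the syncrepl engine had, so this server
# certificate was what got offered to the provider as a client certificate.
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile   /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile    /etc/ssl/cacerts/cacert.pem

# Per-syncrepl TLS settings (slapd.conf(5) keywords; assumption: honoured by
# this build). They give the replication client its own identity instead of
# the listener's. replica-client-cert.pem is a placeholder name; whatever is
# used there must carry extendedKeyUsage clientAuth, which the listener
# certificate does not.
syncrepl rid=125
        provider=ldaps://otherldap.mydom.fr
        type=refreshOnly
        interval=00:00:03:00
        retry="60 10 300 +"
        searchbase="dc=subranch,dc=mydom,dc=fr"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
        credentials="MyVerySecretPassword"
        tls_cacert=/etc/ssl/cacerts/cacert.pem
        tls_cert=/etc/ssl/certs/replica-client-cert.pem
        tls_key=/etc/ssl/keys/replica-client-key.pem
        tls_reqcert=demand

# Provider slapd.conf (the other end). This is the knob that decides whether
# an unusable client certificate is fatal: with "never" or "allow" the
# provider does not care what the consumer presents; with "try", "demand" or
# "hard" it validates it and rejects a server-only certificate.
TLSVerifyClient demand
```

Whether the replication account is then authorised by the simple bind or by the client certificate is a separate question; the point of the per-syncrepl block is only that the TLS handshake no longer presents the listener's server certificate where a client certificate is expected.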
Comment 1 rich.megginson@gmail.com 2011-07-26 03:12:07 UTC
On 07/11/2011 10:44 AM, thibault.lemeur@supelec.fr wrote:
> [full original report quoted; see the Description above]
I think this ITS is superseded by 
http://www.openldap.org/its/index.cgi?findid=7001 and 
http://www.openldap.org/its/index.cgi?findid=7002

Note that even with openldap built with openssl (ol 2.4.latest and 
openssl 1.0.x), the syncrepl tls context is inherited from the main 
server context, and the server cert is sent as the client cert.  If the 
server sets TLSVerifyClient to never or allow, syncrepl will work, 
because the server will ignore the problems with the client cert.  But 
if TLSVerifyClient is set to "try", "demand", or "hard", syncrepl will 
fail because the server always sends the server cert as the client cert, 
and since the server cert cannot also be used as a client cert, the 
server will correctly reject it.

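The rejection described in the comment above can be reproduced outside slapd with the openssl CLI. This is an added example and not code from the ITS or from OpenLDAP; it assumes an openssl binary (1.1.1 or later was what it was written against), mktemp, and a writable temporary directory. It builds a throw-away CA, issues one certificate with the reporter's extendedKeyUsage profile (serverAuth, codeSigning, marked critical) and one that also carries clientAuth, then asks OpenSSL the same question a provider running TLSVerifyClient try/demand/hard asks during the handshake: is this certificate valid for the sslclient purpose? All keys, certificates and names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of ITS#6994 or of OpenLDAP: show with the openssl CLI
# why a certificate issued for "TLS Web Server Authentication" only is rejected
# when it is presented as a *client* certificate.
# Assumes: openssl (1.1.1+) on PATH, mktemp, writable TMPDIR.
# Every key and certificate below is generated on the fly (constructed data).
set -eu

# Build a throw-away PKI in $1: a CA, a leaf with EKU = serverAuth,codeSigning
# (the reporter's TinyCA profile) and a leaf that also carries clientAuth.
make_test_pki() {
    dir=$1

    # CA: self-signed, basicConstraints CA:TRUE so that "openssl verify"
    # accepts it as an issuer for any purpose.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=myCA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 -sha256 \
        -set_serial 1 -extfile "$dir/ca.ext" -out "$dir/ca.pem" >/dev/null 2>&1

    # Extension profiles for the two leaves. "server" mirrors the certificate
    # in the report: EKU critical and *without* clientAuth. "client" adds it.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=critical,serverAuth,codeSigning\nsubjectAltName=DNS:myldap.mydom.fr\n' \
        > "$dir/server.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=critical,serverAuth,clientAuth\nsubjectAltName=DNS:myldap.mydom.fr\n' \
        > "$dir/client.ext"

    serial=221   # constructed; the reporter's certificate happened to be serial 221 (0xdd)
    for name in server client; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=myldap.mydom.fr" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -set_serial "$serial" -days 2 -sha256 \
            -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
        serial=$((serial + 1))
    done
}

# Validate $1 under CA $2 for the given purpose ($3: sslclient or sslserver).
# Prints "accepted" or "rejected" rather than relying on the exit status, since
# older openssl releases exited 0 even on a failed verification.
purpose_verdict() {
    cert=$1; ca=$2; purpose=$3
    out=$(openssl verify -purpose "$purpose" -CAfile "$ca" "$cert" 2>&1 || true)
    case "$out" in
        *": OK"*) echo accepted ;;
        *)        echo rejected ;;
    esac
}

# The provider's view of a consumer that offers this certificate as its
# client certificate (what TLSVerifyClient try/demand/hard triggers).
client_purpose_verdict() { purpose_verdict "$1" "$2" sslclient; }

# The converse: the same certificate is perfectly fine for the listener.
server_purpose_verdict() { purpose_verdict "$1" "$2" sslserver; }

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
make_test_pki "$PKI"

echo "server-only cert as TLS server:       $(server_purpose_verdict "$PKI/server.pem" "$PKI/ca.pem")"
echo "server-only cert as TLS client:       $(client_purpose_verdict "$PKI/server.pem" "$PKI/ca.pem")"
echo "serverAuth+clientAuth cert as client: $(client_purpose_verdict "$PKI/client.pem" "$PKI/ca.pem")"

# What to look for in your own certificate before pointing syncrepl at it.
openssl x509 -in "$PKI/server.pem" -noout -text | grep -A1 'Extended Key Usage'
```

Run it as-is; the second line prints "rejected" and the other two "accepted". The same check applied to the certificate configured in the consumer's TLSCertificateFile tells you in advance whether a provider with TLSVerifyClient set to try, demand or hard will turn the connection away.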
Comment 2 Howard Chu 2011-09-30 10:36:06 UTC
changed notes
Comment 3 OpenLDAP project 2017-04-12 20:46:26 UTC
dupe #7042, see 7042 for patch.
Comment 4 Quanah Gibson-Mount 2017-04-12 20:46:26 UTC
changed notes
changed state Open to Closed
moved from Incoming to Software Bugs