
TLS not encrypting with Netscape but does with Perl-Ldap LDAPS (ITS#1269)



Full_Name: Jim Dutton
Version: 2.0.11
OS: FreeBSD, NetBSD, Solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.230.6.142)


Running with appropriate certificates for SLAPD and CA for client, LDAPS
connection from Netscape browser V4.5.1 obtains data using LDAP URL, but
the session is never encrypted.

Using the Perl-Ldap V0.24 LDAPS module, the same search and certificates not
only return the same data, but the session is encrypted.

The CA certificate of the server certificate used by OpenLDAP is in
the Netscape browser's "signers" security list, and is "fully accepted".
This same certificate is pointed to by the Perl-Ldap (LDAPS) program. The
fingerprints match.

It would appear that Netscape browser V4.5.1 and OpenLDAP-2.0.11 +
OpenSSL-0.9.6b do not properly negotiate the SSL "handshake". No client
certificate verification is requested.




=========== Netscape V4.5.1 Browser LDAPS URL - SLAPD trace =========
@(#) $OpenLDAP: slapd 2.0.11-Release (Mon Jul 30 10:17:59 CDT 2001) $
/var/stage/openldap-2.0.11/servers/slapd
daemon_init: listen on ldaps://:637/
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldaps://:637/)
daemon: initialized ldaps://:637/
daemon_init: 1 listeners opened
slapd init: initiated server.
Enter PEM pass phrase:
slapd startup: initiated.
slapd starting
daemon: added 6r
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 7
daemon: added 7r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write key exchange A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:error in SSLv3 read certificate verify A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=2 dn="" method=128
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=1 tvp=NULL
send_ldap_result: conn=0 op=0 p=2
send_ldap_response: msgid=2 tag=97 err=0
ber_flush: 14 bytes to sd 7
do_bind: v2 anonymous bind
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
ber_get_next
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({aiiiib) ber:
ber_scanf fmt ({oo}) ber:
ber_scanf fmt ({v}}) ber:
=> ldbm_back_search
dn2entry_r: dn: "O=xxxx,C=xx"
=> dn2id( "O=xxxx,C=xx" )
=> ldbm_cache_open( "/usr/local/var/openldap-ldbm/dn2id.dbb", 7, 600



================= Perl-Ldap V0.24 LDAPS - SLAPD trace ===============
@(#) $OpenLDAP: slapd 2.0.11-Release (Mon Jul 30 10:17:59 CDT 2001) $
/var/stage/openldap-2.0.11/servers/slapd
daemon_init: listen on ldaps://:637/
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldaps://:637/)
daemon: initialized ldaps://:637/
daemon_init: 1 listeners opened
slapd init: initiated server.
Enter PEM pass phrase:
slapd startup: initiated.
slapd starting
daemon: added 6r
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 7
daemon: added 7r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7): got connid=0
connection_read(7): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
do_search
ber_scanf fmt ({aiiiib) ber:
ber_scanf fmt ({oo}) ber:
ber_scanf fmt ({v}}) ber:
=> ldbm_back_search
dn2entry_r: dn: "O=xxxx,C=xx"
=> dn2id( "O=xxxx,C=xx" )
=> ldbm_cache_open( "/usr/local/var/openldap-ldbm/dn2id.dbb", 7, 600 )
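Added example (not part of the ITS report or of OpenLDAP): a small Python reader for the "TLS trace:" lines in the two slapd traces above, which reports whether each handshake reached the Finished message, whether a ServerKeyExchange was sent (the one state that appears only in the Netscape trace), and which "error in ..." lines are just SSL_accept waiting for the peer on slapd's non-blocking sockets. The meaning of the states follows OpenSSL 0.9.6's ssl3_accept and OpenLDAP's tls.c info callback; the trace excerpt is constructed from the Netscape session quoted in the report.

```python
import re
# Added example: summarise the server side of a TLS handshake from the "TLS trace:"
# lines slapd -d prints via OpenSSL's info callback (the states are SSL_accept's).
TRACE_RE = re.compile(r"^TLS trace: SSL_accept:(?:(?P<err>error in) )?(?P<state>.+)$")

def parse_states(trace):
    done, retries = [], []          # states passed / states slapd had to wait in
    for line in trace.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            (retries if m.group("err") else done).append(m.group("state"))
    return done, retries

def handshake_summary(trace):
    done, retries = parse_states(trace)
    return {
        # Finished written: keys agreed, every later record on the socket is encrypted.
        "completed": "SSLv3 write finished A" in done,
        # OpenSSL sends (and logs) ServerKeyExchange only for ephemeral key exchange:
        # a DH suite, or an export-grade RSA suite signing a temporary RSA key.
        "server_key_exchange": "SSLv3 write key exchange A" in done,
        # Logged only when the client actually sent a Certificate message.
        "client_cert_sent": "SSLv3 read client certificate A" in done,
        # "error in <state>" is SSL_accept returning -1 (SSL_ERROR_WANT_READ): waiting, not failing.
        "want_read_retries": retries,
    }

def handshake_diff(trace_a, trace_b):
    a, b = parse_states(trace_a)[0], parse_states(trace_b)[0]
    return sorted(set(a) ^ set(b))   # states passed in exactly one of the two handshakes

# Constructed input: the TLS trace lines of the Netscape 4.5.1 session quoted in the report.
NETSCAPE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write key exchange A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:error in SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
"""
# The Perl-Ldap session's trace is the same minus two lines (see the second trace above).
PERL_LDAP = "\n".join(l for l in NETSCAPE.splitlines()
                      if "write key exchange" not in l and "certificate verify" not in l)
```

Both sessions report completed=True, so slapd did finish a handshake and encrypt the record layer in each case; the only handshake-level difference the traces show is the ServerKeyExchange in the Netscape session, which points at which cipher suite the browser offered rather than at a failed negotiation.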