
TLS errors on valid certs (ITS#1934)



Full_Name: Quanah Gibson-Mount
Version: HEAD
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.13.58)


Hello,

I am running openldap from HEAD pulled June 26th.  I have a valid cert from
Verisign installed for the ldap server.  However, when I try to make an SSL
connection, it complains that the cert is a self-signed cert.  In slapd.conf, I
point TLSCACertificateFile to /usr/local/openssl/certs/vsignss.pem.  I get the
following error:

ldap4:~> ldapsearch -d 65535 -H ldaps://ldap4.Stanford.EDU/ -x -b "" -s base -LLL supportedSASLMechanisms
ldap_create
ldap_url_parse_ext(ldaps://ldap4.Stanford.EDU/)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap4.Stanford.EDU:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 171.64.14.183:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=ldap4.Stanford.EDU
TLS trace: SSL_connect:before/connect initialization
tls_write: want=130, written=130
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  16 03 01 00 4a 02 00                               ....J..
tls_read: want=72, got=72
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
  0000:  16 03 01 04 a1                                     .....
tls_read: want=1185, got=1185
TLS certificate verification: depth: 1, err: 19, subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority, issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
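
Added example, not part of the original report and not OpenLDAP code: a small Python decoder for the parts of the trace above that carry the diagnosis, namely the verify-callback line (depth, OpenSSL error number, subject, issuer) and the TLS record headers shown in the hex rows. The lookup tables are subsets of OpenSSL's X509_V_ERR_* values and the TLS alert descriptions; the function names `decode_record` and `analyze` are this example's own.

```python
import re

# Subset of OpenSSL X509_V_ERR_* codes that relate to trust-anchor problems.
X509_ERR = {
    18: "self signed certificate (untrusted self-signed leaf)",
    19: "self signed certificate in certificate chain (root not in local trust store)",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                       r"subject: (.+?), issuer: (.+)$")
# First row of a libldap hex dump: offset 0000, then space-separated bytes.
HEX_RE = re.compile(r"^\s*0000:\s+((?:[0-9a-f]{2} {1,2})+)")

def decode_record(data):
    """Decode a 5-byte TLS record header and, for alerts, the 2-byte body."""
    rec = {"type": CONTENT[data[0]], "version": f"{data[1]}.{data[2]}",
           "length": int.from_bytes(data[3:5], "big")}
    if data[0] == 21 and len(data) >= 7:
        rec["alert"] = (ALERT_LEVEL.get(data[5], data[5]), ALERT_DESC.get(data[6], data[6]))
    return rec

def analyze(trace):
    """Collect verify-callback results and TLS record headers from a -d trace."""
    out = {"verify": [], "records": []}
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            depth, err = int(m.group(1)), int(m.group(2))
            out["verify"].append({"depth": depth, "err": err,
                                  "meaning": X509_ERR.get(err, "not in this table"),
                                  "self_signed": m.group(3) == m.group(4)})
        h = HEX_RE.match(line)
        if h:
            data = bytes.fromhex(h.group(1))
            if len(data) >= 5 and data[0] in CONTENT and data[1] == 3:
                out["records"].append(decode_record(data))
    return out

# Lines copied from the trace above, with the mail line-wraps joined.
SAMPLE = """\
  0000:  16 03 01 04 a1                                     .....
TLS certificate verification: depth: 1, err: 19, subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority, issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  0000:  15 03 01 00 02 02 30                               ......0
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Error 19 at depth 1 with subject equal to issuer means the peer sent a chain ending in a self-signed root that the verifying side does not have in its own trust store; the trace is from `SSL_connect`, so the verifying side here is the client. The decoded alert record (fatal, unknown_ca) is that side reporting the same condition to the peer.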