Re: TLS in 2.0.8 vs 2.0.7, openssl 0.9.6, HP-UX 11, gcc

Make sure your client is not refusing the server certificate.

At 06:07 AM 5/18/01, Allan E Johannesen wrote:
>There have been some changes in TLS handling between 2.0.7 and 2.0.8.  I found
>I had to make new certificates which had a cn of the slapd hostname in order to
>satisfy the client.  That wasn't too bad.
>
>Now, I'm getting failures on TLS connect.  Using -d1 on slapd, the 2.0.7 model
>seems to have the same "errors" when reading the client certificate as 2.0.8,
>although the verify client certificate flag is off in both cases.  I put
>
>TLSVerifyClient 0
>
>in slapd.conf and put some printf's into openldap to assure myself that
>SSL_VERIFY_PEER was not being set in (LDAP *)->verify_mode.
>
>I found that if I try -d-1, for full debugging, it will occasionally succeed,
>which is disturbing.  Again, the logs below are -d1 level debugging.
>
>It could be that these lines of difference between the two logs are the key,
>but I don't know what they signify:
>
>ber_get_next on fd 7 failed errno=246 (Operation would block)
>ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
>
>Is there an openldap or openssl guru out there who can give me a clue about
>what I am doing wrong?
>
>@(#) $OpenLDAP: slapd 2.0.7-Release (Tue Apr 17 10:35:02 EDT 2001) $
>        aej@hp3com2:/tools/utilities/openldap/openldap-2.0.7/servers/slapd
>daemon_init: listen on ldap:///
>daemon_init: 1 listeners to open...
>ldap_url_parse(ldap:///)
>daemon: initialized ldap:///
>daemon_init: 1 listeners opened
>slapd init: initiated server.
>slapd startup: initiated.
>slapd starting
>connection_get(7): got connid=0
>connection_read(7): checking for input on id=0
>ber_get_next
>ber_get_next: tag 0x30 len 29 contents:
>do_extended
>ber_scanf fmt ({a) ber:
>send_ldap_extended 0: (0)
>send_ldap_response: msgid=1 tag=120 err=0
>ber_flush: 14 bytes to sd 7
>ber_get_next
>ber_get_next on fd 7 failed errno=246 (Operation would block)
>connection_get(7): got connid=0
>connection_read(7): checking for input on id=0
>TLS trace: SSL_accept:before/accept initialization
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>TLS trace: SSL_accept:SSLv3 flush data
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>connection_get(7): got connid=0
>connection_read(7): checking for input on id=0
>TLS trace: SSL_accept:SSLv3 read client key exchange A
>TLS trace: SSL_accept:SSLv3 read finished A
>TLS trace: SSL_accept:SSLv3 write change cipher spec A
>TLS trace: SSL_accept:SSLv3 write finished A
>TLS trace: SSL_accept:SSLv3 flush data
>connection_get(7): got connid=0
>connection_read(7): checking for input on id=0
>ber_get_next
>ber_get_next: tag 0x30 len 58 contents:
>do_bind
>
>i.e. it worked.  Trying 2.0.8,
>
>@(#) $OpenLDAP: slapd 2.0.8-Release (Thu May 17 15:08:16 EDT 2001) $
>        aej@hp3com2:/tools/utilities/openldap/openldap-2.0.8/servers/slapd
>daemon_init: listen on ldap:///
>daemon_init: 1 listeners to open...
>ldap_url_parse_ext(ldap:///)
>daemon: initialized ldap:///
>daemon_init: 1 listeners opened
>slapd init: initiated server.
>slapd startup: initiated.
>slapd starting
>connection_get(7): got connid=0
>connection_read(7): checking for input on id=0
>ber_get_next
>ber_get_next: tag 0x30 len 29 contents:
>do_extended
>ber_scanf fmt ({a) ber:
>send_ldap_extended 0: (0)
>send_ldap_response: msgid=1 tag=120 err=0
>ber_flush: 14 bytes to sd 7
>ber_get_next
>ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
>connection_get(7): got connid=0
>connection_read(7): checking for input on id=0
>TLS trace: SSL_accept:before/accept initialization
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>TLS trace: SSL_accept:SSLv3 flush data
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS: can't accept.
>connection_read(7): TLS accept error error=-1 id=0, closing
>connection_closing: readying conn=0 sd=7 for close
>connection_close: conn=0 sd=7
>
>i.e. it failed.
>------- end of forwarded message -------
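A small parser for slapd -d1 TLS traces, added here as an example; it is not code from this thread or from OpenLDAP. It reads the "TLS trace: SSL_accept:..." lines that slapd's OpenSSL info callback prints, plus the ber_get_next would-block lines, and reports whether the server side of the handshake completed, where it stopped, and which state lines were merely retries. The two sample traces are constructed from the 2.0.7 and 2.0.8 logs quoted above with the LDAP chatter stripped; the names analyze, HandshakeReport and diagnostic_states are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the TLS-relevant lines of the two traces quoted in
# the thread, 2.0.7 (handshake succeeded) and 2.0.8 (handshake failed).
TRACE_2_0_7 = """\
ber_get_next on fd 7 failed errno=246 (Operation would block)
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
do_bind
"""
TRACE_2_0_8 = """\
ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
connection_read(7): TLS accept error error=-1 id=0, closing
"""

TRACE_RE = re.compile(r"^TLS trace: SSL_accept:(?P<retry>error in |failed in )?(?P<state>.+)$")
WOULDBLOCK_RE = re.compile(r"^ber_get_next on fd \d+ failed errno=(?P<errno>\d+) \(")
FATAL_RE = re.compile(r"TLS accept error error=(?P<code>-?\d+)")

@dataclass
class HandshakeReport:
    states: List[str] = field(default_factory=list)    # every SSL_accept state line, in order
    retries: List[str] = field(default_factory=list)   # states logged as "error in ..." (ret < 0)
    wouldblock_errnos: List[int] = field(default_factory=list)
    fatal_code: Optional[int] = None                   # from "TLS accept error error=N"

    @property
    def last_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None

    @property
    def completed(self) -> bool:
        # The server is done once it has written its Finished message and
        # nothing fatal followed.
        return self.fatal_code is None and "SSLv3 write finished A" in self.states

    @property
    def outcome(self) -> str:
        if self.completed:
            return "completed"
        if self.fatal_code is not None:
            return f"failed (error={self.fatal_code}) while in '{self.last_state}'"
        return f"incomplete, last state '{self.last_state}'"

def analyze(trace: str) -> HandshakeReport:
    """Walk a slapd -d1 trace line by line and build a HandshakeReport."""
    report = HandshakeReport()
    for line in trace.splitlines():
        m = TRACE_RE.match(line)
        if m:
            report.states.append(m.group("state"))
            # OpenSSL's info callback prints "error in <state>" when SSL_accept
            # returned < 0; on a non-blocking socket that is usually WANT_READ,
            # i.e. the peer has not sent the next message yet, not a failure.
            if m.group("retry"):
                report.retries.append(m.group("state"))
            continue
        m = WOULDBLOCK_RE.match(line)
        if m:
            report.wouldblock_errnos.append(int(m.group("errno")))
            continue
        m = FATAL_RE.search(line)
        if m:
            report.fatal_code = int(m.group("code"))
    return report

def diagnostic_states(ok: HandshakeReport, bad: HandshakeReport) -> List[str]:
    """States the failing trace logged that the good trace never did. An empty
    list means the difference is where the failing trace stops, not any line
    it contains."""
    return [s for s in bad.states if s not in ok.states]

if __name__ == "__main__":
    good, bad = analyze(TRACE_2_0_7), analyze(TRACE_2_0_8)
    print("2.0.7:", good.outcome, "would-block errnos:", good.wouldblock_errnos)
    print("2.0.8:", bad.outcome, "would-block errnos:", bad.wouldblock_errnos)
    print("states unique to the failing trace:", diagnostic_states(good, bad))
```

Run against the two samples, diagnostic_states comes back empty: every state line in the failing trace, including both "error in SSLv3 read client certificate A" lines, also appears in the successful one, so those lines are not the fault. What differs is that in 2.0.8 the next message from the client (key exchange) never arrives before the accept is abandoned, which is consistent with the reply's suggestion to check whether the client is rejecting the server certificate. The would-block errnos (246 on HP-UX, 11 elsewhere) are ordinary non-blocking reads and are reported only so they can be ruled out.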