
Re: unknown CA



thierryW wrote:
Thanks for the reply.
Command-line ldapsearch, add, etc. have this error but work.
I use OpenLDAP+SASL in conjunction with qmail-ldap and courier-imap with an Apache/PHP front-end for clients, and it is when I log in with the PHP LDAP API or with mod-authldap (maybe not compatible with 2.1) that it is not working (it works fine with OpenLDAP 2.0.23).
Sample:
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=24
connection_read(14): checking for input on id=24
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 80 01 03 01 00 57 00 00 00 20 ......W...
tls_read: want=119, got=119
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1061, written=1061
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 16 03 01 00 86 .....
tls_read: want=134, got=134
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 28 ....(
tls_read: want=40, got=40
0000: 68 36 7f 54 04 69 ba 25 e9 00 32 b0 2c ba ad ae h6.T.i.%..2.,...
0010: 1d e9 f2 e4 00 10 02 e7 f9 eb 05 fc 9a ce d4 56 ...............V
0020: 8e 87 c4 a7 89 63 d4 4e .....c.N
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=51, written=51
0000: 14 03 01 00 01 01 16 03 01 00 28 0f fe 1f 2a 25 ..........(...*%
0010: c4 6f 17 23 35 6f 71 69 c4 31 ba 68 5b a6 10 a7 .o.#5oqi.1.h[...
0020: aa e4 f0 ea f8 18 24 a3 e8 a8 9e 9d 61 f6 90 8c ......$.....a...
0030: 00 10 31 ..1
TLS trace: SSL_accept:SSLv3 flush data
connection_read(14): unable to get TLS client DN error=49 id=24
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=24
connection_read(14): checking for input on id=24
ber_get_next
tls_read: want=5, got=5
0000: 17 03 01 00 60 ....`
tls_read: want=96, got=96
ldap_read: want=9, got=9
0000: 30 44 02 01 02 60 3f 02 01 0D...`?..
ldap_read: want=61, got=61
ber_get_next: tag 0x30 len 68 contents:
ber_get_next
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 14 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr>
=> ldap_bv2dn(uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr,0)
<= ldap_bv2dn(uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr,272)=0
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=master1,ou=admins,o=mairie,dc=intranet,dc=fr,16)=0
<<< dnPrettyNormal: <uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr>, <uid=master1,ou=admins,o=mairie,dc=intranet,dc=fr>
do_bind: version=3 dn="uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr" method=128
conn=24 op=1 BIND dn="uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr" method=128
==> bdb_bind: dn: uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr
bdb_dn2entry_rw("uid=master1,ou=admins,o=mairie,dc=intranet,dc=fr")
=> bdb_dn2id_matched( "uid=master1,ou=admins,o=mairie,dc=intranet,dc=fr" )
====> bdb_cache_find_entry_dn2id("uid=master1,ou=admins,o=mairie,dc=intranet,dc=fr"): 34 (1 tries)
====> bdb_cache_find_entry_id( 34 ) "uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr" (found) (1 tries)
=> access_allowed: auth access to "uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr attr: userPassword
=> acl_mask: access to entry "uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: uid=wheel.*+realm=intranet.fr
=> string_expand: pattern: uid=wheel.*+realm=intranet.fr
=> string_expand: expanded: uid=wheel.*+realm=intranet.fr
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: uid=wheel,ou=Admins,o=Mairie,dc=intranet,dc=fr
=> string_expand: pattern: uid=wheel,ou=Admins,o=Mairie,dc=intranet,dc=fr
=> string_expand: expanded: uid=wheel,ou=Admins,o=Mairie,dc=intranet,dc=fr
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: uid=master1,ou=admins,o=mairie,dc=intranet,dc=fr
=> string_expand: pattern: uid=master1,ou=admins,o=mairie,dc=intranet,dc=fr
=> string_expand: expanded: uid=master1,ou=admins,o=mairie,dc=intranet,dc=fr
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: uid=master1\+realm=intranet.fr
=> string_expand: pattern: uid=master1\+realm=intranet.fr
=> string_expand: expanded: uid=master1\+realm=intranet.fr
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: *
<= acl_mask: [5] applying read(=rscx) (stop)
<= acl_mask: [5] mask: read(=rscx)
=> access_allowed: auth access granted by read(=rscx)
send_ldap_result: conn=24 op=1 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=2 tag=97 err=49

Thanks for the help

Howard Chu wrote:
-----Original Message-----
From: thierryW [mailto:thierryw@libertysurf.fr]



ThierryW wrote:
I was having the same error (unknown CA); as you wrote, I put
TLS_CACERT /usr/local/openldap/etc/certs/CA_pubkey.pem in ldap.conf, but now I get a new error:
connection_read(14): unable to get TLS client DN error=49 id=6
Then it binds anonymously?
thierryW


I have no idea what the context is for your question.

The "unable to get TLS client DN" message is informational; it is
not a critical error by itself. It usually means the client didn't
provide a certificate, which is fine if you aren't trying to use
SASL EXTERNAL authentication. If you were trying to use EXTERNAL,
in this case, then you will have a fatal error. (Probably the error
message should only be displayed if the server is configured with
TLSVerifyClient enabled...)

Howard Chu wrote:

I have just this afternoon committed the support for the TLSCACertPath.
If you pull the latest version of libldap/tls.c from CVS you'll get it.
(But in general, you are of course welcome to fix/write anything you wish.)

As for the unknown CA problem, you need to configure your LDAP clients to
use the certs as well. It looks like you have only configured slapd so far.

You probably need to add this
	TLS_CACERT /usr/local/openldap/etc/certs/CA_pubkey.pem
to your /usr/local/openldap/etc/ldap.conf file.

-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support




-----Original Message-----
From: Tarassov Vadim [mailto:Vadim.Tarassov@winterthur.ch]
Sent: Friday, June 14, 2002 4:31 AM
To: 'Howard Chu'; Tarassov Vadim; OpenLDAP-software@OpenLDAP.org
Subject: AW: unknown CA


Hallo Howard,

Do you mind if I fix it? And look, I believe there is something wrong with

openldap 2.1.2, openssl 1.9.6d

if built together on Solaris 2.6 with Forte 6 update 1. I was struggling for a few hours with those fancy error messages I've described before, but could not find anything besides the fact that s_client and s_server do work well with the same certificates. Thus, I will have to investigate this problem. I will inform you regardless of whether I have success or not.

Cheers, Vadim Tarassov.
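An added triage example, not code from this thread: a short Python script that reads a constructed, condensed copy of the slapd -d trace quoted above (hex dumps omitted, values as the trace shows them) and separates the informational "unable to get TLS client DN" line from the failure the client actually saw, the simple bind answered with err=49 (invalidCredentials), which is the distinction Howard's reply draws.

```python
import re

# Constructed sample: a condensed copy of the slapd -d trace quoted in this
# thread, hex dumps left out; the values are the ones the trace shows.
SAMPLE_TRACE = """\
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_response: msgid=1 tag=120 err=0
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(14): unable to get TLS client DN error=49 id=24
conn=24 op=1 BIND dn="uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr" method=128
send_ldap_response: msgid=2 tag=97 err=49
"""
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation
BIND_RESPONSE_TAG = 97                     # 0x61: BindResponse (120 is ExtendedResponse)
SIMPLE_BIND = 128                          # method=0x80: simple (password) bind
INVALID_CREDENTIALS = 49                   # LDAP result code invalidCredentials
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESP_RE = re.compile(r'send_ldap_response: msgid=\d+ tag=(\d+) err=(\d+)')

def triage(trace):
    # Facts pulled out of the trace; client_cert flips to False on the DN line.
    f = {"starttls": False, "handshake_done": False, "client_cert": True,
         "bind_dn": None, "bind_method": None, "bind_err": None}
    for line in trace.splitlines():
        if line.startswith("do_extended:") and STARTTLS_OID in line:
            f["starttls"] = True
        elif "SSL_accept:SSLv3 write finished" in line:
            f["handshake_done"] = True
        elif "unable to get TLS client DN" in line:
            # Informational: the client sent no certificate. It is only fatal
            # when SASL EXTERNAL is supposed to authenticate the client.
            f["client_cert"] = False
        elif (m := BIND_RE.search(line)):
            f["bind_dn"], f["bind_method"] = m.group(3), int(m.group(4))
        elif (m := RESP_RE.search(line)) and int(m.group(1)) == BIND_RESPONSE_TAG:
            f["bind_err"] = int(m.group(2))   # the result the client actually saw
    return f

def explain(f):
    # Conclusions a reader should draw; the TLS client DN line is not the failure.
    out = []
    if f["starttls"] and f["handshake_done"]:
        out.append("StartTLS negotiated and the TLS handshake completed")
    if not f["client_cert"]:
        out.append("no client certificate (informational unless SASL EXTERNAL)")
    if f["bind_method"] == SIMPLE_BIND and f["bind_err"] == INVALID_CREDENTIALS:
        out.append(f"simple bind as {f['bind_dn']} failed with invalidCredentials "
                   "(49): password check failed, not a TLS problem")
    return out
```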