Re: SSL problems with some clients

[Bradley Scutvick <brad@bytewise.net>]

For the Softerra client, try installing the cert7.db and key3.db files 
in its root folder, use netscape to go to 
https://yourldapserver:sslport#, then copy them from netscape over to 
the client.  I still don't know why exactly, but it worked for me.

Good luck,
Brad


Branko F. Gračnar wrote:
> Hi there!
>
> I'm experiencing problems with some clients utilizing SSL. I have openldap
> 2.1.12 server on linux platform with openssl version 0.9.6h.
>
> I can successfuly connect to port 636 with LDAP administrator, which is
> written in java, cyrus-saslauthd with tls, courier-imapd with tls.
>
> But i cannot connect with nss_ldap (with tls) and microsoft outlook clients
> or with softerra's ldap administrator 2.5 utilizing ssl or TLS.
>
> Here goes slapd's debug log, which holds informations about failed
> connection attempt from microsoft outlook express address book client using
> SSL.
>
> slapd runs unprivileged and chrooted.
>
> conn=1 fd=12 ACCEPT from IP=213.143.79.46:1136 (IP=0.0.0.0:636)
> daemon: added 12r
> daemon: activity on:
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 12r
> daemon: read activity on 12
> connection_get(12)
> connection_get(12): got connid=1
> connection_read(12): checking for input on id=1
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
>   0000:  80 4c 01 03 01 00 33 00  00 00 10                  .L....3....
> tls_read: want=67, got=67
>   0000:  00 00 04 00 00 05 00 00  0a 01 00 80 07 00 c0 03   ................
>   0010:  00 80 00 00 09 06 00 40  00 00 64 00 00 62 00 00   .......@..d..b..
>   0020:  03 00 00 06 02 00 80 04  00 80 00 00 13 00 00 12   ................
>   0030:  00 00 63 08 b5 c9 38 b9  a5 5b 63 46 0c 6c 67 52   ..c...8..[cF.lgR
>   0040:  74 47 c5                                           tG.
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> tls_write: want=1012, written=1012
>   0000:  16 03 01 00 4a 02 00 00  46 03 01 3e 2d a4 79 c6   ....J...F..>-.y.
>   0010:  4e 2e d6 78 bf 7f 0e ac  84 7f e5 94 d8 72 2e 94   N..x.........r..
>   0020:  0c 9e df c3 78 08 69 e5  c1 09 3b 20 83 3d 18 f1   ....x.i...; .=..
>   0030:  b2 e2 1d 70 29 86 d5 06  81 3a ad 75 04 d8 33 bd   ...p)....:.u..3.
>   0040:  9b 58 e8 63 a0 41 ec 9d  9e d8 7c 80 00 04 00 16   .X.c.A....|.....
>   0050:  03 01 03 97 0b 00 03 93  00 03 90 00 03 8d 30 82   ..............0.
>   0060:  03 89 30 82 02 f2 a0 03  02 01 02 02 01 00 30 0d   ..0...........0.
>   0070:  06 09 2a 86 48 86 f7 0d  01 01 04 05 00 30 81 90   ..*.H........0..
>   0080:  31 0b 30 09 06 03 55 04  06 13 02 53 49 31 11 30   1.0...U....SI1.0
>   0090:  0f 06 03 55 04 08 13 08  53 6c 6f 76 65 6e 69 61   ...U....Slovenia
>   00a0:  31 12 30 10 06 03 55 04  07 13 09 4c 6a 75 62 6c   1.0...U....Ljubl
>   00b0:  6a 61 6e 61 31 17 30 15  06 03 55 04 0a 13 0e 4e   jana1.0...U....N
>   00c0:  6f 76 69 66 6f 72 75 6d  20 4c 74 64 2e 31 1a 30   oviforum Ltd.1.0
>   00d0:  18 06 03 55 04 03 13 11  6c 64 61 70 2e 6e 6f 76   ...U....ldap.nov
>   00e0:  69 66 6f 72 75 6d 2e 73  69 31 25 30 23 06 09 2a   iforum.si1%0#..*
>   00f0:  86 48 86 f7 0d 01 09 01  16 16 6c 64 61 70 61 64   .H........ldapad
>   0100:  6d 69 6e 40 6e 6f 76 69  66 6f 72 75 6d 2e 73 69   min@ldap.org
>   0110:  30 1e 17 0d 30 33 30 31  32 31 31 39 34 35 35 33   0...030121194553
>   0120:  5a 17 0d 30 35 30 31 32  30 31 39 34 35 35 33 5a   Z..050120194553Z
>   0130:  30 81 90 31 0b 30 09 06  03 55 04 06 13 02 53 49   0..1.0...U....SI
>   0140:  31 11 30 0f 06 03 55 04  08 13 08 53 6c 6f 76 65   1.0...U....Slove
>   0150:  6e 69 61 31 12 30 10 06  03 55 04 07 13 09 4c 6a   nia1.0...U....Lj
>   0160:  75 62 6c 6a 61 6e 61 31  17 30 15 06 03 55 04 0a   ubljana1.0...U..
>   0170:  13 0e 4e 6f 76 69 66 6f  72 75 6d 20 4c 74 64 2e   ..LDAP.
>   0180:  31 1a 30 18 06 03 55 04  03 13 11 6c 64 61 70 2e   1.0...U....ldap.
>   0190:  6e 6f 76 69 66 6f 72 75  6d 2e 73 69 31 25 30 23   ldap.org1%0#
>   01a0:  06 09 2a 86 48 86 f7 0d  01 09 01 16 16 6c 64 61   ..*.H........lda
>   01b0:  70 61 64 6d 69 6e 40 6e  6f 76 69 66 6f 72 75 6d   padmin@ldap
>   01c0:  2e 73 69 30 81 9f 30 0d  06 09 2a 86 48 86 f7 0d   .si0..0...*.H...
>   01d0:  01 01 01 05 00 03 81 8d  00 30 81 89 02 81 81 00   .........0......
>   01e0:  ab 6b 3b 4a 6a ee cc d3  d3 f6 59 c7 98 4a 25 13   .k;Jj.....Y..J%.
>   01f0:  26 32 aa be 0b 95 2d d2  ce d6 d6 c9 10 9e 14 cb   &2....-.........
>   0200:  65 72 95 ec c0 68 d5 78  9e b9 9d 8e 7a b6 3b 25   er...h.x....z.;%
>   0210:  5b e5 b2 de f9 3d 7a 33  d2 d9 1c 9a 51 c5 84 1d   [....=z3....Q...
>   0220:  1b de 7b 35 73 24 55 a4  6f 98 39 d5 45 e9 1d 8e   ..{5s$U.o.9.E...
>   0230:  12 76 46 7c 8e 54 8b 1a  13 70 34 dc 2b 20 1f b2   .vF|.T...p4.+ ..
>   0240:  19 e3 fc 15 34 30 06 9a  17 58 6a b3 dd ba 1d 0c   ....40...Xj.....
>   0250:  71 4d d7 b7 6f a4 f8 e9  4a b3 22 39 cd fc 11 03   qM..o...J."9....
>   0260:  02 03 01 00 01 a3 81 f0  30 81 ed 30 1d 06 03 55   ........0..0...U
>   0270:  1d 0e 04 16 04 14 59 16  bb 38 af ea dc 1b 48 57   ......Y..8....HW
>   0280:  ba 5b f0 24 21 77 1d 8b  2d e1 30 81 bd 06 03 55   .[.$!w..-.0....U
>   0290:  1d 23 04 81 b5 30 81 b2  80 14 59 16 bb 38 af ea   .#...0....Y..8..
>   02a0:  dc 1b 48 57 ba 5b f0 24  21 77 1d 8b 2d e1 a1 81   ..HW.[.$!w..-...
>   02b0:  96 a4 81 93 30 81 90 31  0b 30 09 06 03 55 04 06   ....0..1.0...U..
>   02c0:  13 02 53 49 31 11 30 0f  06 03 55 04 08 13 08 53   ..SI1.0...U....S
>   02d0:  6c 6f 76 65 6e 69 61 31  12 30 10 06 03 55 04 07   lovenia1.0...U..
>   02e0:  13 09 4c 6a 75 62 6c 6a  61 6e 61 31 17 30 15 06   ..Ljubljana1.0..
>   02f0:  03 55 04 0a 13 0e 4e 6f  76 69 66 6f 72 75 6d 20   .U....Noviforum
>   0300:  4c 74 64 2e 31 1a 30 18  06 03 55 04 03 13 11 6c   Ltd.1.0...U....l
>   0310:  64 61 70 2e 6e 6f 76 69  66 6f 72 75 6d 2e 73 69   dap.ldap.org
>   0320:  31 25 30 23 06 09 2a 86  48 86 f7 0d 01 09 01 16   1%0#..*.H.......
>   0330:  16 6c 64 61 70 61 64 6d  69 6e 40 6e 6f 76 69 66   .ldapadmin@lda
>   0340:  6f 72 75 6d 2e 73 69 82  01 00 30 0c 06 03 55 1d   p.org...0...U.
>   0350:  13 04 05 30 03 01 01 ff  30 0d 06 09 2a 86 48 86   ...0....0...*.H.
>   0360:  f7 0d 01 01 04 05 00 03  81 81 00 7e d2 85 fa 5c   ...........~...\
>   0370:  c5 92 74 6d 7c a1 8d 35  3c e7 8b 7d 5a 8c 8c ab   ..tm|..5<..}Z...
>   0380:  5e f2 ce 59 3b 07 96 e1  a7 fc 2b b8 08 00 91 f0   ^..Y;.....+.....
>   0390:  39 ca 73 d3 8f 49 d7 dd  e6 46 8d 85 ff 17 68 b2   9.s..I...F....h.
>   03a0:  d6 21 66 ca d7 e7 23 12  e8 22 25 7d d2 69 69 cb   .!f...#.."%}.ii.
>   03b0:  7c 49 8e e6 72 d3 a9 4e  99 7e a1 7d 97 6e 9a f6   |I..r..N.~.}.n..
>   03c0:  97 06 f9 6d 31 47 38 bf  e7 90 3c 5e b4 1c 13 66   ...m1G8...<^...f
>   03d0:  2b e8 87 2b 43 69 79 bd  75 ce 10 eb 50 44 07 eb   +..+Ciy.u...PD..
>   03e0:  db 9f 33 f3 95 82 1f 14  90 37 fb 16 03 01 00 04   ..3......7......
>   03f0:  0e 00 00 00                                        ....
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5 error=Resource temporarily unavailable
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
>
> any ideas?
>
> best regards, Brane