
TLS headache



Hello,

I'm trying to make a TLS connection work between LDAP clients and slapd,
but I always get an SSL error. The configuration can't be simpler;
I'm using a self-issued certificate.

Please, can anyone tell me what's wrong with my configuration?

thanks,

/usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ldap                  *:*                     LISTEN
tcp        0      0 *:ldaps                 *:*                     LISTEN

slapd.conf excerpt
==================
TLSVerifyClient true
TLSCipherSuite  HIGH
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem

ldap.conf excerpt
==================
TLS_CACERT      /usr/local/openldap/etc/openldap/slapd.pem
TLS_CERT        /usr/local/openldap/etc/openldap/slapd.pem
TLS_KEY         /usr/local/openldap/etc/openldap/slapd.key
TLS_REQCERT allow

filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
        Validity
            Not Before: Jun 16 11:09:22 2003 GMT
            Not After : Jun 14 11:09:22 2008 GMT
        Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:d7:38:ea:8e:a2:1d:56:de:38:05:c1:41:1f:c5:
                    e1:06:27:28:1b:b6:86:56:7a:b2:bf:48:67:80:ab:
                    15:89:61:0c:f9:c5:26:1b:f9:07:da:cc:da:c9:f1:
                    64:0a:81:09:c3:6c:1d:26:1b:b9:35:0c:83:a6:0a:
                    08:ef:02:ef:a5:9e:6f:17:23:20:72:0f:e3:62:88:
                    40:f8:55:55:c2:75:7b:1d:b3:d8:bf:f2:50:f1:f9:
                    45:d9:fa:ca:b5:df:b2:ed:8a:f9:8a:29:c2:48:b5:
                    ad:4e:c2:d9:54:55:cf:5a:54:d8:3b:f9:3c:ea:d2:
                    8d:eb:8d:d1:45:4c:c5:1e:87:9d:35:2a:d9:94:fd:
                    a9:0d:17:3f:ca:15:8d:f6:48:80:1b:31:4b:46:99:
                    cd:e7:93:cb:92:9c:25:22:f5:ab:9a:01:90:20:c6:
                    70:6b:8d:d1:dd:3b:73:f1:7a:9f:d8:31:fc:b4:4d:
                    e8:d9:53:1b:45:87:6d:51:4e:40:48:bd:0d:b1:a4:
                    3f:51:37:0a:f1:0b:bb:18:be:02:69:a5:ce:67:85:
                    91:25:3a:44:85:bf:6f:ee:cb:cc:44:71:6c:57:99:
                    74:0a:15:ef:7b:e7:29:79:8a:5a:3b:6e:61:ba:09:
                    7f:73:33:da:31:3d:e0:05:da:32:c9:0c:12:64:1a:
                    a1:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
            X509v3 Authority Key Identifier:
                keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
                DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        90:81:6e:b2:72:4c:70:2f:c4:5a:41:90:70:0b:0c:77:d0:18:
        af:e2:a5:13:4f:4b:41:23:87:05:a2:6c:f1:d5:8d:84:34:a6:
        fd:5a:c0:93:9f:b2:a4:4d:0b:d6:fd:7b:28:45:f4:35:b4:a9:
        2c:29:1f:6a:c4:5e:87:d2:59:e1:75:1d:9f:2b:3d:69:cd:d9:
        da:b7:15:03:0d:2c:b4:1d:c2:8e:a2:45:47:a9:e7:2a:3d:28:
        22:2b:41:49:25:0e:38:ee:0c:84:b9:e4:1b:f8:07:e8:3b:1a:
        4c:de:68:50:20:fb:2e:f0:74:a2:db:c2:96:95:65:c1:de:e8:
        a2:3d:f6:a9:48:9e:1f:e4:67:ba:59:e5:9a:cb:d6:79:34:7f:
        4d:9a:8e:4a:66:68:d4:59:6f:d7:86:ac:32:8c:3c:f4:e4:60:
        a0:3c:6a:e3:0c:e6:b8:46:b6:1e:c6:25:20:04:5a:93:4f:c2:
        90:3c:b6:7f:88:08:d1:09:59:e7:a1:a7:b4:04:53:28:5b:b2:
        8f:4d:08:58:d2:c2:37:ee:56:ee:23:15:e3:c7:e5:e0:f2:77:
        cb:d9:58:43:53:be:18:1a:f3:8a:19:5b:36:30:49:3c:a4:cb:
        58:78:fc:9f:92:c1:1d:f0:5e:d4:e3:da:8f:0c:5a:74:18:27:
        30:8d:20:cc

	/------/

ldapsearch -ZZ -d -1 -b "dc=fadesa"
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: -1
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=filemon.servidores.fadesa
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jun 16 13:54:07 2003

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=9, got=9
  0000:  30 0c 02 01 01 78 07 0a  01                        0....x...
ldap_read: want=5, got=5
  0000:  00 04 00 04 00                                     .....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
  0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0

ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
  0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 16 00 00   .z....Q... .....
  0010:  13 00 00 0a 07 00 c0 00  00 66 00 00 05 00 00 04   .........f......
  0020:  03 00 80 01 00 80 08 00  80 00 00 65 00 00 64 00   ...........e..d.
  0030:  00 63 00 00 62 00 00 61  00 00 60 00 00 15 00 00   .c..b..a..`.....
  0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08   ......@.........
  0050:  00 00 06 00 00 03 04 00  80 02 00 80 39 13 8b a0   ............9...
  0060:  72 49 06 d9 a2 aa 96 66  d6 a7 cc a6 5b f3 c8 52   rI.....f....[..R
  0070:  b0 98 c2 d9 ea f4 d7 68  fb 1a 74 07               .......h..t.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  16 03 01 00 4a 02 00                               ....J..
tls_read: want=72, got=72
  0000:  00 46 03 01 3e ed af df  ac 36 d2 53 17 d5 a0 12   .F..>....6.S....
  0010:  d3 ed 59 a0 c1 76 d2 06  64 e6 06 8e 52 8e d9 85   ..Y..v..d...R...
  0020:  80 ce 6d 47 20 8c 89 00  18 6a 0c 2b d9 ff c5 44   ..mG ....j.+...D
  0030:  d5 65 79 1a 7a f8 26 99  b4 6a e3 fa c4 9c 49 10   .ey.z.&..j....I.
  0040:  9f d1 77 2b 09 00 0a 00                            ..w+....
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
  0000:  16 03 01 04 93                                     .....
tls_read: want=1171, got=1171
  0000:  0b 00 04 8f 00 04 8c 00  04 89 30 82 04 85 30 82   ..........0...0.
  0010:  03 6d a0 03 02 01 02 02  01 00 30 0d 06 09 2a 86   .m........0...*.
  0020:  48 86 f7 0d 01 01 04 05  00 30 81 8d 31 0b 30 09   H........0..1.0.
  0030:  06 03 55 04 06 13 02 45  53 31 12 30 10 06 03 55   ..U....ES1.0...U
  0040:  04 08 14 09 4c 61 20 43  6f 72 75 f1 61 31 12 30   ....La Coru.a1.0
  0050:  10 06 03 55 04 07 14 09  4c 61 20 43 6f 72 75 f1   ...U....La Coru.
  0060:  61 31 0f 30 0d 06 03 55  04 0a 13 06 46 61 64 65   a1.0...U....Fade
  0070:  73 61 31 14 30 12 06 03  55 04 0b 13 0b 69 6e 66   sa1.0...U....inf
  0080:  6f 72 6d 61 74 69 63 61  31 11 30 0f 06 03 55 04   ormatica1.0...U.
  0090:  03 13 08 6f 70 65 6e 6c  64 61 70 31 1c 30 1a 06   ...openldap1.0..
  00a0:  09 2a 86 48 86 f7 0d 01  09 01 16 0d 6e 6f 6e 65   .*.H........none
  00b0:  40 66 66 66 66 66 2e 66  66 30 1e 17 0d 30 33 30   @fffff.ff0...030
  00c0:  36 31 36 31 31 30 39 32  32 5a 17 0d 30 38 30 36   616110922Z..0806
  00d0:  31 34 31 31 30 39 32 32  5a 30 81 8d 31 0b 30 09   14110922Z0..1.0.
  00e0:  06 03 55 04 06 13 02 45  53 31 12 30 10 06 03 55   ..U....ES1.0...U
  00f0:  04 08 14 09 4c 61 20 43  6f 72 75 f1 61 31 12 30   ....La Coru.a1.0
  0100:  10 06 03 55 04 07 14 09  4c 61 20 43 6f 72 75 f1   ...U....La Coru.
  0110:  61 31 0f 30 0d 06 03 55  04 0a 13 06 46 61 64 65   a1.0...U....Fade
  0120:  73 61 31 14 30 12 06 03  55 04 0b 13 0b 69 6e 66   sa1.0...U....inf
  0130:  6f 72 6d 61 74 69 63 61  31 11 30 0f 06 03 55 04   ormatica1.0...U.
  0140:  03 13 08 6f 70 65 6e 6c  64 61 70 31 1c 30 1a 06   ...openldap1.0..
  0150:  09 2a 86 48 86 f7 0d 01  09 01 16 0d 6e 6f 6e 65   .*.H........none
  0160:  40 66 66 66 66 66 2e 66  66 30 82 01 22 30 0d 06   @fffff.ff0.."0..
  0170:  09 2a 86 48 86 f7 0d 01  01 01 05 00 03 82 01 0f   .*.H............
  0180:  00 30 82 01 0a 02 82 01  01 00 d7 38 ea 8e a2 1d   .0.........8....
  0190:  56 de 38 05 c1 41 1f c5  e1 06 27 28 1b b6 86 56   V.8..A....'(...V
  01a0:  7a b2 bf 48 67 80 ab 15  89 61 0c f9 c5 26 1b f9   z..Hg....a...&..
  01b0:  07 da cc da c9 f1 64 0a  81 09 c3 6c 1d 26 1b b9   ......d....l.&..
  01c0:  35 0c 83 a6 0a 08 ef 02  ef a5 9e 6f 17 23 20 72   5..........o.# r
  01d0:  0f e3 62 88 40 f8 55 55  c2 75 7b 1d b3 d8 bf f2   ..b.@.UU.u{.....
  01e0:  50 f1 f9 45 d9 fa ca b5  df b2 ed 8a f9 8a 29 c2   P..E..........).
  01f0:  48 b5 ad 4e c2 d9 54 55  cf 5a 54 d8 3b f9 3c ea   H..N..TU.ZT.;.<.
  0200:  d2 8d eb 8d d1 45 4c c5  1e 87 9d 35 2a d9 94 fd   .....EL....5*...
  0210:  a9 0d 17 3f ca 15 8d f6  48 80 1b 31 4b 46 99 cd   ...?....H..1KF..
  0220:  e7 93 cb 92 9c 25 22 f5  ab 9a 01 90 20 c6 70 6b   .....%"..... .pk
  0230:  8d d1 dd 3b 73 f1 7a 9f  d8 31 fc b4 4d e8 d9 53   ...;s.z..1..M..S
  0240:  1b 45 87 6d 51 4e 40 48  bd 0d b1 a4 3f 51 37 0a   .E.mQN@H....?Q7.
  0250:  f1 0b bb 18 be 02 69 a5  ce 67 85 91 25 3a 44 85   ......i..g..%:D.
  0260:  bf 6f ee cb cc 44 71 6c  57 99 74 0a 15 ef 7b e7   .o...DqlW.t...{.
  0270:  29 79 8a 5a 3b 6e 61 ba  09 7f 73 33 da 31 3d e0   )y.Z;na...s3.1=.
  0280:  05 da 32 c9 0c 12 64 1a  a1 87 02 03 01 00 01 a3   ..2...d.........
  0290:  81 ed 30 81 ea 30 1d 06  03 55 1d 0e 04 16 04 14   ..0..0...U......
  02a0:  25 18 ef 9a 09 20 44 11  fc 3a b7 6c 67 7e 80 b4   %.... D..:.lg~..
  02b0:  3c 21 ef 64 30 81 ba 06  03 55 1d 23 04 81 b2 30   <!.d0....U.#...0
  02c0:  81 af 80 14 25 18 ef 9a  09 20 44 11 fc 3a b7 6c   ....%.... D..:.l
  02d0:  67 7e 80 b4 3c 21 ef 64  a1 81 93 a4 81 90 30 81   g~..<!.d......0.
  02e0:  8d 31 0b 30 09 06 03 55  04 06 13 02 45 53 31 12   .1.0...U....ES1.
  02f0:  30 10 06 03 55 04 08 14  09 4c 61 20 43 6f 72 75   0...U....La Coru
  0300:  f1 61 31 12 30 10 06 03  55 04 07 14 09 4c 61 20   .a1.0...U....La
  0310:  43 6f 72 75 f1 61 31 0f  30 0d 06 03 55 04 0a 13   Coru.a1.0...U...
  0320:  06 46 61 64 65 73 61 31  14 30 12 06 03 55 04 0b   .Fadesa1.0...U..
  0330:  13 0b 69 6e 66 6f 72 6d  61 74 69 63 61 31 11 30   ..informatica1.0
  0340:  0f 06 03 55 04 03 13 08  6f 70 65 6e 6c 64 61 70   ...U....openldap
  0350:  31 1c 30 1a 06 09 2a 86  48 86 f7 0d 01 09 01 16   1.0...*.H.......
  0360:  0d 6e 6f 6e 65 40 66 66  66 66 66 2e 66 66 82 01   .none@fffff.ff..
  0370:  00 30 0c 06 03 55 1d 13  04 05 30 03 01 01 ff 30   .0...U....0....0
  0380:  0d 06 09 2a 86 48 86 f7  0d 01 01 04 05 00 03 82   ...*.H..........
  0390:  01 01 00 90 81 6e b2 72  4c 70 2f c4 5a 41 90 70   .....n.rLp/.ZA.p
  03a0:  0b 0c 77 d0 18 af e2 a5  13 4f 4b 41 23 87 05 a2   ..w......OKA#...
  03b0:  6c f1 d5 8d 84 34 a6 fd  5a c0 93 9f b2 a4 4d 0b   l....4..Z.....M.
  03c0:  d6 fd 7b 28 45 f4 35 b4  a9 2c 29 1f 6a c4 5e 87   ..{(E.5..,).j.^.
  03d0:  d2 59 e1 75 1d 9f 2b 3d  69 cd d9 da b7 15 03 0d   .Y.u..+=i.......
  03e0:  2c b4 1d c2 8e a2 45 47  a9 e7 2a 3d 28 22 2b 41   ,.....EG..*=("+A
  03f0:  49 25 0e 38 ee 0c 84 b9  e4 1b f8 07 e8 3b 1a 4c   I%.8.........;.L
  0400:  de 68 50 20 fb 2e f0 74  a2 db c2 96 95 65 c1 de   .hP ...t.....e..
  0410:  e8 a2 3d f6 a9 48 9e 1f  e4 67 ba 59 e5 9a cb d6   ..=..H...g.Y....
  0420:  79 34 7f 4d 9a 8e 4a 66  68 d4 59 6f d7 86 ac 32   y4.M..Jfh.Yo...2
  0430:  8c 3c f4 e4 60 a0 3c 6a  e3 0c e6 b8 46 b6 1e c6   .<..`.<j....F...
  0440:  25 20 04 5a 93 4f c2 90  3c b6 7f 88 08 d1 09 59   % .Z.O..<......Y
  0450:  e7 a1 a7 b4 04 53 28 5b  b2 8f 4d 08 58 d2 c2 37   .....S([..M.X..7
  0460:  ee 56 ee 23 15 e3 c7 e5  e0 f2 77 cb d9 58 43 53   .V.#......w..XCS
  0470:  be 18 1a f3 8a 19 5b 36  30 49 3c a4 cb 58 78 fc   ......[60I<..Xx.
  0480:  9f 92 c1 1d f0 5e d4 e3  da 8f 0c 5a 74 18 27 30   .....^.....Zt.'0
  0490:  8d 20 cc                                           . .
TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------