I have tried the instructions in your HOWTO (very clear / thank you!), after a lot of time and frustration trying to set up an LDAP server with TLS, but the client seems not to like the server certificate. Here are my configuration files for the openldap 2.1.21 on a RH8 linux box:
/etc/openldap/slapd.conf:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema
loglevel 296
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never
access to * by read
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=prisma,dc=com"
rootdn "cn=root,dc=prisma,dc=com"
rootpw {SSHA}vZddgTWTErSxFyNG2MC8fnp4k/9zNadi
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
/etc/ldap.conf:
HOST 127.0.0.1
PORT 389
TLS_CACERT /usr/share/ssl/misc/demoCA/cacert.pem
TLS_CACERTDIR /usr/share/ssl/misc/demoCA
TLS_REQCERT never
This is the result of the ldapsearch with -ZZ option in the slapd log:
conn=0 fd=12 ACCEPT from IP=127.0.0.1:32792 (IP=0.0.0.0:389)
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
0000: 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 ..............f.
0010: 00 05 00 00 04 03 00 80 01 00 80 08 00 80 00 00 ................
0020: 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 e..d..c..b..a..`
0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 ...........@....
0040: 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 ................
0050: 80 d6 47 98 b5 73 99 81 d2 68 e6 97 b8 90 c1 ed ..G..s...h......
0060: d0 76 73 9d a7 dc 96 f8 de 66 b0 ca c1 37 c2 65 .vs......f...7.e
0070: 0e .
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1069, written=1069
0000: 16 03 01 00 4a 02 00 00 46 03 01 3e ee ad 0b 74 ....J...F..>...t
0010: d4 44 d8 fe 96 28 8b 8c e2 e4 f2 20 82 ef d4 13 .D...(..... ....
0020: 17 84 8c 13 56 d0 79 bc d8 b6 55 20 16 18 66 79 ....V.y...U ..fy
0030: 8e 19 5c d4 52 89 73 a7 96 d8 2f 22 9b f1 8c 5c ..\.R.s.../"...\
0040: 3a e4 c3 9c 13 ba 32 ab 51 06 09 dc 00 0a 00 16 :.....2.Q.......
0050: 03 01 03 d0 0b 00 03 cc 00 03 c9 00 03 c6 30 82 ..............0.
0060: 03 c2 30 82 03 2b a0 03 02 01 02 02 01 01 30 0d ..0..+........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 94 ..*.H........0..
0080: 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0f 30 1.0...U....IT1.0
0090: 0d 06 03 55 04 08 13 06 4d 69 6c 61 6e 6f 31 0f ...U....Milano1.
00a0: 30 0d 06 03 55 04 07 13 06 4d 69 6c 61 6e 6f 31 0...U....Milano1
00b0: 1f 30 1d 06 03 55 04 0a 13 16 50 72 69 73 6d 61 .0...U....Prisma
00c0: 20 45 6e 67 69 6e 65 65 72 69 6e 67 20 73 72 6c Engineering srl
00d0: 31 0d 30 0b 06 03 55 04 0b 13 04 4c 44 41 50 31 1.0...U....LDAP1
00e0: 13 30 11 06 03 55 04 03 13 0a 70 72 69 73 6d 61 .0...U....prisma
00f0: 2e 63 6f 6d 31 1e 30 1c 06 09 2a 86 48 86 f7 0d .com1.0...*.H...
0100: 01 09 01 16 0f 6c 64 61 70 40 70 72 69 73 6d 61 .....ldap@prisma
0110: 2e 63 6f 6d 30 1e 17 0d 30 33 30 36 31 37 30 35 .com0...03061705
0120: 33 30 32 30 5a 17 0d 30 34 30 36 31 36 30 35 33 3020Z..040616053
0130: 30 32 30 5a 30 81 94 31 0b 30 09 06 03 55 04 06 020Z0..1.0...U..
0140: 13 02 49 54 31 0f 30 0d 06 03 55 04 08 13 06 4d ..IT1.0...U....M
0150: 69 6c 61 6e 6f 31 0f 30 0d 06 03 55 04 07 13 06 ilano1.0...U....
0160: 4d 69 6c 61 6e 6f 31 1f 30 1d 06 03 55 04 0a 13 Milano1.0...U...
0170: 16 50 72 69 73 6d 61 20 45 6e 67 69 6e 65 65 72 .Prisma Engineer
0180: 69 6e 67 20 73 72 6c 31 0d 30 0b 06 03 55 04 0b ing srl1.0...U..
0190: 13 04 4c 44 41 50 31 13 30 11 06 03 55 04 03 13 ..LDAP1.0...U...
01a0: 0a 70 72 69 73 6d 61 2e 63 6f 6d 31 1e 30 1c 06 .prisma.com1.0..
01b0: 09 2a 86 48 86 f7 0d 01 09 01 16 0f 6c 64 61 70 .*.H........ldap
01c0: 40 70 72 69 73 6d 61 2e 63 6f 6d 30 81 9f 30 0d @prisma.com0..0.
01d0: 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d ..*.H...........
01e0: 00 30 81 89 02 81 81 00 bd d9 8a d3 ce a6 89 35 .0.............5
01f0: c4 1d 79 3b 53 44 08 08 a7 92 2a e6 4d 5b db 35 ..y;SD....*.M[.5
0200: ec b7 2e ca 9b ea 4e 77 9e 98 8f de ff 67 ae d0 ......Nw.....g..
0210: f8 17 45 95 02 55 86 34 7a 2b a9 1f 23 3a cc 5e ..E..U.4z+..#:.^
0220: d9 5b 76 df 51 e6 07 fe b9 24 15 66 f8 9f 6d 29 .[v.Q....$.f..m)
0230: ea 96 21 66 a3 72 ef 20 d7 e7 6a fa f6 55 18 35 ..!f.r. ..j..U.5
0240: af c9 54 cf 84 f1 76 55 38 e5 5e 0f 95 53 b4 fd ..T...vU8.^..S..
0250: 1f 0a 3c 48 3b b4 cb 01 e1 ab 04 a6 70 a8 65 63 ..<H;.......p.ec
0260: 5f 8e 28 79 ff ca d1 61 02 03 01 00 01 a3 82 01 _.(y...a........
0270: 20 30 82 01 1c 30 09 06 03 55 1d 13 04 02 30 00 0...0...U....0.
0280: 30 2c 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 0,..`.H...B.....
0290: 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 .OpenSSL Generat
02a0: 65 64 20 43 65 72 74 69 66 69 63 61 74 65 30 1d ed Certificate0.
02b0: 06 03 55 1d 0e 04 16 04 14 24 59 e5 47 7e b2 95 ..U......$Y.G~..
02c0: c0 2c 62 ec 73 56 c1 ae b1 b1 77 f0 df 30 81 c1 .,b.sV....w..0..
02d0: 06 03 55 1d 23 04 81 b9 30 81 b6 80 14 1f 83 c3 ..U.#...0.......
02e0: e4 b0 f7 f9 eb bf de 5e 79 90 3d 73 64 18 c3 84 .......^y.=sd...
02f0: dd a1 81 9a a4 81 97 30 81 94 31 0b 30 09 06 03 .......0..1.0...
0300: 55 04 06 13 02 49 54 31 0f 30 0d 06 03 55 04 08 U....IT1.0...U..
0310: 13 06 4d 69 6c 61 6e 6f 31 0f 30 0d 06 03 55 04 ..Milano1.0...U.
0320: 07 13 06 4d 69 6c 61 6e 6f 31 1f 30 1d 06 03 55 ...Milano1.0...U
0330: 04 0a 13 16 50 72 69 73 6d 61 20 45 6e 67 69 6e ....Prisma Engin
0340: 65 65 72 69 6e 67 20 73 72 6c 31 0d 30 0b 06 03 eering srl1.0...
0350: 55 04 0b 13 04 4c 44 41 50 31 13 30 11 06 03 55 U....LDAP1.0...U
0360: 04 03 13 0a 70 72 69 73 6d 61 2e 63 6f 6d 31 1e ....prisma.com1.
0370: 30 1c 06 09 2a 86 48 86 f7 0d 01 09 01 16 0f 6c 0...*.H........l
0380: 64 61 70 40 70 72 69 73 6d 61 2e 63 6f 6d 82 01 dap@prisma.com..
0390: 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 .0...*.H........
03a0: 03 81 81 00 2d fb 74 28 0a 76 f5 b9 a3 cb ef 8c ....-.t(.v......
03b0: 0a df dd 67 8b 12 a3 7a b4 a6 28 83 6e 70 98 7b ...g...z..(.np.{
03c0: 7c 0c 68 4f d4 f4 f9 67 67 56 c9 e9 16 3a 28 8f |.hO...ggV...:(.
03d0: 37 fa 35 67 ae 1a a2 d5 82 c2 74 f6 a9 c0 cf f2 7.5g......t.....
03e0: 24 24 a0 fa bd bf 6e aa 15 e8 a6 8a 91 50 cd 18 $$....n......P..
03f0: 44 cc 4f be dd 69 e4 86 51 13 b2 68 66 a0 74 15 D.O..i..Q..hf.t.
0400: 7e 91 18 b4 36 33 97 d1 15 72 9c 1e 90 1b 72 5d ~...63...r....r]
0410: 80 43 d3 70 55 f0 b9 0c 46 99 2e 85 65 12 db 21 .C.pU...F...e..!
0420: 64 4b b3 c5 16 03 01 00 04 0e 00 00 00 dK...........
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1002
connection_read(12): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
conn=0 fd=12 closed
Needless to say, without TLS ldapsearch is OK and returns the correct search.
Sorry for the long mail, but I think this problem affects a lot of people.
Does it have to do with server name, CA names? Documentation states that the DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name. What does it mean?
Thank you
Paolo
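Paolo's question about the CN, worked as an added example that is not code from the thread, from Kent's HOWTO or from OpenLDAP itself: the script pulls the CN out of a subject string in the slash form printed by openssl and by the slapd TLS trace, compares it with the host the client connects to using RFC 2818-style matching, and states what each TLS_REQCERT level documented in ldap.conf(5) makes the client do when the server certificate fails verification. The two subject strings are taken from the certificates shown in the thread; the function names, the `*.` wildcard rule and the simplified `preflight` report are this example's own assumptions and approximate, rather than reproduce, libldap's checks.

```python
"""Added example: client-side sanity checks for an OpenLDAP StartTLS setup.

Two things from the thread are modelled here:
  1. does the CN in the server certificate name the host the client dials?
  2. what does ldap.conf(5) TLS_REQCERT make the client do when the server
     certificate cannot be verified?
Function names, the wildcard rule and the preflight() report are this
example's own assumptions; they approximate, not reproduce, libldap."""
import re
from typing import Optional

# Subject strings in the slash form printed by `openssl x509 -subject` and by
# the slapd/ldapsearch TLS trace.  Copied from the two certificates in the thread.
SUBJECT_PRISMA = ("/C=IT/ST=Milano/L=Milano/O=Prisma Engineering srl/OU=LDAP"
                  "/CN=prisma.com/Email=ldap@prisma.com")
SUBJECT_FADESA = ("/C=ES/ST=La Coru\\xF1a/L=La Coru\\xF1a/O=Fadesa/OU=informatica"
                  "/CN=openldap/Email=none@fffff.ff")

# ldap.conf(5) TLS_REQCERT levels: (terminate if no cert, terminate if bad cert)
REQCERT_LEVELS = {
    "never":  (False, False),   # certificate is neither requested nor checked
    "allow":  (False, False),   # bad or missing certificate is ignored
    "try":    (False, True),    # missing is fine, bad terminates the session
    "demand": (True, True),     # default: missing or bad terminates
    "hard":   (True, True),     # synonym for demand
}


def subject_cn(subject: str) -> Optional[str]:
    """Pull the CN attribute out of a slash-separated X.509 subject string."""
    m = re.search(r"(?:^|/)CN=([^/]*)", subject)
    return m.group(1) if m else None


def cn_matches_host(cn: str, host: str) -> bool:
    """RFC 2818-style comparison of a certificate CN with the connect host.

    Case-insensitive; a '*' is honoured only as the entire leftmost label and
    stands for exactly one label; an IP literal never matches a DNS-name CN.
    """
    cn, host = cn.strip().lower().rstrip("."), host.strip().lower().rstrip(".")
    if not cn or not host:
        return False
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return False
    if cn == host:
        return True
    if cn.startswith("*.") and "*" not in cn[2:]:
        cn_labels, host_labels = cn.split("."), host.split(".")
        return (len(cn_labels) == len(host_labels)
                and cn_labels[1:] == host_labels[1:])
    return False


def reqcert_outcome(level: str, presented: bool, verified: bool) -> str:
    """'proceed' or 'terminate' for a TLS_REQCERT level, per ldap.conf(5)."""
    try:
        fail_if_missing, fail_if_bad = REQCERT_LEVELS[level.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown TLS_REQCERT value: {level!r}") from None
    if not presented:
        return "terminate" if fail_if_missing else "proceed"
    if not verified:
        return "terminate" if fail_if_bad else "proceed"
    return "proceed"


def preflight(subject: str, host: str, reqcert: str, chain_ok: bool) -> dict:
    """Report what a client dialling `host` should expect from this certificate.

    `chain_ok` stands in for the CA check against TLS_CACERT; the name check is
    applied on top of it.  A simplification, not libldap's exact order."""
    cn = subject_cn(subject) or ""
    name_ok = cn_matches_host(cn, host)
    return {
        "cn": cn,
        "host": host,
        "name_matches": name_ok,
        "session": reqcert_outcome(reqcert, presented=True,
                                   verified=chain_ok and name_ok),
    }


if __name__ == "__main__":
    # Paolo: ldap.conf says HOST 127.0.0.1, the certificate says CN=prisma.com
    print(preflight(SUBJECT_PRISMA, "127.0.0.1", "demand", chain_ok=True))
    print(preflight(SUBJECT_PRISMA, "prisma.com", "demand", chain_ok=True))
    # Jose: the client resolved filemon.servidores.fadesa, the cert says CN=openldap
    print(preflight(SUBJECT_FADESA, "filemon.servidores.fadesa", "allow", chain_ok=False))
```

Run as a script it prints one report per scenario; the first and third show a CN that cannot match the host in the client's configuration, which is the situation the "fully qualified domain name" sentence in the documentation warns about. With TLS_REQCERT set to `never` or `allow` the session still proceeds, which is exactly why those settings hide the problem instead of fixing it.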
----- Original Message -----
From: "Kent Soper" <dksoper@us.ibm.com>
To: <ldap@fadesa.es>
Cc: <openldap-software@OpenLDAP.org>
Sent: Monday, June 16, 2003 9:25 PM
Subject: Re: TLS headache
Hi Jose,
I'm not sure whether you're trying to get server side TLS or server side TLS with client side authentication working. If you are only setting up server side TLS, then you don't need the TLSVerifyClient line in slapd.conf or much of the ldap.conf file.
If you are trying to set up client authentication, then your user (client) will also need the TLS_CERT and TLS_KEY entries moved from ldap.conf to either a file called ldaprc or .ldaprc in the user's home directory or current directory.
Please see the new doc http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html for various TLS/SSL issues. It's full of examples too. Well written (tongue firmly in cheek!!).
Cheers,
Kent Soper
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
phone: 1-512-838-9216
e-mail: dksoper@us.ibm.com
"José M. Fandiño" <ldap@fadesa.es>
Sent by: owner-openldap-software@OpenLDAP.org
06/16/2003 06:56 AM
Please respond to ldap
To: openldap-software@OpenLDAP.org
cc:
Subject: TLS headache
Hello,
I'm trying to make a TLS connection work between ldap clients and slapd but I always get an ssl error. The configuration can't be simpler; I'm using a self-issued certificate.
Please, can anyone tell me what's wrong with my configuration?
thanks,
/usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ldap *:* LISTEN
tcp 0 0 *:ldaps *:* LISTEN
slapd.conf excerpt
==================
TLSVerifyClient true
TLSCipherSuite HIGH
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem
ldap.conf excerpt
==================
TLS_CACERT /usr/local/openldap/etc/openldap/slapd.pem
TLS_CERT /usr/local/openldap/etc/openldap/slapd.pem
TLS_KEY /usr/local/openldap/etc/openldap/slapd.key
TLS_REQCERT allow
filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
Validity
Not Before: Jun 16 11:09:22 2003 GMT
Not After : Jun 14 11:09:22 2008 GMT
Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d7:38:ea:8e:a2:1d:56:de:38:05:c1:41:1f:c5:
e1:06:27:28:1b:b6:86:56:7a:b2:bf:48:67:80:ab:
15:89:61:0c:f9:c5:26:1b:f9:07:da:cc:da:c9:f1:
64:0a:81:09:c3:6c:1d:26:1b:b9:35:0c:83:a6:0a:
08:ef:02:ef:a5:9e:6f:17:23:20:72:0f:e3:62:88:
40:f8:55:55:c2:75:7b:1d:b3:d8:bf:f2:50:f1:f9:
45:d9:fa:ca:b5:df:b2:ed:8a:f9:8a:29:c2:48:b5:
ad:4e:c2:d9:54:55:cf:5a:54:d8:3b:f9:3c:ea:d2:
8d:eb:8d:d1:45:4c:c5:1e:87:9d:35:2a:d9:94:fd:
a9:0d:17:3f:ca:15:8d:f6:48:80:1b:31:4b:46:99:
cd:e7:93:cb:92:9c:25:22:f5:ab:9a:01:90:20:c6:
70:6b:8d:d1:dd:3b:73:f1:7a:9f:d8:31:fc:b4:4d:
e8:d9:53:1b:45:87:6d:51:4e:40:48:bd:0d:b1:a4:
3f:51:37:0a:f1:0b:bb:18:be:02:69:a5:ce:67:85:
91:25:3a:44:85:bf:6f:ee:cb:cc:44:71:6c:57:99:
74:0a:15:ef:7b:e7:29:79:8a:5a:3b:6e:61:ba:09:
7f:73:33:da:31:3d:e0:05:da:32:c9:0c:12:64:1a:
a1:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
X509v3 Authority Key Identifier:
keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
90:81:6e:b2:72:4c:70:2f:c4:5a:41:90:70:0b:0c:77:d0:18:
af:e2:a5:13:4f:4b:41:23:87:05:a2:6c:f1:d5:8d:84:34:a6:
fd:5a:c0:93:9f:b2:a4:4d:0b:d6:fd:7b:28:45:f4:35:b4:a9:
2c:29:1f:6a:c4:5e:87:d2:59:e1:75:1d:9f:2b:3d:69:cd:d9:
da:b7:15:03:0d:2c:b4:1d:c2:8e:a2:45:47:a9:e7:2a:3d:28:
22:2b:41:49:25:0e:38:ee:0c:84:b9:e4:1b:f8:07:e8:3b:1a:
4c:de:68:50:20:fb:2e:f0:74:a2:db:c2:96:95:65:c1:de:e8:
a2:3d:f6:a9:48:9e:1f:e4:67:ba:59:e5:9a:cb:d6:79:34:7f:
4d:9a:8e:4a:66:68:d4:59:6f:d7:86:ac:32:8c:3c:f4:e4:60:
a0:3c:6a:e3:0c:e6:b8:46:b6:1e:c6:25:20:04:5a:93:4f:c2:
90:3c:b6:7f:88:08:d1:09:59:e7:a1:a7:b4:04:53:28:5b:b2:
8f:4d:08:58:d2:c2:37:ee:56:ee:23:15:e3:c7:e5:e0:f2:77:
cb:d9:58:43:53:be:18:1a:f3:8a:19:5b:36:30:49:3c:a4:cb:
58:78:fc:9f:92:c1:1d:f0:5e:d4:e3:da:8f:0c:5a:74:18:27:
30:8d:20:cc
/------/
ldapsearch -ZZ -d -1 -b "dc=fadesa"
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: -1
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=filemon.servidores.fadesa
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 16 13:54:07 2003
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=9, got=9
0000: 30 0c 02 01 01 78 07 0a 01 0....x...
ldap_read: want=5, got=5
0000: 00 04 00 04 00 .....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 16 00 00 .z....Q... .....
0010: 13 00 00 0a 07 00 c0 00 00 66 00 00 05 00 00 04 .........f......
0020: 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 ...........e..d.
0030: 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 .c..b..a..`.....
0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
0050: 00 00 06 00 00 03 04 00 80 02 00 80 39 13 8b a0 ............9...
0060: 72 49 06 d9 a2 aa 96 66 d6 a7 cc a6 5b f3 c8 52 rI.....f....[..R
0070: b0 98 c2 d9 ea f4 d7 68 fb 1a 74 07 .......h..t.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 00 4a 02 00 ....J..
tls_read: want=72, got=72
0000: 00 46 03 01 3e ed af df ac 36 d2 53 17 d5 a0 12 .F..>....6.S....
0010: d3 ed 59 a0 c1 76 d2 06 64 e6 06 8e 52 8e d9 85 ..Y..v..d...R...
0020: 80 ce 6d 47 20 8c 89 00 18 6a 0c 2b d9 ff c5 44 ..mG ....j.+...D
0030: d5 65 79 1a 7a f8 26 99 b4 6a e3 fa c4 9c 49 10 .ey.z.&..j....I.
0040: 9f d1 77 2b 09 00 0a 00 ..w+....
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 04 93 .....
tls_read: want=1171, got=1171
0000: 0b 00 04 8f 00 04 8c 00 04 89 30 82 04 85 30 82 ..........0...0.
0010: 03 6d a0 03 02 01 02 02 01 00 30 0d 06 09 2a 86 .m........0...*.
0020: 48 86 f7 0d 01 01 04 05 00 30 81 8d 31 0b 30 09 H........0..1.0.
0030: 06 03 55 04 06 13 02 45 53 31 12 30 10 06 03 55 ..U....ES1.0...U
0040: 04 08 14 09 4c 61 20 43 6f 72 75 f1 61 31 12 30 ....La Coru.a1.0
0050: 10 06 03 55 04 07 14 09 4c 61 20 43 6f 72 75 f1 ...U....La Coru.
0060: 61 31 0f 30 0d 06 03 55 04 0a 13 06 46 61 64 65 a1.0...U....Fade
0070: 73 61 31 14 30 12 06 03 55 04 0b 13 0b 69 6e 66 sa1.0...U....inf
0080: 6f 72 6d 61 74 69 63 61 31 11 30 0f 06 03 55 04 ormatica1.0...U.
0090: 03 13 08 6f 70 65 6e 6c 64 61 70 31 1c 30 1a 06 ...openldap1.0..
00a0: 09 2a 86 48 86 f7 0d 01 09 01 16 0d 6e 6f 6e 65 .*.H........none
00b0: 40 66 66 66 66 66 2e 66 66 30 1e 17 0d 30 33 30 @fffff.ff0...030
00c0: 36 31 36 31 31 30 39 32 32 5a 17 0d 30 38 30 36 616110922Z..0806
00d0: 31 34 31 31 30 39 32 32 5a 30 81 8d 31 0b 30 09 14110922Z0..1.0.
00e0: 06 03 55 04 06 13 02 45 53 31 12 30 10 06 03 55 ..U....ES1.0...U
00f0: 04 08 14 09 4c 61 20 43 6f 72 75 f1 61 31 12 30 ....La Coru.a1.0
0100: 10 06 03 55 04 07 14 09 4c 61 20 43 6f 72 75 f1 ...U....La Coru.
0110: 61 31 0f 30 0d 06 03 55 04 0a 13 06 46 61 64 65 a1.0...U....Fade
0120: 73 61 31 14 30 12 06 03 55 04 0b 13 0b 69 6e 66 sa1.0...U....inf
0130: 6f 72 6d 61 74 69 63 61 31 11 30 0f 06 03 55 04 ormatica1.0...U.
0140: 03 13 08 6f 70 65 6e 6c 64 61 70 31 1c 30 1a 06 ...openldap1.0..
0150: 09 2a 86 48 86 f7 0d 01 09 01 16 0d 6e 6f 6e 65 .*.H........none
0160: 40 66 66 66 66 66 2e 66 66 30 82 01 22 30 0d 06 @fffff.ff0.."0..
0170: 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f .*.H............
0180: 00 30 82 01 0a 02 82 01 01 00 d7 38 ea 8e a2 1d .0.........8....
0190: 56 de 38 05 c1 41 1f c5 e1 06 27 28 1b b6 86 56 V.8..A....'(...V
01a0: 7a b2 bf 48 67 80 ab 15 89 61 0c f9 c5 26 1b f9 z..Hg....a...&..
01b0: 07 da cc da c9 f1 64 0a 81 09 c3 6c 1d 26 1b b9 ......d....l.&..
01c0: 35 0c 83 a6 0a 08 ef 02 ef a5 9e 6f 17 23 20 72 5..........o.# r
01d0: 0f e3 62 88 40 f8 55 55 c2 75 7b 1d b3 d8 bf f2 ..b.@.UU.u{.....
01e0: 50 f1 f9 45 d9 fa ca b5 df b2 ed 8a f9 8a 29 c2 P..E..........).
01f0: 48 b5 ad 4e c2 d9 54 55 cf 5a 54 d8 3b f9 3c ea H..N..TU.ZT.;.<.
0200: d2 8d eb 8d d1 45 4c c5 1e 87 9d 35 2a d9 94 fd .....EL....5*...
0210: a9 0d 17 3f ca 15 8d f6 48 80 1b 31 4b 46 99 cd ...?....H..1KF..
0220: e7 93 cb 92 9c 25 22 f5 ab 9a 01 90 20 c6 70 6b .....%"..... .pk
0230: 8d d1 dd 3b 73 f1 7a 9f d8 31 fc b4 4d e8 d9 53 ...;s.z..1..M..S
0240: 1b 45 87 6d 51 4e 40 48 bd 0d b1 a4 3f 51 37 0a .E.mQN@H....?Q7.
0250: f1 0b bb 18 be 02 69 a5 ce 67 85 91 25 3a 44 85 ......i..g..%:D.
0260: bf 6f ee cb cc 44 71 6c 57 99 74 0a 15 ef 7b e7 .o...DqlW.t...{.
0270: 29 79 8a 5a 3b 6e 61 ba 09 7f 73 33 da 31 3d e0 )y.Z;na...s3.1=.
0280: 05 da 32 c9 0c 12 64 1a a1 87 02 03 01 00 01 a3 ..2...d.........
0290: 81 ed 30 81 ea 30 1d 06 03 55 1d 0e 04 16 04 14 ..0..0...U......
02a0: 25 18 ef 9a 09 20 44 11 fc 3a b7 6c 67 7e 80 b4 %.... D..:.lg~..
02b0: 3c 21 ef 64 30 81 ba 06 03 55 1d 23 04 81 b2 30 <!.d0....U.#...0
02c0: 81 af 80 14 25 18 ef 9a 09 20 44 11 fc 3a b7 6c ....%.... D..:.l
02d0: 67 7e 80 b4 3c 21 ef 64 a1 81 93 a4 81 90 30 81 g~..<!.d......0.
02e0: 8d 31 0b 30 09 06 03 55 04 06 13 02 45 53 31 12 .1.0...U....ES1.
02f0: 30 10 06 03 55 04 08 14 09 4c 61 20 43 6f 72 75 0...U....La Coru
0300: f1 61 31 12 30 10 06 03 55 04 07 14 09 4c 61 20 .a1.0...U....La
0310: 43 6f 72 75 f1 61 31 0f 30 0d 06 03 55 04 0a 13 Coru.a1.0...U...
0320: 06 46 61 64 65 73 61 31 14 30 12 06 03 55 04 0b .Fadesa1.0...U..
0330: 13 0b 69 6e 66 6f 72 6d 61 74 69 63 61 31 11 30 ..informatica1.0
0340: 0f 06 03 55 04 03 13 08 6f 70 65 6e 6c 64 61 70 ...U....openldap
0350: 31 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 09 01 16 1.0...*.H.......
0360: 0d 6e 6f 6e 65 40 66 66 66 66 66 2e 66 66 82 01 .none@fffff.ff..
0370: 00 30 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30 .0...U....0....0
0380: 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 82 ...*.H..........
0390: 01 01 00 90 81 6e b2 72 4c 70 2f c4 5a 41 90 70 .....n.rLp/.ZA.p
03a0: 0b 0c 77 d0 18 af e2 a5 13 4f 4b 41 23 87 05 a2 ..w......OKA#...
03b0: 6c f1 d5 8d 84 34 a6 fd 5a c0 93 9f b2 a4 4d 0b l....4..Z.....M.
03c0: d6 fd 7b 28 45 f4 35 b4 a9 2c 29 1f 6a c4 5e 87 ..{(E.5..,).j.^.
03d0: d2 59 e1 75 1d 9f 2b 3d 69 cd d9 da b7 15 03 0d .Y.u..+=i.......
03e0: 2c b4 1d c2 8e a2 45 47 a9 e7 2a 3d 28 22 2b 41 ,.....EG..*=("+A
03f0: 49 25 0e 38 ee 0c 84 b9 e4 1b f8 07 e8 3b 1a 4c I%.8.........;.L
0400: de 68 50 20 fb 2e f0 74 a2 db c2 96 95 65 c1 de .hP ...t.....e..
0410: e8 a2 3d f6 a9 48 9e 1f e4 67 ba 59 e5 9a cb d6 ..=..H...g.Y....
0420: 79 34 7f 4d 9a 8e 4a 66 68 d4 59 6f d7 86 ac 32 y4.M..Jfh.Yo...2
0430: 8c 3c f4 e4 60 a0 3c 6a e3 0c e6 b8 46 b6 1e c6 .<..`.<j....F...
0440: 25 20 04 5a 93 4f c2 90 3c b6 7f 88 08 d1 09 59 % .Z.O..<......Y
0450: e7 a1 a7 b4 04 53 28 5b b2 8f 4d 08 58 d2 c2 37 .....S([..M.X..7
0460: ee 56 ee 23 15 e3 c7 e5 e0 f2 77 cb d9 58 43 53 .V.#......w..XCS
0470: be 18 1a f3 8a 19 5b 36 30 49 3c a4 cb 58 78 fc ......[60I<..Xx.
0480: 9f 92 c1 1d f0 5e d4 e3 da 8f 0c 5a 74 18 27 30 .....^.....Zt.'0
0490: 8d 20 cc . .
TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------