
Re: how to get TLS working

See comments below ... probably won't solve your problem, but I have a few
ideas ...

> I'll check out that document. In the mean time, here's
> the info on what I'm doing:

> I have my own LDAP client tool, which I wrote using
> the OpenLDAP library and based off of ldapsearch. I've
> been using the tool for a long time, particularly with
> SASL/GSSAPI support, but recently needed to get TLS
> working too.

I'm struggling with the "black art" of SASL right now.  I got the TLS/SSL
part of my server working first.

> I have an LDAP server which my IT admin claims
> supports TLS. In the ldap.conf file of the server, I
> see these lines:
>
>  BASE    dc=mega, dc=com
>  URI     ldap://doc.mega.com ldaps://doc.mega.com:636/
>  TLS_REQCERT allow
>  TLS_CACERT /etc/ssl/openldap/newcert.pem
>
>  ssl start_tls

This is your client configuration file and not the server conf file
(slapd.conf).  Does "ssl start_tls" work?  I couldn't get that to work for
me.  I use ldap_start_tls_s() inside my apps or -ZZ on the command line for
TLS.

> When I use my client to ldap_init to the server on
> port 636, the server closes the TCP connection
> immediately. When I try on port 389 and call
> ldap_start_tls_s() (after calling ldap_init), I see on
> the network that my client sends some type of LDAP
> extended request to the server. The server then
> responds with several packets of data. That's when I
> get the error I mentioned in my last posting.

Little known fact:  Use ldap_init() for TLS and ldap_initialize() for SSL.
The functions have very different parameters that can be seen in the
tools/clients/ dir.
Never use ldap_start_tls_s() for SSL ports.  The SSL connection is already
using TLS.  It's like turning your car's ignition key when it's already
running and you get that nice grinding screech from the starter.

> I also tried copying the newcert.pem file from my LDAP
> server onto my client, and pointing my client to it by
> performing a ldap_set_option(NULL,
> LDAP_OPT_X_TLS_CACERTFILE,
> "/etc/ssl/openldap/newcert.pem");
> but that didn't change anything.

You can let OpenLDAP manage the certs using the TLS* directives in
slapd.conf and ldap.conf.  If using client authentication, you'll have to
put the client cert info into ldaprc (user home dir) and not ldap.conf (see
the how-to doc).


> I'm new to SSL and TLS. I'll try to read up on it now,
> but if anyone has any ideas, I'd appreciate the help.
> I'm trying to get this to work on a deadline.

Use the how-to doc.  It's long but the content is mostly example output.
Detailed too so you shouldn't have too many head scratching opportunities.
:)

> Thanks!
> Dave

You're welcome!  I'm not an OpenLDAP expert so I don't know how to
integrate TLS into your SASL/GSSAPI setup, but I hope I've helped in some
way.

> --- Kent Soper <dksoper@us.ibm.com> wrote:
>
> Dave,
>
> I don't have all of your facts, so you could have run into one of many
> problems.  What are your slapd.conf and ldap.conf (or ldaprc) entries?
> Are you connected to an SSL LDAP port (ldaps://) and trying to call
> ldap_start_tls_s()?  I believe that results in a "broken pipe" error so
> you probably don't have that problem.
>
> You can look at
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
> and double check your configuration steps.
>
> Cheers,
> Kent
>
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> tie line:     678-9216
> external:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
>
> Dave Snoopy <kingsnoopy7@yahoo.com>
> Sent by: owner-openldap-software@OpenLDAP.org
> To: openldap <openldap-software@OpenLDAP.org>
> cc:
> Subject: how to get TLS working
> 06/19/2003 12:52 PM
>
> According to my IT manager, our OpenLDAP server supports TLS. I'm trying
> to get my LDAP client to work with it. I call the function
> ldap_start_tls_s, and it fails with error LDAP_CONNECT_ERROR (0x5b).
>
> I traced the problem down to tls_info_cb in tls.c.  It gets a callback
> from SSL_connect in the SSL_CB_EXIT state, with a "ret" of -1. The SSL
> error at that point is:
>
>   TLS trace: SSL_connect:error in SSLv3 read server certificate B
>   TLS trace: SSL_connect:error in SSLv3 read server certificate B
>
> Any idea what this means? Am I missing some type of setup, or
> intermediary step?
>
> Thanks,
> Dave
>

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
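Added example for this archive page (written here, not code from Kent, Dave or the OpenLDAP project): a libldap client that takes the URI list exactly as the quoted ldap.conf gives it, classifies the scheme, and calls ldap_start_tls_s() only for ldap:// URIs, so StartTLS is never sent over an ldaps:// connection that already negotiated TLS on connect. The quoted URI line mixes both schemes; the example refuses such a list rather than guess which one libldap will reach. It also sets LDAP_OPT_X_TLS_REQUIRE_CERT to LDAP_OPT_X_TLS_DEMAND, where the quoted config uses TLS_REQCERT allow, so a server certificate that does not chain to the configured CA fails the handshake instead of being accepted. The host doc.mega.com and the CA path /etc/ssl/openldap/newcert.pem are taken from the quoted config and are placeholders to replace; the __has_include guard is an assumption of a GCC- or clang-compatible preprocessor so the classifier compiles even where ldap.h is absent.

```c
/* Added example, not from the mailing-list post or from OpenLDAP.
 * Build with libldap:  cc -o tlsconn tlsconn.c -lldap -llber
 * Without ldap.h installed only the URI-list classifier is built. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum tls_mode {
    TLS_MODE_STARTTLS,  /* every URI is ldap://  -> connect, then StartTLS */
    TLS_MODE_LDAPS,     /* every URI is ldaps:// -> TLS on connect, no StartTLS */
    TLS_MODE_MIXED,     /* both schemes listed: cannot know which one wins */
    TLS_MODE_UNKNOWN    /* empty list, or a scheme other than ldap/ldaps */
};

/* Classify a whitespace-separated URI list (the URI line of ldap.conf,
 * the same form ldap_initialize() accepts).  Plain C, no libldap needed. */
enum tls_mode classify_uris(const char *uri_list)
{
    int n_ldap = 0, n_ldaps = 0, n_other = 0;
    const char *p = uri_list;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t') p++;          /* skip separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t') p++;
        size_t len = (size_t)(p - start);
        if (len >= 8 && strncasecmp(start, "ldaps://", 8) == 0)
            n_ldaps++;
        else if (len >= 7 && strncasecmp(start, "ldap://", 7) == 0)
            n_ldap++;
        else
            n_other++;
    }
    if (n_other > 0 || (n_ldap == 0 && n_ldaps == 0)) return TLS_MODE_UNKNOWN;
    if (n_ldap > 0 && n_ldaps > 0) return TLS_MODE_MIXED;
    return n_ldaps > 0 ? TLS_MODE_LDAPS : TLS_MODE_STARTTLS;
}

#if defined(__has_include)
#  if __has_include(<ldap.h>)
#    define HAVE_LDAP_H 1
#  endif
#endif

#ifdef HAVE_LDAP_H
#include <ldap.h>

/* Open a TLS-protected LDAP handle.  cacert_file is the CA that signed the
 * server certificate (TLS_CACERT in ldap.conf).  Returns NULL on failure. */
LDAP *ldap_connect_tls(const char *uri_list, const char *cacert_file)
{
    LDAP *ld = NULL;
    int rc, version = LDAP_VERSION3, reqcert = LDAP_OPT_X_TLS_DEMAND;
    enum tls_mode mode = classify_uris(uri_list);

    if (mode != TLS_MODE_STARTTLS && mode != TLS_MODE_LDAPS) {
        fprintf(stderr, "refusing ambiguous URI list: %s\n", uri_list);
        return NULL;
    }
    /* Global TLS options (ld == NULL) must be set before the handle exists.
     * DEMAND fails the handshake on an unverifiable server certificate. */
    if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, cacert_file) != LDAP_OPT_SUCCESS ||
        ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert) != LDAP_OPT_SUCCESS) {
        fprintf(stderr, "cannot set global TLS options\n");
        return NULL;
    }
    rc = ldap_initialize(&ld, uri_list);
    if (rc != LDAP_SUCCESS) {
        fprintf(stderr, "ldap_initialize: %s\n", ldap_err2string(rc));
        return NULL;
    }
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    if (mode == TLS_MODE_STARTTLS) {            /* the extended request seen on the wire */
        rc = ldap_start_tls_s(ld, NULL, NULL);
        if (rc != LDAP_SUCCESS) {
            fprintf(stderr, "ldap_start_tls_s: %s\n", ldap_err2string(rc));
            ldap_unbind_ext_s(ld, NULL, NULL);
            return NULL;
        }
    }
    return ld;
}
#endif /* HAVE_LDAP_H */

int main(int argc, char **argv)
{
    const char *uris = argc > 1 ? argv[1] : "ldap://doc.mega.com";   /* placeholder host */
    static const char *names[] = { "starttls", "ldaps", "mixed", "unknown" };
    printf("%s -> %s\n", uris, names[classify_uris(uris)]);
#ifdef HAVE_LDAP_H
    LDAP *ld = ldap_connect_tls(uris, "/etc/ssl/openldap/newcert.pem"); /* placeholder CA path */
    if (ld == NULL) return 1;
    puts("TLS session established");
    ldap_unbind_ext_s(ld, NULL, NULL);
#endif
    return 0;
}
```

Run it as `./tlsconn "ldap://doc.mega.com"` to get the StartTLS path and `./tlsconn "ldaps://doc.mega.com:636/"` for the LDAPS path; with `ldap_connect_tls()` returning NULL the stderr line names the stage that failed, which separates a certificate-chain problem (fails in the handshake) from sending StartTLS on the wrong port (refused before any connection is made).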