RE: TLS / SSL

You are connecting.  "Unable to read TLS client DN error = 49"  is probably
one of those errors that really isn't an error.  (I never claimed to be a
TLS/SSL expert!)  Maybe it just means that client auth is not being
utilized.  Kurt or Howard would know more about your error.

Does the server shut down on its own or do you do it?

Cheers,
Kent
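
Added example, not from the thread: a small Python triage of the slapd "TLS trace" output quoted below. It takes the line sequence Ron posted (condensed into a constructed sample) and reports whether the handshake finished, whether a client certificate was presented (the cause of the error=49 line Kent and Mike call noise), and which side sent close_notify; the function names and regexes are mine.

```python
"""Triage of slapd 'TLS trace' debug output: did the handshake finish, was a
client certificate presented, and which side closed the connection."""
import re

# Constructed sample, condensed from the slapd log Ron quoted in this thread.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(13): unable to get TLS client DN error=49 id=0
TLS trace: SSL3 alert read:warning:close notify
connection_read(13): input error=-2 id=0, closing.
"""

HANDSHAKE_DONE = re.compile(r"SSL_accept:SSLv3 write finished A")
NO_CLIENT_DN = re.compile(r"unable to get TLS client DN error=49")
PEER_CLOSE_NOTIFY = re.compile(r"SSL3 alert read:warning:close notify")
FATAL_ALERT = re.compile(r"SSL3 alert (read|write):fatal:(.+)$")

def triage(trace: str) -> dict:
    """Reduce one connection's trace lines to a small verdict dict."""
    verdict = {"handshake_ok": False, "client_cert": True,
               "closed_by": "unknown", "fatal_alert": None}
    for line in trace.splitlines():
        if HANDSHAKE_DONE.search(line):
            verdict["handshake_ok"] = True   # server sent its Finished
        elif NO_CLIENT_DN.search(line):
            verdict["client_cert"] = False   # no cert to take a DN from
        elif PEER_CLOSE_NOTIFY.search(line):
            verdict["closed_by"] = "client"  # peer sent close_notify
        else:
            m = FATAL_ALERT.search(line)
            if m:
                verdict["fatal_alert"] = m.group(2)
                verdict["closed_by"] = "server" if m.group(1) == "write" else "client"
    return verdict

def explain(verdict: dict) -> str:
    """One-line diagnosis; 'error in ... read client certificate' lines are
    waiting-for-input retries (the trace progresses afterwards), so ignored."""
    if verdict["fatal_alert"]:
        return f"TLS failed: fatal alert {verdict['fatal_alert']}"
    if not verdict["handshake_ok"]:
        return "handshake did not complete"
    if not verdict["client_cert"]:
        return ("handshake completed without a client certificate; error=49 "
                f"is informational, connection closed by {verdict['closed_by']}")
    return "handshake completed with a client certificate"
```

On Ron's trace this reports a completed handshake, no client certificate and a close initiated by the client, which is the reading Kent and Mike give in this thread.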


"Ron Wahler" <ron@rovingplanet.com>
Sent by: owner-openldap-software@OpenLDAP.org
To: <openldap-software@OpenLDAP.org>
Subject: RE: TLS / SSL
07/01/2003 12:36 PM

thanks for the help.
I modified the files to be this but still don't connect.

slapd.conf

ssl yes
port 636
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /opt/LocalCA/server_crt.pem
TLSCertificateKeyFile   /opt/LocalCA/server_key.pem
TLSCACertificateFile    /opt/LocalCA/cacert.pem
#TLSVerifyClient         never
ldap.conf

ssl yes
port 636
ssl             start_tls
TLS_CACERT  /opt/LocalCA/cacert.pem
TLS_CERT    /opt/LocalCA/server_crt.pem
TLS_KEY    /opt/LocalCA/server_key.pem
#TLS_REQCERT demand

I also tried commenting out TLS_CACERT, TLS_CERT and TLS_KEY with the
same result...


Ron.

Ron wrote:
> I also get this when I allow SSLv3 on the ldap side
>
> ldap_pvt_gethostbyname_a: host=fido, r=0
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ber_scanf fmt (m) ber:
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN error=49 id=0
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> ber_get_next
> TLS trace: SSL3 alert read:warning:close notify
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> TLS trace: SSL3 alert write:warning:close notify
>
>
>
>
> > -----Original Message-----
> > From: Ron Wahler
> > Sent: Tuesday, July 01, 2003 10:30 AM
> > To: Lawrence, Mike (White Plains); freeradius-users@lists.cistron.nl;
> > openldap-software@OpenLDAP.org
> > Subject: RE: TLS / SSL
> >
> >
> >
> > Getting this but the client can't connect at port 636
> >
> > CLIENT
> > m_ldap: setting TLS mode to 1
> > rlm_ldap: bind as cn=Manager,dc=fido,dc=com/secret to 10.0.0.94:636
> > rlm_ldap: cn=Manager,dc=fido,dc=com bind to 10.0.0.94:636 failed: Can't
> > contact LDAP server
> > rlm_ldap: (re)connection attempt failed
> >
> >
> >
> > SERVER:
> >
> > ldap_pvt_gethostbyname_a: host=fido, r=0
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ber_scanf fmt (m) ber:
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > TLS trace: SSL_accept:SSLv3 flush data
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_read(13): unable to get TLS client DN error=49 id=0
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > ber_get_next
> > TLS trace: SSL3 alert read:warning:close notify
> > ber_get_next on fd 13 failed errno=0 (Success)
> > connection_read(13): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=13 for close
> > connection_close: conn=0 sd=13
> > TLS trace: SSL3 alert write:warning:close notify
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Lawrence, Mike (White Plains)
> > > [mailto:Mike.Lawrence@starwoodhotels.com]
> > > Sent: Tuesday, July 01, 2003 9:01 AM
> > > To: Ron Wahler
> > > Subject: RE: TLS / SSL
> > >
> > >
> > > Hi Ron - I see that error as well and what it means is that
> > > the server was unable to get a client certificate.  It doesn't
> > > need one to do ssl/tls, but it will still give the error if
> > > it doesn't have one, so it's basically a noise error and not
> > > a big deal unless you do have a client cert and are trying to
> > > use it.
> > >
> > > -----Original Message-----
> > > From: Ron Wahler [mailto:ron@rovingplanet.com]
> > > Sent: Monday, June 30, 2003 4:01 PM
> > > To: openldap-software@OpenLDAP.org
> > > Subject: TLS / SSL
> > >
> > >
> > >
> > > I am getting the following error when trying to connect
> > > from FreeRadius to OpenLDAP on SSL port 636.  Is there
> > > something here I can look at in the configuration files?
> > >
> > > Ron.
> > >
> > >
> > >
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > TLS trace: SSL_accept:SSLv3 read finished A
> > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > TLS trace: SSL_accept:SSLv3 write finished A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > ber_get_next
> > > TLS trace: SSL3 alert read:warning:close notify
> > > ber_get_next on fd 13 failed errno=0 (Success)
> > > connection_read(13): input error=-2 id=0, closing.
> > > connection_closing: readying conn=0 sd=13 for close
> > > connection_close: conn=0 sd=13
> > > TLS trace: SSL3 alert write:warning:close notify
> > >
> > >