
Re: TLS / SSL



Just a confirmation of what Kent says. I have also tried to put the client 
certificate declaration in ldap.conf and got TLS errors. After putting them in 
/home/username/.ldaprc, everything worked fine.

Another thing about SSL/TLS. I don't know this client, freeradius, either. 
The client "gq", which is excellent, doesn't work with SSL but works very well 
with TLS. Are you sure freeradius works with SSL? Did you try with TLS (port 
389 + some TLS switch)?


On Tuesday, 1 July 2003 at 19:54, Kent Soper wrote:
> TLS_CERT and TLS_KEY don't belong in ldap.conf.  They are user-specific
> directives that go into a file called
> a) ldaprc
> or
> b) .ldaprc
> which is located in either the user's home dir or the current working dir.
> Home dir is usually the best place.
>
> This shouldn't be your problem with TLSVerifyClient not set, but it will be
> a problem in the future if not corrected.
>
> Also, "ssl yes" in the conf files won't turn on SSL.  All you have to do is
> access ldaps://your.server and port 636 is the default ldaps:// port.
>
> Do you have more than one slapd.conf or ldap.conf that can be the problem?
> If you are changing conf files, restarting the server, and not seeing
> different debug output, then I'd locate all of the LDAP conf files and
> verify the correct ones are being altered.  A PAM ldap.conf (usually
> /etc/ldap.conf) can cause many OpenLDAP problems when it's mistaken for the
> OpenLDAP ldap.conf file.
>
> Sorry, that I don't have more info for you.
>
> Cheers,
> Kent Soper
>
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> phone:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
>
>
>
>
>
> From: "Ron Wahler" <ron@rovingplanet.com>
> To: Kent Soper/Austin/IBM@IBMUS
> Subject: RE: TLS / SSL
> Date: 07/01/2003 12:29 PM
>
> Thanks Kent, thanks for the help.
> I modified the files to be this but still don't connect.
>
> slapd.conf
>
>
> ssl yes
> port 636
> TLSCipherSuite          HIGH:MEDIUM:+SSLv3
> TLSCertificateFile      /opt/LocalCA/server_crt.pem
> TLSCertificateKeyFile   /opt/LocalCA/server_key.pem
> TLSCACertificateFile    /opt/LocalCA/cacert.pem
> #TLSVerifyClient         never
>
>
>
> ldap.conf
>
> ssl yes
> port 636
> ssl             start_tls
> TLS_CACERT  /opt/LocalCA/cacert.pem
> TLS_CERT    /opt/LocalCA/server_crt.pem
> TLS_KEY    /opt/LocalCA/server_key.pem
> #TLS_REQCERT demand
>
> I also tried commenting out TLS_CACERT TLS_CERT and TLS_KEY with the
> same result...
>
>
> Ron.
>
>
> SERVER:
>
>
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN error=49 id=0
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> ber_get_next
> TLS trace: SSL3 alert read:warning:close notify
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> TLS trace: SSL3 alert write:warning:close notify
>
> > -----Original Message-----
> > From: Kent Soper [mailto:dksoper@us.ibm.com]
> > Sent: Tuesday, July 01, 2003 11:12 AM
> > To: Ron Wahler
> > Cc: openldap-software@OpenLDAP.org
> > Subject: RE: TLS / SSL
> >
> >
> >
> >
> >
> > Hi Ron,
> >
> > Have you tried using only server-side authentication first (no client
> > cert)?  If you can get that working, then adding client certs to an ldaprc
> > would be the next step.
> >
> > In slapd.conf, try using only these directives:
> > TLSCipherSuite  <settings>
> > TLSCertificateFile  <server cert>
> > TLSCACertificateFile <ca cert>
> > (no TLSVerifyClient directive)
> >
> > In ldap.conf:
> > Nothing or "TLS_REQCERT  demand" which is the default.
> > You don't need a client CA cert for TLS/SSL, but you can have it listed
> > too.
> >
> > After success you can add client auth entries to slapd.conf and ldaprc
> > (see man pages for *.conf or the document Pierre pointed you to).
> >
> > I don't know much about your setup, so please pardon me if this is a
> > Netscape or other issue that I'm not aware of.
> >
> > Cheers,
> > Kent Soper
> >
> > "You don't stop playing because you grow old ...
> >        you grow old because you stop playing."
> >
> > Linux Technology Center, Linux Security
> > phone:  1-512-838-9216
> > e-mail:  dksoper@us.ibm.com
> >
> >
> >
> >
> >
> > From: "Ron Wahler" <ron@rovingplanet.com>
> > Sent by: owner-openldap-software@OpenLDAP.org
> > To: <freeradius-users@lists.cistron.nl>, "Lawrence, Mike (White Plains)"
> > <Mike.Lawrence@starwoodhotels.com>, <openldap-software@OpenLDAP.org>
> > Subject: RE: TLS / SSL
> > Date: 07/01/2003 11:46 AM
> >
> > I also get this when I allow SSLv3 on the ldap side
> >
> > ldap_pvt_gethostbyname_a: host=fido, r=0
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ber_scanf fmt (m) ber:
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > TLS trace: SSL_accept:SSLv3 flush data
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_read(13): unable to get TLS client DN error=49 id=0
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > ber_get_next
> > TLS trace: SSL3 alert read:warning:close notify
> > ber_get_next on fd 13 failed errno=0 (Success)
> > connection_read(13): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=13 for close
> > connection_close: conn=0 sd=13
> > TLS trace: SSL3 alert write:warning:close notify
> >
> > > -----Original Message-----
> > > From: Ron Wahler
> > > Sent: Tuesday, July 01, 2003 10:30 AM
> > > To: Lawrence, Mike (White Plains); freeradius-users@lists.cistron.nl;
> > > openldap-software@OpenLDAP.org
> > > Subject: RE: TLS / SSL
> > >
> > >
> > >
> > > Getting this but the client can't connect at port 636
> > >
> > > CLIENT
> > > m_ldap: setting TLS mode to 1
> > > rlm_ldap: bind as cn=Manager,dc=fido,dc=com/secret to 10.0.0.94:636
> > > rlm_ldap: cn=Manager,dc=fido,dc=com bind to 10.0.0.94:636 failed: Can't
> > > contact LDAP server
> > > rlm_ldap: (re)connection attempt failed
> > >
> > >
> > >
> > > SERVER:
> > >
> > > ldap_pvt_gethostbyname_a: host=fido, r=0
> > > put_filter: "(objectclass=*)"
> > > put_filter: simple
> > > put_simple_filter: "objectclass=*"
> > > ber_scanf fmt (m) ber:
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:before/accept initialization
> > > TLS trace: SSL_accept:SSLv3 read client hello A
> > > TLS trace: SSL_accept:SSLv3 write server hello A
> > > TLS trace: SSL_accept:SSLv3 write certificate A
> > > TLS trace: SSL_accept:SSLv3 write server done A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > TLS trace: SSL_accept:SSLv3 read finished A
> > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > TLS trace: SSL_accept:SSLv3 write finished A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > ber_get_next
> > > TLS trace: SSL3 alert read:warning:close notify
> > > ber_get_next on fd 13 failed errno=0 (Success)
> > > connection_read(13): input error=-2 id=0, closing.
> > > connection_closing: readying conn=0 sd=13 for close
> > > connection_close: conn=0 sd=13
> > > TLS trace: SSL3 alert write:warning:close notify
> > >
> > > > -----Original Message-----
> > > > From: Lawrence, Mike (White Plains)
> > > > [mailto:Mike.Lawrence@starwoodhotels.com]
> > > > Sent: Tuesday, July 01, 2003 9:01 AM
> > > > To: Ron Wahler
> > > > Subject: RE: TLS / SSL
> > > >
> > > >
> > > > Hi Ron - I see that error as well and what it means is that
> > > > the server was unable to get a client certificate.  It doesn't
> > > > need one to do ssl/tls, but it will still give the error if
> > > > it doesn't have one, so it's basically a noise error and not
> > > > a big deal unless you do have a client cert and are trying to
> > > > use it.
> > > >
> > > > -----Original Message-----
> > > > From: Ron Wahler [mailto:ron@rovingplanet.com]
> > > > Sent: Monday, June 30, 2003 4:01 PM
> > > > To: openldap-software@OpenLDAP.org
> > > > Subject: TLS / SSL
> > > >
> > > >
> > > >
> > > > I am getting the following error when trying to connect
> > > > From FreeRadius to OpenLDAP on SSL port 636.  Is there
> > > > Something here I can look at in the configuration files?
> > > >
> > > > Ron.
> > > >
> > > >
> > > >
> > > > connection_get(13): got connid=0
> > > > connection_read(13): checking for input on id=0
> > > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > > TLS trace: SSL_accept:SSLv3 read finished A
> > > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > > TLS trace: SSL_accept:SSLv3 write finished A
> > > > TLS trace: SSL_accept:SSLv3 flush data
> > > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > > connection_get(13): got connid=0
> > > > connection_read(13): checking for input on id=0
> > > > ber_get_next
> > > > TLS trace: SSL3 alert read:warning:close notify
> > > > ber_get_next on fd 13 failed errno=0 (Success)
> > > > connection_read(13): input error=-2 id=0, closing.
> > > > connection_closing: readying conn=0 sd=13 for close
> > > > connection_close: conn=0 sd=13
> > > > TLS trace: SSL3 alert write:warning:close notify
> > > >
> > > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
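As an added example (not from the thread or any of its participants), this is the file split Kent describes and the top poster confirms: server material in slapd.conf, only the CA and verification policy in the OpenLDAP ldap.conf, and the per-user client cert in ~/.ldaprc. Paths reuse the /opt/LocalCA ones from Ron's messages; the client_crt/client_key filenames and the /etc/openldap location are assumptions.

```conf
## /etc/openldap/slapd.conf  (server side; get this working alone first)
# Cipher list: the thread used HIGH:MEDIUM:+SSLv3, but SSLv3 is left out here.
TLSCipherSuite          HIGH:MEDIUM
TLSCertificateFile      /opt/LocalCA/server_crt.pem
TLSCertificateKeyFile   /opt/LocalCA/server_key.pem
TLSCACertificateFile    /opt/LocalCA/cacert.pem
# No TLSVerifyClient yet. Add "TLSVerifyClient demand" only after
# server-only TLS works and a client certificate is actually deployed;
# "unable to get TLS client DN" with no client cert is just noise.

## /etc/openldap/ldap.conf  (OpenLDAP library client defaults, system-wide)
# Only the CA that signed the server certificate, plus the policy.
# "ssl yes", "port 636" and "ssl start_tls" are pam_ldap/nss_ldap
# directives for the PAM /etc/ldap.conf; the OpenLDAP library ignores them,
# and the server's cert/key do not belong in a client file at all.
TLS_CACERT   /opt/LocalCA/cacert.pem
TLS_REQCERT  demand

## ~/.ldaprc  (per user; only needed once client-cert auth is wanted)
# These are user-specific and are ignored if placed in ldap.conf.
# Assumed filenames: a client certificate and key, not the server's.
TLS_CERT  /opt/LocalCA/client_crt.pem
TLS_KEY   /opt/LocalCA/client_key.pem
```

Check the server-only step with `ldapsearch -x -H ldaps://your.server:636 -b '' -s base` (ldaps:// selects port 636 by itself) or with `ldapsearch -x -ZZ -H ldap://your.server` for StartTLS on 389; only after one of those succeeds is the ~/.ldaprc part worth adding.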