[Date Prev][Date Next] [Chronological] [Thread] [Top]

ssl client probleme?



  Hi All!

I have a probleme with SSL.  My original destination was to
set up a secure openldap service.  Now I can make a slapd,
that listens on tcp/636 using ldaps without stunnel, but
how can I try it out??


host# ldapsearch -vvv -ZZ -x -h localhost -p 636 -b "dc=matav, dc=hu" 'objectclass=*'
ldap_init( localhost, 636 )
ldap_start_tls: Can't contact LDAP server (81)
host# _

  or


using stunnel on 636 to 389:
host# ldapsearch -vvv -H 'ldaps://localhost/' -b "dc=matav, dc=hu" 'objectclass=*'
ldap_initialize( ldaps://localhost/ )
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
host# _


using  slapd -h 'ldaps://...'
host# ldapsearch -vvv -H 'ldaps://localhost/' -b "dc=matav, dc=hu" 'objectclass=*'
ldap_initialize( ldaps://localhost/ )
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
host# _


As I can see, ldapsearch -Z does not use SSL.  (Yes, it is
compiled with --with-tls option and OpenSSL.)  But lets have
a look at netcat/s output:

host# ldapsearch -x -h localhost -p 666 -b "..." '(objectClass=*)'
...
host# nc -l -p 666
0
 a```a`bc

This is a non encrypted search, and this one is with -Z:

host# ldapsearch -Z -x -h localhost -p 666 -b "..." '(objectClass=*)'
...
host# nc -l -p 666
0|a``wwu1.3.6.1.4.1.1466.20037

As I can see, this is not an ssl handshake. :(  Lets try another
trick!

host# stunnel -d 777 -r localhost:666 -p /usr/local/etc/openldap/server.pem
host# nc -l -p 666 > XX
...
host# ldapsearch -Z -x -h localhost -p 777 -b "..." '(obejctClass=*)'

XX will be an empty file. :(

      ---- o ----


I have more questions:

 - How can I make ldapsearch to use ssl?  Is there any other ldap
	client, that can use ssl?  (source url?)
	
 - Which solution seems better:  compile slapd to have tls support,
	or use stunnel?  I think stunnel is better, because slapd
	is more simple to (re)compile, no linking with openssl and
	cyrus sasl, and it's easier to replace stunnel without
	stopping slapd.

 - If I start up a slapd listening on ldap and ldaps ports, and I can
	use it without ssl, and openssl s_client -connect host:636
	seems to work fine, can I say, that slapd works with ssl?

	How can I verify my servers ssl capabilities?  It listens
	on port 636, but is it working?


Thanks,
Sanyi