
Re: SSL/TLS - Help Please



Hi,

First of all, I want to thank you, Siva, for trying to help me.

Here is the whole debug trace (it doesn't give more information about the problem):

daemon: activity on 1 descriptors
daemon: new connection on 13
conn=1 fd=13 ACCEPT from IP=127.0.0.1:33901 (IP=0.0.0.0:636)
daemon: added 13r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=1
connection_read(13): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
 
TLS: can't accept.
connection_read(13): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=13 for close
connection_close: conn=1 sd=13
daemon: removing 13
conn=1 fd=13 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL



I tried this command (in the slapd.conf I put: TLSVerifyClient never)
> openssl s_client -connect estagio:636 -showcerts -state -CAfile /var/myca/cacert.pem

and everything is OK.


Then I tried this one (in the slapd.conf I put: TLSVerifyClient demand)
> openssl s_client -connect estagio:636 -showcerts -state -CAfile /var/myca/cacert.pem -cert /home/miguel/client.pem -key /home/miguel/Client.key.pem

and everything is OK.

I think the error should be in my client's configuration, but I don't know exactly where.

Here are, one more time, my client's configuration files:

My ldap.conf (in /etc/openldap):
...
HOST estagio
PORT 636
TLS_CACERT  /var/myca/cacert.pem


My .ldaprc (in my user's home)
...
TLS_CERT /home/miguel/client.pem
TLS_KEY /home/miguel/client.key.pem
TLS_REQCERT demand


I don't know what to do. Any ideas?


Siva Kollipara wrote:
tls_read: want=11, got=0

indicates that TLS was expecting 11 bytes but instead got 0 bytes.
can u include the whole debug trace?

Siva

On Mon, 26 Jan 2004, Miguel Baptista wrote:

Hi,

I tried to start my server with the "-d -1" option.

In the client I got this message:
    "ldap_start_tls: Can't contact LDAP server (81)"


This is the error message I got in the server:

"TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0

TLS: can't accept.
connection_read(13): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=13 for close
connection_close: conn=1 sd=13
daemon: removing 13
conn=1 fd=13 closed"

It looks like TLS is expecting the value 11 and is getting the value 0.

I looked in the OpenLDAP archive and in Google but I don't know what may
be causing this error.

Any idea? Can someone help me, or give some directions?

Best Regards


Siva Kollipara wrote:

On Fri, 23 Jan 2004, Miguel Baptista wrote:
can u give more detail on the error information.

try using -d -1 on ur ldapsearch; that should give more detailed info.

i assume u have installed ldap with ssl support (and the correct path to
ssl libraries); also check if ur server has permission to read
the CA certs (server as root should be ok)

best bet: try with -d -1 and that should be sufficient to find out the
reason.

lemme know if this helps,
siva



I'm using OpenLDAP v2.1.22 and OpenSSL 0.9.7b

I start my server with this command line:
/usr/local/libexec/slapd -d9 -h "ldap:/// ldaps:///"



PORT 636
TLS_CACERT  /var/myca/estagio/cacert.pem
TLS_REQCERT demand




My .ldaprc (in my user's home)

TLS_REQCERT demand

# client authentication
TLS_CERT /home/miguel/client.pem
TLS_KEY /home/miguel/client.key.pem


When I try this:
ldapsearch -x -D "cn=Manager,dc=uminho,dc=pt" '(objectclass=*)' -H ldaps://estagio -W

I got this error (in the LDAP server):
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(13): TLS accept error error=-1 id=4, closing


and with this:
ldapsearch -x -D "cn=Manager,dc=uminho,dc=pt" '(objectclass=*)' -H ldaps://estagio -w "secret" -ZZ

I got the same error.


I tried the testing commands (from the how-to), and everything seems OK:
openssl s_client -connect myserver.com:636 ...


Can anyone help? Am I forgetting something? I've read something about the
environment variable LDAPNOINIT; is this necessary?

Best Regards
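An added example, not part of this thread or of OpenLDAP itself, that does two things the posts above do by hand: it summarises a `slapd -d -1` trace per connection (flagging the `tls_read: want=11, got=0` case, where the client closed the socket before sending any TLS record, so the handshake never reached slapd's side), and it performs the same LDAPS handshake check as the `openssl s_client -CAfile ... -cert ... -key ...` commands, using Python's standard `ssl` module. Hostname, port and file paths in `ldaps_handshake` are placeholders the caller supplies; the embedded trace is copied from the thread as constructed sample input.

```python
import re
import socket
import ssl

# Constructed sample: the relevant lines of the slapd -d -1 trace from the thread.
SAMPLE_TRACE = """\
conn=1 fd=13 ACCEPT from IP=127.0.0.1:33901 (IP=0.0.0.0:636)
connection_read(13): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
TLS: can't accept.
connection_read(13): TLS accept error error=-1 id=1, closing
conn=1 fd=13 closed
"""

ACCEPT_RE = re.compile(r"^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)")
READ_RE = re.compile(r"^tls_read: want=(\d+), got=(\d+)")
ERR_RE = re.compile(r"^connection_read\(\d+\): TLS accept error .*\bid=(\d+)")


def summarize_slapd_trace(text):
    """Return {conn_id: summary} for every accepted connection in a slapd debug trace.

    got=0 on the very first tls_read means the peer hung up before sending a
    single TLS byte: the problem is on the client side (or in between), not in
    slapd's certificate or key configuration.
    """
    conns, current = {}, None
    for line in text.splitlines():
        if m := ACCEPT_RE.match(line):
            current = m.group(1)
            conns[current] = {"peer": m.group(2), "want": None, "got": None, "status": "open"}
        elif (m := READ_RE.match(line)) and current:
            conns[current]["want"], conns[current]["got"] = int(m.group(1)), int(m.group(2))
            if conns[current]["got"] == 0:
                conns[current]["status"] = "client closed before sending TLS data"
        elif (m := ERR_RE.match(line)) and m.group(1) in conns:
            if conns[m.group(1)]["status"] == "open":
                conns[m.group(1)]["status"] = "TLS accept failed"
    return conns


def ldaps_handshake(host, port=636, cafile=None, certfile=None, keyfile=None):
    """Verify the server against cafile and present a client cert if asked (ldaps://
    is TLS from the first byte; there is no StartTLS step on port 636)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)        # needed when TLSVerifyClient demand
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "subject": tls.getpeercert().get("subject")}
```

Run `summarize_slapd_trace` over a full `-d -1` capture to see, per connection, whether slapd ever received a ClientHello; a hostname or chain failure from `ldaps_handshake` reproduces what the client side refuses before slapd sees any data.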