TLS still not working properly.
Hi Turbo, good morning (CEST) list!
Thanks for your advice. Unfortunately it did not help.
>Try double Z's (ldapsearch -ZZ) instead. If there's something
>wrong, ldapsearch will fail. In your case, it will continue
>even if there's something wrong...
The extra Z changed nothing. It's still the same output.
The HOWTO says:
"The single "-Z" flag tries to enable TLS and will proceed without using
encrypted connections if the TLS handshake fails."
That confuses me. If TLS fails it should show me the same result I can see
with the normal search command, shouldn't it?
>The client needs to know about the CA cert. Either in the
>global LDAP client config or the user ldaprc.
>TLS_CACERT /etc/ldap/cacert.pem
It was already in the ldap.conf and I put it in the user's ldaprc as well.
Alas, nothing.
All the following tests are done on localhost since my next step will be
remote connections with TLS (hopefully).
/var/log/debug.log after a request:
Jun 30 10:56:02 ldap slapd[4339]: conn=10 fd=12 ACCEPT from
IP=192.168.1.22:49183 (IP=0.0.0.0:389)
Jun 30 10:56:02 ldap slapd[4339]: conn=10 op=1 BIND dn="" method=128
Jun 30 10:56:02 ldap slapd[4339]: conn=10 op=1 RESULT tag=97 err=0 text=
Jun 30 10:56:02 ldap slapd[4339]: conn=10 op=2 UNBIND
Jun 30 10:56:02 ldap slapd[4339]: conn=10 fd=12 closed
slapd -d 256 shows the same. That's nothing unusual, is it?
Next I did this:
bash-2.05b$ openssl s_client -connect localhost:389 -showcerts -state
-CAfile /etc/ssl/openldap/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
7119:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:/usr/src/crypto/openssl/ssl/s23_lib.c:226:
The server, invoked with ldap# /usr/local/libexec/slapd -d9 -h "ldap:///
ldaps:///", shows me:
daemon: new connection on 14
daemon: added 14r
daemon: activity on:
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: select: listen=11 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14): got connid=0
connection_read(14): checking for input on id=0
ber_get_next
ber_get_next on fd 14 failed errno=34 (Result too large)
connection_read(14): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=14 for close
connection_close: conn=0 sd=14
daemon: removing 14
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: select: listen=11 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
Another test according to the openldap-TLS-howto looks ok.
openssl s_client -connect localhost:636 -state
-CAfile /etc/ssl/openldap/cacert.pem -cert ldap.client.pem -key
ldap.client.key.pem
The last lines of the output:
SSL handshake has read 1242 bytes and written 2300 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
43CEA22C2E89844942D5BE3FE60B79CC2E252FF0C48EA3EF9C9CBE20E21544C7
Session-ID-ctx:
Master-Key:
00D71F7F5BD81C64EDEBA4A2D8CEF07B979A17A323E530EA5E22D8EC7C4F41DDFA41FC4F2C23828F89BC99185C98783A
Key-Arg : None
Start Time: 1088586644
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
The server is happy as well (partial output):
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
Again I need a push in the right direction. Could somebody help me?
Thanks for your patience!
Greetings,
Oliver.
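Editor's note, added example (not part of Oliver's mail or of OpenLDAP): the two tests above probe two different things. Port 636 (ldaps) speaks TLS from the first byte, which is why the second s_client run completes and reports "Verify return code: 0 (ok)". Port 389 (ldap) expects a plaintext LDAP message first; a client asks for encryption there by sending the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) and only then starting the TLS handshake. A bare TLS ClientHello on port 389 is not an LDAP message, which matches the "ber_get_next on fd 14 failed" line in the -d9 trace. The script below, written for this note, builds and parses the StartTLS request/response pair with the standard library only, then, in check_starttls, runs the exchange against a live server and refuses to continue in cleartext if the server does not answer success (the fail-closed behaviour the HOWTO attributes to -ZZ rather than -Z). Host, port and the CA file path are parameters; the responses used for offline testing are constructed here and are not server output.

```python
"""StartTLS (RFC 4511 section 4.14) probe for an LDAP server, stdlib only."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # requestName [0]
    ext = b"\x77" + ber_len(len(name)) + name                    # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                    # messageID INTEGER
    return b"\x30" + ber_len(len(body)) + body                    # SEQUENCE


def starttls_response(msg_id: int, result_code: int, diag: bytes = b"") -> bytes:
    """Server side, used here to construct test data: ExtendedResponse [APPLICATION 24]
    { resultCode ENUMERATED, matchedDN, diagnosticMessage }; optional responseName omitted."""
    content = (b"\x0a\x01" + bytes([result_code])
               + b"\x04\x00"
               + b"\x04" + ber_len(len(diag)) + diag)
    ext = b"\x78" + ber_len(len(content)) + content
    body = b"\x02\x01" + bytes([msg_id]) + ext
    return b"\x30" + ber_len(len(body)) + body


def parse_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one BER tag-length-value at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(data: bytes) -> dict:
    """Pull messageID, resultCode and diagnosticMessage out of an ExtendedResponse."""
    tag, msg, _ = parse_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = parse_tlv(msg, 0)
    tag, ext, _ = parse_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = parse_tlv(ext, 0)       # resultCode
    _, _matched, pos = parse_tlv(ext, pos)  # matchedDN (ignored)
    _, diag, _ = parse_tlv(ext, pos)      # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", errors="replace")}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full LDAP message arrived")
        buf += chunk
    return bytes(buf)


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        n = head[1] & 0x7F
        head += recv_exact(sock, n)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def check_starttls(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """StartTLS probe that fails closed: no TLS is negotiated unless the server says success."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request(1))
        resp = parse_starttls_response(recv_ldap_message(sock))
        if resp["result_code"] != 0:
            resp["tls"] = False  # server refused; do not continue in cleartext
            return resp
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            resp["tls"] = True
            resp["cipher"] = tls.cipher()
            resp["peer_subject"] = tls.getpeercert().get("subject")
    return resp


if __name__ == "__main__":
    # usage: python starttls_probe.py HOST CAFILE [PORT]   (hypothetical file name)
    h, ca = sys.argv[1], sys.argv[2]
    p = int(sys.argv[3]) if len(sys.argv) > 3 else 389
    print(check_starttls(h, p, ca))
```

If check_starttls raises ssl.SSLCertVerificationError, the CA file does not chain to the server certificate or the hostname does not match; that is the client-side failure the -Z flag silently tolerates. A result_code other than 0 means the server declined StartTLS before any encryption started, so the connection stays in cleartext and the script stops there instead of continuing the way a single -Z would.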