[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP TLS/SSL Security problem

On Thu, 1 Jul 2004 sworden@focal.com wrote:

> I read what you sent me, and even recompiled with all the env's again and
> redoing the cert's.  I'm still not able to make a secure connection.  If
> I'm still trying to establish a ssl connection on a already secure port,
> what do I need to change to not get this to happen?
> I changes the files to:
> /etc/ldap.conf

You have a combination of pam/nss_ldap and OpenLDAP client
configuration directives in this file. By default, OpenLDAP
client libs look in [install-prefix]/etc/openldap/ldap.conf for
their settings. By default, pam_ldap and nss_ldap look for their
settings in /etc/ldap.conf. Depending on how you configured OpenLDAP
at build time, you may be putting your OpenLDAP directives in the
wrong file.  At minimum, it is not considered the best practice to
combine directives for these two separately developed and maintained
packages into the same file.

> HOST    ldaptest.*********.com
> BASE   dc=*********,dc=com
> URI    ldap://ldaptest.*********.com/
> URI    ldaps://ldaptest.*********.com/
> TLS_CACER       /usr/local/etc/cacert.pem

The above should be TLS_CACERT.

> #TLS_CACERTDIR  /usr/local/etc/server.pem
> #TLS_KEY        /usr/local/etc/server.pem
> ssl start_tls
> #TLS_REQCERT never
> SIZELIMIT      12
> TIMELIMIT      15
> /usr/loca/etc/openldap/slapd.conf
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 2003/05/24
> 23:19:14 ku
> rt Exp $
> # Sample security restrictions
> #       Require integrity protection (prevent hijacking)
> #       Require 112-bit (3DES or better) encryption for updates
> #       Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
> ##security ssf=128
> ##TLSCipherSuite                3DES:RC4:EXPORT40
> ##TLSCertificateFile    /usr/local/etc/slapd-cert.pem
> ##TLSCertificateKeyFile /usr/local/etc/slapd-key.pem
> TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem

I assume that the above two files were signed by the certificate
authority you specified for TLS_CACERT.

> TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem
> command
> /usr/local/bin/ldapsearch -d 1 -x -b "dc=***********,dc=com"  -H
> 'ldap://ldaptest.*********.com' -ZZ

OK, you're telling ldapsearch to attempt a StartTLS operation on
a non-encrypted LDAP service and fail if it doesn't work. Good.

> ldap_msgfree
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 20, subject:
> /C=US/ST=IL/L=AH/O=FOCAL/OU=NMS/CN=ldaptest.**********.com, issuer:
> /C=US/ST=IL/L=AH/O=FOCAL/OU=NMS/CN=ldaptest.**********.com
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The above error may be due to (1) using TLS_CACER instead of
TLS_CACERT, and (2) putting your OpenLDAP client directives in the
wrong config file.

Kirk Turner-Rustin
Libraries and Information Services
Ohio Wesleyan University