Re: debugging tls (apache2 mod_ldap)

[Dieter Kluenter <dieter@dkluenter.de>]

Dick Davies <rasputnik@hellooperator.net> writes:

> * Dick Davies <rasputnik@hellooperator.net> [0721 15:21]:
>> * Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0709 22:09]:

> The url I mentioned seems to back up my earlier assumption that you could 
> do SSL without TLS, and vice versa.
>
> What I think is happening is mod_auth_ldap
> is trying to do both - presumably that works fine with many configurations, but
> no mine. I need to have an SSL tunnel and not worry about TLS.
>
> To illustrate:
>
>
> [user@server httpd-2.0.49]$ /opt/bin/ldapsearch -x -H 'ldaps://ldaphost.domain/o=org' uid=user
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: uid=user
> # requesting: ALL
> #
>
> [returns the requested entry, no problems]
> but requesting TLS fails:
>
> [user@server httpd-2.0.49]$ /opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user
> ldap_start_tls: Operations error (1)
>         additional info: TLS is is already established
> [user@server httpd-2.0.49]$
>
> Does that make any sense?
> Maybe we're getting startTLS and TLS confused here?

Just to illustrate the difference between SSL and STARTTLS.
On port 389 the client has to tell the server, 'hey I want to make use
of TLS please start encryption' this is envoked by the ldap_starttls
function. If the server has been started with the flag '-h ldaps:///' it listens
on port 636 and announces that it is mandatory to establish an
encryted connection without any further client announcements.

With STARTTLS the first tcp packet exchange is unencrypted, while with
SSL packet exchange is encrypted right from the beginning.

-Dieter 

-- 
Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521
http://www.avci.de