[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: debugging tls (apache2 mod_ldap)

* Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0704 16:04]:
> At 04:57 AM 7/13/2004, Dick Davies wrote:
> >* Dick Davies <rasputnik@hellooperator.net> [0721 15:21]:
> >> * Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0709 22:09]:
> >
> >Sorry to reply to my own post, but I've just been reading
> >
> >http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#7.0
> This (independently authored) article uses the terms TLS and
> SSL in a confusing manner.  I've been meaning to ask Kent
> to revise it.

Ah, ok. I just assumed it was authoratative since it's on the site -
and of course by definition your responses are authoratative too :)

> >>>Do I have an option to just do SSL without TLS,

> >What I think is happening is mod_auth_ldap
> >is trying to do both - presumably that works fine with many configurations, but
> >no mine. I need to have an SSL tunnel and not worry about TLS.
> SSL and TLS are same thing.

The point I'm trying (badly) to make is that I wanted to check mod_ldap isn't trying 
to do what the 'ldapsearch -ZZ -H 'ldaps.........' command is - I know it's an error,

Snipping as much irrelevant code as I can, it does the following operations to init 
the connection:

              ldc->ldap = ldap_init(ldc->host, ldc->port);
                if (NULL != ldc->ldap)
                    int SSLmode = LDAP_OPT_X_TLS_HARD;
                    result = ldap_set_option(ldc->ldap, LDAP_OPT_X_TLS, &SSLmode);

[ ldc->ldap is the cached LDAP connection, which gets reused by apache,
the arguments to ldap_init are 'ldaphost.domain' and the ldaps port (636) ]

The ldap_set_option call handles both SSL initialization and startTLS, right ?
If so, I don't think mod_ldap is at fault - it works fine on our other servers.

What I *have* found (with 'openssl s_client', recommended by the url at top, thanks)
is that the CN on the certificate doesn't match the hostname, though there is a
'subject alternate name' set to the correct hostname in there too.

Does that sound like something that would cause the ldap_set_option() call to fail?

The client API is openldap 2.1.30, the server is some Novell directory thing.

> >[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -x -H 'ldaps://ldaphost.domain/o=org' uid=user
> This (ldaps://) initiates TLS upon establishment of the TCP stream (on port 636).
> >[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user
> This asks that TLS be established upon establish of the TCP
> stream (on port 636) and subsequently request TLS be established
> (again) via use of the LDAP Start TLS operation.

right, so the ldaps:// prefix specifies to start TLS, rather than to do startTLS 
(you can see where the confusion comes in, cant' you)? Gotcha.
> >Does that make any sense?
> >Maybe we're getting startTLS and TLS confused here?
> Maybe.  TLS (SSL) is a security layer.  StartTLS is a mechanism
> for starting TLS.  ldaps:// is another mechanism for starting TLS.

Thanks, Kurt, that clarifies it well.

Finagle's Creed:
	Science is true.  Don't be misled by facts.
Rasputin :: Jack of All Trades - Master of Nuns