
SSL problem with slurpd



I am having a problem with SSL and slurpd. We have a local CA that we have built, and both LDAP servers are using it fine, as you can see below with the ldapsearch.

The problem is that when I go and run the slurpd I get the slurpd output below.

My slapd.master.conf ssl stuff is
TLSCipherSuite          HIGH
TLSCertificateFile      /var/openssl/certs/cert.pem
TLSCertificateKeyFile   /var/openssl/certs/key.pem
TLSCACertificateFile    /etc/openldap/cacert.pem

My client ldapsearch stuff is
TLS_CACERT /etc/openldap/cacert.pem
TLS_REQCERT demand

Both the cacert.pem files are the same on the server and the client.

I have also included an s_client session to ripper (the slave slapd) with the CA certificate file, and it also checks out.

Anyone know why slurpd is just ignoring or not checking the SSL certificates correctly?

############# LDAP SEARCH
[derek@queasy openldap]# ldapsearch -h torch.cs.umd.edu -LLL -ZZ sn=derek
SASL/GSSAPI authentication started
SASL username: derek@CSIC.UMD.EDU
SASL SSF: 56
SASL installing layers
dn: uid=derek,ou=people,dc=csic,dc=umd,dc=edu
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: csicAccount
uid: derek
cn: derek
sn: derek
mailHost: csic.umd.edu
mailLocalAddress: derek@csic.umd.edu
mailRoutingAddress: derek@cs.umd.edu



##############SLURPD
455 root@torch:csic # /usr/local/openldap-2.2.14/libexec/slurpd -f /etc/openldap/slapd.master.conf -r /var/openldap/csic/csic.replog -t /var/openldap/csic -d 1
@(#) $OpenLDAP: slurpd 2.2.14 (Jun 29 2004 15:22:19) $
root@zartan:/export/tmp/openldap-2.2.14/servers/slurpd


ldap_url_parse_ext(ldaps://ripper.cs.umd.edu:636)
ldap_create
ldap_url_parse_ext(ldaps://ripper.cs.umd.edu:636)
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ripper.cs.umd.edu:636
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying 128.8.129.19:636
ldap_connect_timeout: fd: 7 tm: -1 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=staff@cs.umd.edu/emailAddress=staff@cs.umd.edu, issuer: /C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=staff@cs.umd.edu/emailAddress=staff@cs.umd.edu
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error: ldap_simple_bind_s for ripper.cs.umd.edu:636 failed: Can't contact LDAP server
ldap_unbind


######### openssl s_client

457 root@torch:csic # /usr/local/openssl-0.9.6k/bin/openssl s_client -connect ripper.cs.umd.edu:636 -CAfile /etc/openldap/cacert.pem
CONNECTED(00000003)
depth=1 /C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=staff@cs.umd.edu/Email=staff@cs.umd.edu
verify return:1
depth=0 /C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=ripper.cs.umd.edu/Email=staff@cs.umd.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=ripper.cs.umd.edu/Email=staff@cs.umd.edu
  i:/C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=staff@cs.umd.edu/Email=staff@cs.umd.edu
1 s:/C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=staff@cs.umd.edu/Email=staff@cs.umd.edu
  i:/C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=staff@cs.umd.edu/Email=staff@cs.umd.edu
---
Server certificate
subject=/C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=ripper.cs.umd.edu/Email=staff@cs.umd.edu
issuer=/C=US/ST=Maryland/L=College Park/O=University of Maryland/OU=Computer Science Department/CN=staff@cs.umd.edu/Email=staff@cs.umd.edu
---
No client certificate CA names sent
---
SSL handshake has read 2277 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: B8F4525A5B2E54C2BE67D9831016AA117DAD2F7714A9DAC97B6646C51C206084
Session-ID-ctx:
Master-Key: A570AB66EB3231A78AA14E72D69B3665A4754C487F077F8BCD176898021FEB4684FA1BBDB43C963F2602D7F8E4C54C08
Key-Arg : None
Start Time: 1093457941
Timeout : 300 (sec)
Verify return code: 0 (ok)
---



-- 
Derek T. Yarnell
UNIX System Administrator
Computer Science Department
University of Maryland
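An added helper, not part of the post above, that parses OpenLDAP "TLS certificate verification" trace lines like the slurpd output, decodes the OpenSSL verify result code, and flags the case shown here: the failure is at the self-signed root (subject equals issuer), which means the process that logged it never loaded that CA, even though s_client with the same CA file succeeds. The sample trace lines are constructed from the post.

```python
import re

# OpenSSL X509 verify result codes (x509_vfy.h) that commonly appear in
# OpenLDAP "TLS certificate verification: ... err: N" trace lines.
X509_ERRORS = {
    0: "ok",
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate (the leaf itself, depth 0)",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

TRACE_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)

# Constructed sample, shortened from the slurpd -d 1 output in the post.
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/O=University of Maryland/CN=staff@cs.umd.edu, issuer: /C=US/O=University of Maryland/CN=staff@cs.umd.edu
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
"""


def parse_trace(text):
    """Return one dict per per-certificate verification line, in log order."""
    records = []
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            records.append({"depth": int(m["depth"]), "err": int(m["err"]),
                            "subject": m["subject"].strip(),
                            "issuer": m["issuer"].strip()})
    return records


def diagnose(text):
    """Explain the first failing verification step, or report success."""
    for rec in parse_trace(text):
        if rec["err"] == 0:
            continue
        why = X509_ERRORS.get(rec["err"], "unknown verify error")
        hint = ""
        if rec["err"] in (18, 19) and rec["subject"] == rec["issuer"]:
            # The chain reached a self-signed root and OpenSSL did not find it
            # in the trust store this process loaded: a CA-file problem on the
            # client side, not a bad server certificate.
            hint = "; self-signed root not in the trust store loaded by this process"
        return f"depth {rec['depth']}: err {rec['err']} ({why}){hint}"
    return "verification ok"
```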