
problem with clientside TLS

I'm trying to set up client-side TLS with openldap 2.1.29.

Serverside works OK. I've just generated a client cert, signed it with the same CA as the server cert, and added
TLSVerifyClient demand
in slapd.conf

However, it doesn't work anymore:
guillomovitch@katu:~$ ldapsearch -x -H ldaps://ldap.zarb.org
ldap_bind: Can't contact LDAP server (81)

guillomovitch@katu:~$ ldapsearch -x -H ldaps://ldap.zarb.org -d 9
ldap_connect_to_host: TCP ldap.zarb.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=katu3
TLS certificate verification: depth: 0, err: 0, subject: C=, ST=, L=, O=zarb.org, OU=ldap server, CN=ldap.zarb.org/Email=ldapmaster@zarb.org, issuer: C=, ST=Some-State, L=, O=zarb.org, OU=certification authority, CN=ca.zarb.org/Email=camaster@zarb.org
ldap_open_defconn: successful
ber_flush: 14 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldap.zarb.org port: 636 (default)
refcnt: 2 status: Connected
last used: Wed Nov 24 23:27:35 2004

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
read1msg: msgid 1, all 1
ber_get_next failed.
ldap_bind: Can't contact LDAP server (81)

Here is my .ldaprc:
TLS_CACERT      /etc/ssl/crt/ca.pem
TLS_REQCERT     demand
TLS_CERT        /etc/ssl/client.crt
TLS_KEY         /etc/ssl/client.key

Following http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.2, I tested with openssl s_client:

guillomovitch@katu:~$ openssl s_client -connect ldap.zarb.org:636 -showcerts -state -CAfile /etc/ssl/crt/ca.pem -cert /etc/ssl/client.crt -key /etc/ssl/client.key
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org
verify return:1
depth=0 /C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
Certificate chain
0 s:/C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org
i:/C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org
Server certificate
subject=/C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org
issuer=/C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org
No client certificate CA names sent
SSL handshake has read 1681 bytes and written 282 bytes
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Protocol : TLSv1
Session-ID: 12E58010D2F0364E7965C3DD2974012903B37756661955B8730129E1CBADEE69
Session-ID-ctx:
Master-Key: D7F2483CFF8C438B17D6D9278100770E413666AE9F71CDE5C64834D6431242928F381236DCABFB5866F9FAB516BA372B
Key-Arg : None
Start Time: 1101335314
Timeout : 300 (sec)
Verify return code: 0 (ok)
SSL3 alert write:warning:close notify

Note that I still have the infamous "No client certificate CA names sent" line, and my SSL handshake trace is slightly different from the one exposed in the document: no "SSL_connect:SSLv3 read server certificate request A", but "SSL_connect:SSLv3 read server key exchange A"

My openssl s_client version is 0.9.6c, while ldap is linked against libopenssl 0.9.7c, which could explain part of the problem.
Why is it when two planes almost hit each other it is called a "near miss"? Shouldn't it be called a "near hit"?
-- Why Why Why n°43
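An added example, not part of the message above: a small Python parser for openssl s_client transcripts that answers the question the post is circling around, namely whether the server ever sent a CertificateRequest (the "No client certificate CA names sent" line means it did not, so the TLS_CERT/TLS_KEY entries in .ldaprc are never used). Both transcripts are constructed for this example; the first follows the trace in the post, the second is what a server demanding a client certificate prints instead.

```python
import re

# Constructed transcripts (abbreviated). The line layout follows openssl s_client -state output.
TRACE_NO_REQUEST = """\
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
---
No client certificate CA names sent
---
SSL handshake has read 1681 bytes and written 282 bytes
Verify return code: 0 (ok)
"""

TRACE_REQUEST = """\
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
---
Acceptable client certificate CA names
/C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org
---
SSL handshake has read 1900 bytes and written 1200 bytes
Verify return code: 0 (ok)
"""

def parse_s_client(trace):
    """Extract the client-auth facts from an s_client transcript."""
    lines = trace.splitlines()
    result = {"cert_requested": False, "ca_names": [], "verify_code": None}
    i = 0
    while i < len(lines):
        line = lines[i]
        if "read server certificate request" in line:   # -state trace of CertificateRequest
            result["cert_requested"] = True
        elif line.startswith("Acceptable client certificate CA names"):
            result["cert_requested"] = True
            i += 1   # following lines list the issuer DNs the server accepts
            while i < len(lines) and not lines[i].startswith(
                    ("---", "Client Certificate Types", "SSL handshake")):
                result["ca_names"].append(lines[i].strip())
                i += 1
            continue
        m = re.match(r"Verify return code: (\d+)", line)
        if m:
            result["verify_code"] = int(m.group(1))
        i += 1
    return result

def diagnose(trace):
    """One-line verdict on whether mutual TLS can work against this server."""
    r = parse_s_client(trace)
    if not r["cert_requested"]:
        return "server never asked for a client certificate: TLS_CERT/TLS_KEY are unused"
    if r["verify_code"] != 0:
        return "server chain failed verification (code %d)" % r["verify_code"]
    return "mutual TLS possible; issuers accepted: " + ", ".join(r["ca_names"])
```

Feed it the real output of `openssl s_client -state -showcerts ...` to check whether a change to TLSVerifyClient actually took effect on the listener you reached.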