
Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL



Markus Moeller wrote:
Howard,

I use OpenSuse 10.2 with libldap-2.3.so.0.2.15, and if I have an empty
~/.ldaprc file, ldap_start_tls_s comes back with error -11 (Connect error).

LDAP_OPT_X_TLS is not the same as LDAP_OPT_X_TLS_REQUIRE_CERT.

By default, certificate checking is enforced, and you must supply a valid CA cert, just like it says in the manpages and the Admin Guide.

ldap_int_select
read1msg: ld 0x8054608 msgid 1 all 1
read1msg: ld 0x8054608 msgid 1 message type extended-result
read1msg: ld 0x8054608 0 new referrals
read1msg:  mark request completed, ld 0x8054608 msgid 1
request done: ld 0x8054608 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error while setting start_tls for ldap server: Connect error(-11)
ldap_free_connection 1 1
ldap_send_unbind

When I add  tls_reqcert allow to ~/.ldaprc I get

ldap_int_select
read1msg: ld 0x8054608 msgid 1 all 1
read1msg: ld 0x8054608 msgid 1 message type extended-result
read1msg: ld 0x8054608 0 new referrals
read1msg:  mark request completed, ld 0x8054608 msgid 1
request done: ld 0x8054608 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
Successfully set up TLS protected connection to ldap server w2k3.windows2003.home:389


So, this setting definitely does something!!

-- 
Howard Chu
Chief Architect, Symas Corp.       http://www.symas.com
Director, Highland Sun             http://highlandsun.com/hyc/
Chief Architect, OpenLDAP          http://www.openldap.org/project/
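The two transcripts in this thread differ in one security-relevant way that is easy to miss when an application only checks the return code of ldap_start_tls_s: with the default TLS_REQCERT (demand) the handshake aborts with a fatal "unknown CA" alert, while with `tls_reqcert allow` the same verification errors (20, 27, 21) are logged, the handshake completes, and the client reports success over a channel whose peer was never authenticated. The script below is an added example, not part of the thread and not OpenLDAP code; it audits libldap debug output and reports whether a TLS session was actually verified. The first two trace strings are the thread's own debug lines (each wrapped subject/issuer line joined onto one line); CLEAN_TRACE is constructed to show the verified case, and the error-code names are OpenSSL's X509 verify result codes.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# OpenSSL X509 verify result codes as they appear in libldap's
# "TLS certificate verification: depth: N, err: M" trace lines.
X509_VERIFY_ERRORS = {
    20: "unable to get local issuer certificate",  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "unable to verify the first certificate",  # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    27: "certificate not trusted",                 # X509_V_ERR_CERT_UNTRUSTED
}

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: ([^,]+), issuer:"
)


@dataclass
class TlsAudit:
    verify_errors: List[Tuple[int, int, str]] = field(default_factory=list)  # (depth, err, subject)
    fatal_alert: bool = False     # client sent a fatal alert, i.e. aborted the handshake
    handshake_done: bool = False  # client read the server's Finished message
    cant_connect: bool = False    # libldap gave up ("TLS: can't connect.")

    @property
    def verdict(self) -> str:
        if self.cant_connect or self.fatal_alert or not self.handshake_done:
            return "failed"
        if self.verify_errors:
            return "unverified"  # encrypted, but the peer certificate was not validated
        return "verified"


def audit_tls_trace(lines: Iterable[str]) -> TlsAudit:
    """Walk libldap -d -1 style output and record what the TLS layer actually did."""
    audit = TlsAudit()
    for line in lines:
        m = VERIFY_RE.search(line)
        if m:
            audit.verify_errors.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif "alert write:fatal" in line:
            audit.fatal_alert = True
        elif "read finished" in line:
            audit.handshake_done = True
        elif line.strip() == "TLS: can't connect.":
            audit.cant_connect = True
    return audit


def explain(audit: TlsAudit) -> List[str]:
    """One finding per verify error plus the overall verdict, for a human reader."""
    out = []
    for depth, err, subject in audit.verify_errors:
        name = X509_VERIFY_ERRORS.get(err, "unrecognised X509 verify error")
        out.append(f"depth {depth} {subject}: err {err} ({name})")
    out.append(f"verdict: {audit.verdict}")
    return out


# Debug lines from the thread, default TLS_REQCERT (demand): handshake aborted.
DEMAND_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
"""

# Debug lines from the thread with "tls_reqcert allow": errors logged, handshake completed anyway.
ALLOW_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
Successfully set up TLS protected connection to ldap server w2k3.windows2003.home:389
"""

# Constructed (not from the thread): what a handshake with a trusted CA configured looks like.
CLEAN_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 read finished A
"""

if __name__ == "__main__":
    for label, trace in (("demand", DEMAND_TRACE), ("allow", ALLOW_TRACE), ("clean", CLEAN_TRACE)):
        print(f"== {label} ==")
        for finding in explain(audit_tls_trace(trace.splitlines())):
            print("  " + finding)
```

Feed it the output of `ldapsearch -d -1 -ZZ ...` (or of any libldap client with full debugging on). An "unverified" verdict is the one to act on: the remedy is not `TLS_REQCERT allow` but a `TLS_CACERT` line in ldaprc pointing at the PEM copy of the issuing CA (here Windows2003CA) with TLS_REQCERT left at its default of demand, so that err 20 never occurs and a substituted server certificate is rejected rather than logged and accepted.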