I am trying to get a basic TLS connection working on my Linux server
using OpenLDAP and the ldapsearch command, but it does not connect with
TLS.
I've created an SSL certificate with the usual command:
openssl req -new -x509 -nodes -out ldcert.pem -keyout ldkey.pem -days 3650
I've added the requisite lines to slapd.conf (TLSCertificateFile,
TLSCertificateKeyFile) and to ldap.conf (TLS_CACERT, since my
certificate is self-signed).
I've started the OpenLDAP server with the command:
slapd -d 10
If I issue the command:
ldapsearch -x -b 'dc=com' -H 'ldap://localhost/' -D 'uid=root' -W -v
then everything works and I see a list of all the directory entries in
the server.
However, if I issue the same command except with the -ZZ option to use
TLS:
ldapsearch -x -b 'dc=com' -H 'ldap://localhost/' -D 'uid=root' -W -v -ZZ
Then I get an error that reads:
ldap_start_tls: Connect error (-11)
So I analyzed the debug log coming from the server (during the
ldapsearch ... -ZZ command) and I get the debug log below (I've snipped
out the actual buffer exchanges for brevity). As you can see, it goes
through several handshakes successfully, but then suddenly the server is
looking for more data but the client doesn't send it, so the server
closes the connection.
Can someone please help to analyze this problem so I can get this
working? LDAP 2.4.12, OpenSSL 0.9.8i. Thank you in advance for any
advice you can offer me.
-Eric
slap_listener_activate(8):
slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36
.1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x83881e8 ptr=0x83881e8 end=0x8388205 len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34
...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37
.1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=0 op=0 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x83881e8 ptr=0x83881eb end=0x8388205 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e
w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 12
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00
0....x........
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
<... snip ...>
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1105, written=1105
<... snip ...>
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 16 03 01 01 06 .....
tls_read: want=262, got=262
<... snip ...>
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 30 ....0
tls_read: want=48, got=48
<... snip ...>
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=59, written=59
<... snip ...>
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
tls_read: want=5, got=0
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
---
-Eric Johanson
Principal Software Engineer
Newpoint Technologies, Inc.
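Added example (not from Eric's post or from OpenLDAP): a small decoder for the two LDAP messages and the TLS record headers whose hex appears in the slapd -d 10 dump above. It confirms what the server-side log shows on its own: the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) was answered with resultCode 0, and each 5-byte record header's length field matches the following "tls_read: want=" size, so the handshake records up to the client's Finished were received intact. The bytes below are copied from the log; the decoder handles only the short-form BER lengths these messages use.

```python
START_TLS_OID = "1.3.6.1.4.1.1466.20037"

# Bytes copied from the ldap_read / ber_flush2 hex dumps in the slapd log.
START_TLS_REQUEST = bytes.fromhex(
    "30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37")
START_TLS_RESPONSE = bytes.fromhex("30 0c 02 01 01 78 07 0a 01 00 04 00 04 00")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one BER element (short-form length only)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths do not occur in these messages")
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_ldap_message(raw):
    """Decode LDAPMessage { messageID, protocolOp } for the Extended ops (RFC 4511)."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, msgid, pos = read_tlv(body)            # INTEGER messageID
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(msgid, "big"), "opTag": op_tag}
    if op_tag == 0x77:                        # [APPLICATION 23] ExtendedRequest
        _, oid, _ = read_tlv(op)              # [0] requestName LDAPOID
        msg["requestName"] = oid.decode("ascii")
        msg["isStartTLS"] = msg["requestName"] == START_TLS_OID
    elif op_tag == 0x78:                      # [APPLICATION 24] ExtendedResponse
        _, code, pos = read_tlv(op)           # ENUMERATED resultCode (0 = success)
        _, matched, pos = read_tlv(op, pos)   # OCTET STRING matchedDN
        _, diag, _ = read_tlv(op, pos)        # OCTET STRING diagnosticMessage
        msg.update(resultCode=int.from_bytes(code, "big"),
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode())
    return msg

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

def tls_record_header(hdr):
    """Decode the 5-byte TLS record header printed after each 'tls_read: want=5'."""
    return {"type": TLS_CONTENT_TYPES.get(hdr[0], "unknown"),
            "version": f"{hdr[1]}.{hdr[2]}",             # 3.1 = TLS 1.0
            "length": int.from_bytes(hdr[3:5], "big")}   # = next tls_read want=

if __name__ == "__main__":
    print(decode_ldap_message(START_TLS_REQUEST))
    print(decode_ldap_message(START_TLS_RESPONSE))
    for h in ("16 03 01 01 06", "14 03 01 00 01", "16 03 01 00 30"):
        print(h, "->", tls_record_header(bytes.fromhex(h)))
```

The server log stops at the handshake, so whatever the client does after receiving the server's Finished (for example its own certificate verification) is only visible in client-side output such as ldapsearch -d 1.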