Re: TLS Configuration - "unable to get TLS client DN, error=49"
I might be wrong but I think there is a certain problem with
Debian/*buntu for LDAPS clients...
Sambuddho
On Fri, 2008-08-01 at 16:14 -0400, Brad T Waldorf wrote:
> Hi. We're trying to configure a basic SSL (TLS) connection through
> OpenLDAP version 2.4.6. We're using Linux, Debian Version 4.0 ('etch')
> INTEL.
>
>
> The pertinent info...
>
>
> slapd.conf
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
>
> pidfile /usr/local/var/run/slapd.pid
> argsfile /usr/local/var/run/slapd.args
>
> loglevel -1
> logfile /usr/local/var/openldap-data/logb
>
>
> TLSCACertificateFile /home/bwaldorf/certs/1024pcert.pem
> TLSCertificateFile /home/bwaldorf/certs/1024pcert.pem
> TLSCertificateKeyFile /home/bwaldorf/certs/1024pkey.pem
> TLSCipherSuite DES-CBC-SHA
> TLSVerifyClient never
>
>
> #TLSRandFile
> #TLSEphemeralDHParamFile
>
>
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database bdb
> suffix "o=replDB"
> rootdn "cn=replman,o=replDB"
> rootpw password
> timelimit 1
> idletimeout 4
>
> access to attrs=userPassword
> by self write
> by anonymous auth
> by * none
>
> access to *
> by self write
> by * read
>
> directory /usr/local/var/openldap-data
>
> index sn,mail,uid,title eq
>
> ldap.conf
>
> TLS_CACERT /home/bwaldorf/certs/1024pcert.pem
> TLS_CERT /home/bwaldorf/certs/1024pcert.pem
> TLS_KEY /home/bwaldorf/certs/1024pkey.pem
>
>
> So we try the following search (-ZZ to force the command to be
> successful)...
>
> ldapsearch -x -D "cn=replman,o=replDB" -w password -b "o=replDB1" -ZZ
>
> And we get the following output (below) with -d -1... (sorry for the
> excessive messages).
>
> Looks like the problem is...
> "connection_read(13): unable to get TLS client DN, error=49 id=5"
>
> I did some googling for this error, but never found a thread with a
> cause/solution.
>
> Thanks in advance for your time and help!
>
> daemon: activity on 1 descriptor
> daemon: activity on:
> slap_listener_activate(8):
> daemon: epoll: listen=7 active_threads=0 tvp=NULL
> daemon: epoll: listen=8 busy
> >>> slap_listener(ldap:///)
> daemon: activity on 1 descriptor
> daemon: listen=8, new connection on 13
> daemon: activity on:daemon: added 13r (active) listener=(nil)
>
> conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389))
> daemon: epoll: listen=7 active_threads=1 tvp=zero.
> daemon: epoll: listen=8 active_threads=1 tvp=zero.
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read active on 13
> daemon: epoll: listen=7 active_threads=1 tvp=zero.
> connection_get(13)
> daemon: epoll: listen=8 active_threads=1 tvp=zero.
> connection_get(13): got connid=5
> connection_read(13): checking for input on id=5
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 1d 02 01 01 77 18 80 0....w..
> ldap_read: want=23, got=23
> 0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
> 0010: 36 2e 32 30 30 33 37 6.20037
> ber_get_next: tag 0x30 len 29 contents:
> ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fc8 end=0xa0c11fe5 len=29.
> 0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
> 0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
> ber_get_next
> ldap_read: want=8 error=Resource temporarily unavailable
> conn=5 op=0 do_extended
> ber_scanf fmt ({m) ber:
> ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fcb end=0xa0c11fe5 len=26
> 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
> 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
> conn=5 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> do_extended: oid=1.3.6.1.4.1.1466.20037
> daemon: activity on 1 descriptor
> conn=5 op=0 STARTTLS
> daemon: activity on:send_ldap_extended: err=0 oid= len=0
>
> send_ldap_response: msgid=1 tag=120 err=0
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> ber_flush2: 14 bytes to sd 13
> 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
> conn=5 op=0 RESULT oid= err=0 text=
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read active on 13
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> connection_get(13)
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> connection_get(13): got connid=5
> connection_read(13): checking for input on id=5
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
> 0000: 80 74 01 03 01 00 4b 00 00 00 20 .t....K.......
> tls_read: want=107, got=107
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> tls_write: want=985, written=985
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5 error=Resource temporarily unavailable
> TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
> TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
> daemon: activity on 1 descriptor
> daemon: activity on:
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read active on 13
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> connection_get(13)
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> connection_get(13): got connid=5
> connection_read(13): checking for input on id=5
> tls_read: want=5, got=5
> 0000: 16 03 01 00 86 ...........:
> tls_read: want=134, got=134
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> tls_read: want=5, got=5
> 0000: 14 03 01 00 01 .....
> tls_read: want=1, got=1
> 0000: 01 .....
> tls_read: want=5, got=5
> 0000: 16 03 01 00 28 ....(
> tls_read: want=40, got=40
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> tls_write: want=51, written=51
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN, error=49 id=5
> conn=5 fd=13 TLS established tls_ssf=56 ssf=56
> daemon: activity on 1 descriptor
> daemon: activity on:
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read active on 13
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> connection_get(13)
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> connection_get(13): got connid=5
> connection_read(13): checking for input on id=5
> ber_get_next
> tls_read: want=5, got=0
>
> ldap_read: want=8, got=0
>
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=5, closing.
> connection_closing: readying conn=5 sd=13 for close
> connection_close: conn=5 sd=13
> daemon: removing 13
> daemon: activity on 1 descriptor
> tls_write: want=29, written=29
> 0000: 15 03 01 00 18 73 41 45 4f f9 51 03 05 e6 66 c2 .....sAEO.Q...f.
> 0010: f5 65 d2 a9 ab 03 aa 8d d1 79 ef 18 8c .e.......y....
> TLS trace: SSL3 alert write:warning:close notify
> conn=5 fd=13 closed (connection lost)
> daemon: activity on:
> daemon: epoll: listen=7 active_threads=0 tvp=NULL
> daemon: epoll: listen=8 active_threads=0 tvp=NULL
>
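The following triage script is an added example, not code from this thread or from OpenLDAP: it reads the kind of slapd -d -1 trace quoted above and reports what the trace shows about the StartTLS exchange (whether a client certificate was presented, the negotiated ssf, whether the peer hung up before any bind). The 128-bit minimum ssf, the list of operation names and the reading of error=49 as "no client certificate presented" are assumptions of the example.

```python
import re

# Constructed sample: the slapd -d -1 lines from the post that matter (hex dumps omitted)
SAMPLE_TRACE = """\
conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389)
conn=5 op=0 STARTTLS
conn=5 op=0 RESULT oid= err=0 text=
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read finished A
connection_read(13): unable to get TLS client DN, error=49 id=5
conn=5 fd=13 TLS established tls_ssf=56 ssf=56
connection_read(13): input error=-2 id=5, closing.
TLS trace: SSL3 alert write:warning:close notify
conn=5 fd=13 closed (connection lost)
"""

MIN_SSF = 128  # assumed local policy: anything weaker than 128-bit is a finding
SSF_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
DN_ERR_RE = re.compile(r"unable to get TLS client DN, error=(\d+)")
OP_RE = re.compile(r"conn=\d+ op=\d+ (BIND|SRCH|EXT|MOD|ADD|DEL)")  # assumed op names

def triage(trace: str, min_ssf: int = MIN_SSF) -> dict:
    """Summarise one StartTLS exchange: observed facts plus defender findings."""
    r = {"starttls": False, "client_cert": True, "ssf": None, "dn_error": None,
         "ops_after_tls": 0, "closed": False, "findings": []}
    for line in trace.splitlines():
        if re.search(r"conn=\d+ op=\d+ STARTTLS", line):
            r["starttls"] = True
        elif "error in SSLv3 read client certificate" in line:
            r["client_cert"] = False             # client sent no certificate
        elif m := DN_ERR_RE.search(line):
            r["dn_error"] = int(m.group(1))
        elif m := SSF_RE.search(line):
            r["ssf"] = int(m.group(2))           # strength slapd will enforce for this conn
        elif r["ssf"] is not None and OP_RE.search(line):
            r["ops_after_tls"] += 1              # any LDAP operation inside the TLS session
        elif re.search(r"conn=\d+ fd=\d+ closed", line):
            r["closed"] = True
    if r["ssf"] is not None and r["ssf"] < min_ssf:
        r["findings"].append(f"ssf={r['ssf']} is below the {min_ssf}-bit policy: tighten TLSCipherSuite")
    if not r["client_cert"] and r["dn_error"] == 49:
        r["findings"].append("no client certificate: error=49 (invalid credentials) from the "
                             "peer-DN lookup is expected with TLSVerifyClient never")
    if r["ssf"] is not None and r["closed"] and r["ops_after_tls"] == 0:
        r["findings"].append("peer hung up right after TLS was established, before any bind: the "
                             "client rejected the session, so check its TLS_CACERT/TLS_REQCERT "
                             "and the server certificate it was shown")
    return r
```

Run `triage(SAMPLE_TRACE)["findings"]` to see the three observations for the trace above; feed it a trace captured from your own server to triage a different connection.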