OpenLDAP Client + IBM Directory Server + TLS


Has anyone ever managed to set up a TLS connection between an OpenLDAP
client and an IBM LDAP Server (more specifically, ITDS 6.1, Linux

I can submit queries in the standard way, but using TLS seems to be a
bit of a problem.

I have the server certificate specified as TLS_CACERT in my client
config since it's self-signed.

The query result goes like this:

klausk@klausk:~/sandbox/Kerberos_work$ ldapsearch -D cn=root -W -H
ldap://fqdn -s sub -x -ZZ -d 9 objectclass=*
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP fqdn:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x8059240 msgid 1
wait4msg ld 0x8059240 msgid 1 (infinite timeout)
wait4msg continue ld 0x8059240 msgid 1 all 1
** ld 0x8059240 Connections:
* host: fqdn  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 28 13:43:57 2008

** ld 0x8059240 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x8059240 request count 1 (abandoned 0)
** ld 0x8059240 Response Queue:
  ld 0x8059240 response count 0
ldap_chkResponseList ld 0x8059240 msgid 1 all 1
ldap_chkResponseList returns ld 0x8059240 NULL
read1msg: ld 0x8059240 msgid 1 all 1
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x8059240 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x8059240 0 new referrals
read1msg:  mark request completed, ld 0x8059240 msgid 1
request done: ld 0x8059240 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
TLS: can't connect: Decryption has failed..
ldap_start_tls: Connect error (-11)

Note: the server is configured to accept TLS on the standard port (389),
after a StartTLS extended LDAP operation. It works fine using the IBM

After sniffing the packets I could see that the OpenLDAP Client sends a
"Client Hello" message advertising TLS 1.1 support (0x0302), whereas the
IBM Client asks for TLS 1.0 (0x0301).

In both cases the server replies with a TLS 1.0 "Server Hello" message,
with the certificate and the TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) cipher
suite. The following client messages are TLS 1.0, indicating that the
OpenLDAP client correctly fell back to that version.

But with the OpenLDAP Client, after Change Cipher Spec and Encrypted
Handshake, the server sends an "Encrypted Alert" message and the
connection is dropped, with the output above.

I'm using a certificate generated with GSKit on the server box, and
exported the .PEM key, which OpenSSL appears to recognize fine.

Is there anything more I can do to debug this error? I'm particularly
interested in further debugging the TLS connection. Maybe there is an
environment variable that will enable debugging output from OpenSSL?

Any pointers are helpful.


 -Klaus K.
Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center
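To see the negotiation described in the post in the raw bytes rather than only in a sniffer, here is an added example that is not part of the original message and not code from OpenLDAP, GnuTLS, OpenSSL or ITDS. It parses the TLS record layer and the plaintext ClientHello/ServerHello, reports the versions each side put on the wire, the cipher suite the server chose and whether the client had offered it, decodes a plaintext alert if one appears, and flags an alert that arrives after ChangeCipherSpec (opaque, as in the capture above). The sample stream is constructed inline to mirror the post (client offers 0x0302, server answers 0x0301 with 0x002f, then CCS, an encrypted Finished and an encrypted alert); it is not a real capture, and the single "encrypted" flag is a simplification, since a real capture has separate cipher state per direction.

```python
"""Decode a TLS 1.x handshake far enough to see version and cipher-suite
negotiation and a post-ChangeCipherSpec alert. Added example; the sample
bytes below are constructed here, not taken from a real capture."""
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITES = {0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
ALERT_DESC = {20: "bad_record_mac", 40: "handshake_failure", 51: "decrypt_error",
              70: "protocol_version"}
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE = 20, 21, 22
CLIENT_HELLO, SERVER_HELLO = 1, 2


def record(ctype, version, payload):
    """TLS record layer: content_type(1) version(2) length(2) payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def handshake(htype, body):
    """Handshake header: msg_type(1) length(3) body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def client_hello(version, suites):
    # client_version, random(32, zero here), empty session_id, cipher_suites, null compression
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    return record(HANDSHAKE, version, handshake(CLIENT_HELLO, body))


def server_hello(version, suite):
    # server_version, random(32), empty session_id, chosen cipher_suite, null compression
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return record(HANDSHAKE, version, handshake(SERVER_HELLO, body))


def parse_records(data):
    """Split a byte stream into (content_type, record_version, payload) tuples."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body at offset %d" % off)
        out.append((ctype, ver, payload))
        off += 5 + length
    return out


def parse_hello(payload):
    """Version (and suites) from a plaintext ClientHello or ServerHello."""
    htype = payload[0]
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    p = 35 + body[34]                       # skip version(2), random(32), session_id
    if htype == CLIENT_HELLO:
        n = struct.unpack("!H", body[p:p + 2])[0]
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p + 2, p + 2 + n, 2)]
        return {"type": htype, "version": version, "suites": suites}
    if htype == SERVER_HELLO:
        return {"type": htype, "version": version, "suite": struct.unpack("!H", body[p:p + 2])[0]}
    raise ValueError("handshake type %d is not a hello" % htype)


def analyze(stream):
    """Summarise version/suite negotiation and whether an alert followed CCS."""
    info = {"client_version": None, "server_version": None, "offered": [],
            "chosen": None, "plain_alert": None, "alert_after_ccs": False}
    encrypted = False                       # simplification: one flag for both directions
    for ctype, _rver, payload in parse_records(stream):
        if ctype == HANDSHAKE and not encrypted and payload and payload[0] in (CLIENT_HELLO, SERVER_HELLO):
            h = parse_hello(payload)
            if h["type"] == CLIENT_HELLO:
                info["client_version"], info["offered"] = h["version"], h["suites"]
            else:
                info["server_version"], info["chosen"] = h["version"], h["suite"]
        elif ctype == CHANGE_CIPHER_SPEC:
            encrypted = True                # Finished and any later alert are opaque
        elif ctype == ALERT:
            if encrypted:
                info["alert_after_ccs"] = True
            elif len(payload) == 2:         # plaintext alert: level, description
                info["plain_alert"] = (payload[0], ALERT_DESC.get(payload[1], payload[1]))
    cv, sv = info["client_version"], info["server_version"]
    info["downgraded"] = cv is not None and sv is not None and sv < cv
    info["suite_was_offered"] = info["chosen"] in info["offered"]
    return info


# Constructed sample mirroring the post: ClientHello TLS 1.1, ServerHello TLS 1.0 + 0x002f,
# client ChangeCipherSpec + opaque Finished, then an opaque alert from the server.
SAMPLE = (client_hello(0x0302, [0x002f, 0x0035, 0x000a])
          + server_hello(0x0301, 0x002f)
          + record(CHANGE_CIPHER_SPEC, 0x0301, b"\x01")
          + record(HANDSHAKE, 0x0301, bytes.fromhex("9f3a" * 18))   # opaque encrypted Finished
          + record(ALERT, 0x0301, bytes.fromhex("4213379951")))     # opaque encrypted alert

if __name__ == "__main__":
    r = analyze(SAMPLE)
    print("client hello", VERSIONS.get(r["client_version"]), "-> server hello", VERSIONS.get(r["server_version"]))
    print("chosen suite", SUITES.get(r["chosen"], hex(r["chosen"])), "offered by client:", r["suite_was_offered"])
    print("alert after ChangeCipherSpec:", r["alert_after_ccs"])
```

On a real trace, feed `analyze()` the TCP payload that follows the StartTLS extended response (exported from a sniffer as raw bytes) to get the same summary; a downgraded version with a suite the client did offer, followed by an alert only after ChangeCipherSpec, means the failure is in the Finished/record-protection stage rather than in version or suite selection, which is exactly the symptom the post describes.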