
Re: Solaris 10 native Client with TLS to OpenLDAP



On Sun, Oct 12, 2008 at 02:56:38PM +0200, Dieter Kluenter wrote:
[...]
> 
> Did you sign the server certificates with this ca-cert? And how did you
> create the CA and the server certificates?
> I personally use the CA.pl tools from openssl, this is by no means the
> best way to do it, but the simplest. If you follow this path, you may
> have to edit openssl.cnf to meet your requirements. Then you just do
> ./CA.pl -newca, which creates a self-signed CA
> ./CA.pl -newreq, this creates a host or user certificate request
> ./CA.pl -sign, which signs the request
> openssl rsa -in newreq.pem -out foo-key.pem, this removes the password
> from the requested certificate and creates a key file.
> mv newcert.pem foo-cert.pem
> ./CA.pl -verify foo-cert.pem

The CA cert and ldap01 certs were created with openssl.
When verifying it with openssl, all seems to be OK:
# openssl s_client -connect ldap01.kleinfeld.ch:636 -CAfile /var/ldap/ca.pem -showcerts
...
---
	New, TLSv1/SSLv3, Cipher is AES256-SHA
	Server public key is 2048 bit
	SSL-Session:
	Protocol  : TLSv1
	Cipher    : AES256-SHA
	Session-ID: E276B6ABD9349FDFD7EA22CCB491D3E9FE423BA1D45B0C18D4019422EF1FF607
	Session-ID-ctx:
	Master-Key: 758F1B898907CDA46E70E37D306517C60E21864E4119846C05597DA19572B1FDF9A4E6D1299848A2E769CA002DA76D93
	Key-Arg   : None
	Start Time: 1223891247
	Timeout   : 300 (sec)
	Verify return code: 0 (ok)
---

Slapd - Debug Output:
	connection_get(11): got connid=9
	connection_read(11): checking for input on id=9
	TLS trace: SSL_accept:SSLv3 read client key exchange A
	TLS trace: SSL_accept:SSLv3 read finished A
	TLS trace: SSL_accept:SSLv3 write change cipher spec A
	TLS trace: SSL_accept:SSLv3 write finished A
	TLS trace: SSL_accept:SSLv3 flush data
	connection_read(11): unable to get TLS client DN, error=49 id=9

When connecting with ldapsearch (OpenLDAP), the connection is established and
continues after the TLS client error:

	connection_read(11): checking for input on id=0
	TLS trace: SSL_accept:before/accept initialization
	TLS trace: SSL_accept:SSLv3 read client hello A
	TLS trace: SSL_accept:SSLv3 write server hello A
	TLS trace: SSL_accept:SSLv3 write certificate A
	TLS trace: SSL_accept:SSLv3 write server done A
	TLS trace: SSL_accept:SSLv3 flush data
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	connection_get(11): got connid=0
	connection_read(11): checking for input on id=0
	TLS trace: SSL_accept:SSLv3 read client key exchange A
	TLS trace: SSL_accept:SSLv3 read finished A
	TLS trace: SSL_accept:SSLv3 write change cipher spec A
	TLS trace: SSL_accept:SSLv3 write finished A
	TLS trace: SSL_accept:SSLv3 flush data
	connection_read(11): unable to get TLS client DN, error=49 id=0
	connection_get(11): got connid=0
	connection_read(11): checking for input on id=0

(To remember: slapd.conf has TLSVerifyClient never)

When doing the same search with ldapsearch (SUNWlldap package), it seems that
TLS client verification is forced.
	connection_get(11): got connid=3
	connection_read(11): checking for input on id=3
	TLS trace: SSL_accept:before/accept initialization
	TLS trace: SSL_accept:SSLv3 read client hello A
	TLS trace: SSL_accept:SSLv3 write server hello A
	TLS trace: SSL_accept:SSLv3 write certificate A
	TLS trace: SSL_accept:SSLv3 write server done A
	TLS trace: SSL_accept:SSLv3 flush data
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	connection_get(11): got connid=3
	connection_read(11): checking for input on id=3
	TLS trace: SSL3 alert read:fatal:bad certificate
	TLS trace: SSL_accept:failed in SSLv3 read client certificate A
	TLS: can't accept.
	TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
	connection_read(11): TLS accept failure error=-1 id=3, closing
	connection_closing: readying conn=3 sd=11 for close
	connection_close: conn=3 sd=11

I will try it later today with a new CA, but I think the problem must be in
ldapclient (SUNWlldap) or inside certutil.

John
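Added example, not from this thread: a small Python triage of slapd -d traces like the ones above, assigning each connection a verdict so that the harmless "unable to get TLS client DN, error=49" (client sent no certificate, fine with TLSVerifyClient never) is told apart from a client that answers the server certificate with a fatal "bad certificate" alert. The sample trace is constructed to mirror the two ldapsearch runs quoted above; the marker strings are the slapd/OpenSSL messages as they appear in the mail.

```python
import re

NO_CLIENT_CERT = "established; client sent no certificate (error=49 is expected with TLSVerifyClient never)"
CLIENT_CERT = "established; client sent a certificate"
CLIENT_REJECTED_SERVER = "failed; client sent a fatal 'bad certificate' alert, i.e. it rejected the server certificate"
ACCEPT_FAILED = "failed; TLS accept failure without a client alert"
INCOMPLETE = "incomplete handshake"

# Constructed sample in the style of the slapd -d traces in the mail above:
# connid=0 mimics the OpenLDAP ldapsearch run, connid=3 the SUNWlldap one.
SAMPLE_TRACE = """\
connection_get(11): got connid=0
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(11): unable to get TLS client DN, error=49 id=0
connection_get(11): got connid=3
TLS trace: SSL3 alert read:fatal:bad certificate
connection_read(11): TLS accept failure error=-1 id=3, closing
connection_close: conn=3 sd=11
"""

ID_RE = re.compile(r"\b(?:connid|id|conn)=(\d+)")
# Real state changes only; "error in SSLv3 read client certificate A" is a non-blocking WANT_READ retry, not a failure.
EVENTS = {
    "write finished A": "finished",
    "unable to get TLS client DN, error=49": "no_cert",
    "alert read:fatal:bad certificate": "bad_cert_alert",
    "TLS accept failure": "accept_failed",
}

def verdict(ev):
    if "bad_cert_alert" in ev:  # the alert explains the accept failure that follows it
        return CLIENT_REJECTED_SERVER
    if "accept_failed" in ev:
        return ACCEPT_FAILED
    if "finished" in ev:
        return NO_CLIENT_CERT if "no_cert" in ev else CLIENT_CERT
    return INCOMPLETE

def triage(trace):
    """Verdict per connection id; TLS trace lines carry no id, so each is charged to the last id seen."""
    events, current = {}, None
    for line in trace.splitlines():
        m = ID_RE.search(line)
        if m:
            current = m.group(1)
            events.setdefault(current, set())
        if current is not None:
            events[current].update(n for mk, n in EVENTS.items() if mk in line)
    return {cid: verdict(ev) for cid, ev in events.items()}
```

Run it over a real `slapd -d -1` capture to see which connections ended with a client-side rejection of the server certificate, which is the case to chase on the Solaris client (its CA database) rather than in slapd.conf.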