[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Solaris 10 native Client with TLS to OpenLDAP

To: openldap-technical@openldap.org
Subject: Re: Solaris 10 native Client with TLS to OpenLDAP
From: Howard Chu <hyc@symas.com>
Date: Mon, 13 Oct 2008 04:07:53 -0700
In-reply-to: <20081013101655.GA8108@sandbox.kleinfeld.ch>
References: <20081007164812.GA536@sandbox.kleinfeld.ch> <87fxn88bye.fsf@rubin.l4b.de> <20081008060828.GA17861@sandbox.kleinfeld.ch> <1223483736.787.9.camel@rubin> <20081012073308.GA8111@sandbox.kleinfeld.ch> <87ljwuezuh.fsf@rubin.l4b.de> <20081013101655.GA8108@sandbox.kleinfeld.ch>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b1pre) Gecko/20081004 SeaMonkey/2.0a1pre

John Gee wrote:

On Sun, Oct 12, 2008 at 02:56:38PM +0200, Dieter Kluenter wrote:
[...]

Did you sign the server cerficates with this ca-cert? And how did you
create the CA and the server certificates?
I personally use the CA.pl tools from openssl, this is by no means the
best way to do, but the simplest. If you follow this path, you may
have to edit openssl.cnf to meet your requirements. Then you just do
./CA.pl -newca, which creates es self signed CA
./CA.pl -newreq, this creates a host or user certficate request
./CA.pl -sign, wwhich signs the request
openssl rsa -in newreq.pem -out foo-key.pem, this removes password
from the requested certificate and creates a key file.
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem


The CA-Cert and ldap01-Certs created with openssl.
When verifying it with openssl all seems to be ok:
# openssl s_client -connect ldap01.kleinfeld.ch:636 -CAfile /var/ldap/ca.pem -showcerts
...
---
	New, TLSv1/SSLv3, Cipher is AES256-SHA
	Server public key is 2048 bit
	SSL-Session:
	Protocol  : TLSv1
	Cipher    : AES256-SHA
	Session-ID: E276B6ABD9349FDFD7EA22CCB491D3E9FE423BA1D45B0C18D4019422EF1FF607
	Session-ID-ctx:
	Master-Key: 758F1B898907CDA46E70E37D306517C60E21864E4119846C05597DA19572B1FDF9A4E6D1299848A2E769CA002DA76D93
	Key-Arg   : None
	Start Time: 1223891247
	Timeout   : 300 (sec)
	Verify return code: 0 (ok)
---

Slapd - Debug Output:
	connection_get(11): got connid=9
	connection_read(11): checking for input on id=9
	TLS trace: SSL_accept:SSLv3 read client key exchange A
	TLS trace: SSL_accept:SSLv3 read finished A
	TLS trace: SSL_accept:SSLv3 write change cipher spec A
	TLS trace: SSL_accept:SSLv3 write finished A
	TLS trace: SSL_accept:SSLv3 flush data
	connection_read(11): unable to get TLS client DN, error=49 id=9

When connecting with ldapsearch (openldap) the conenction established and
continues after TLS client error:

	connection_read(11): checking for input on id=0
	TLS trace: SSL_accept:before/accept initialization
	TLS trace: SSL_accept:SSLv3 read client hello A
	TLS trace: SSL_accept:SSLv3 write server hello A
	TLS trace: SSL_accept:SSLv3 write certificate A
	TLS trace: SSL_accept:SSLv3 write server done A
	TLS trace: SSL_accept:SSLv3 flush data
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	connection_get(11): got connid=0
	connection_read(11): checking for input on id=0
	TLS trace: SSL_accept:SSLv3 read client key exchange A
	TLS trace: SSL_accept:SSLv3 read finished A
	TLS trace: SSL_accept:SSLv3 write change cipher spec A
	TLS trace: SSL_accept:SSLv3 write finished A
	TLS trace: SSL_accept:SSLv3 flush data
	connection_read(11): unable to get TLS client DN, error=49 id=0
	connection_get(11): got connid=0
	connection_read(11): checking for input on id=0

(To renember slapd.conf - TLSVerifyClient never)

When doing the same search with ldapsearch (SUNWlldap package), it seems to be
forced for tls client verification.
	connection_get(11): got connid=3
	connection_read(11): checking for input on id=3
	TLS trace: SSL_accept:before/accept initialization
	TLS trace: SSL_accept:SSLv3 read client hello A
	TLS trace: SSL_accept:SSLv3 write server hello A
	TLS trace: SSL_accept:SSLv3 write certificate A
	TLS trace: SSL_accept:SSLv3 write server done A
	TLS trace: SSL_accept:SSLv3 flush data
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	connection_get(11): got connid=3
	connection_read(11): checking for input on id=3
	TLS trace: SSL3 alert read:fatal:bad certificate
	TLS trace: SSL_accept:failed in SSLv3 read client certificate A
	TLS: can't accept.
	TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
	connection_read(11): TLS accept failure error=-1 id=3, closing
	connection_closing: readying conn=3 sd=11 for close
	connection_close: conn=3 sd=11

I will try it later today with a new-ca, but i think the problems must be at
ldapclient (SUNWlldap) or inside cerutil.

Use the debug flag on ldapsearch as well. It's obvious from the slapd logs that the problem is in the client, so you won't get any more help from the slapd debug output.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Solaris 10 native Client with TLS to OpenLDAP
  - From: John Gee <john@kleinfeld.ch>
- Re: Solaris 10 native Client with TLS to OpenLDAP
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: Solaris 10 native Client with TLS to OpenLDAP
  - From: John Gee <john@kleinfeld.ch>
- Re: Solaris 10 native Client with TLS to OpenLDAP
  - From: Dieter Klünter <dieter@dkluenter.de>
- Re: Solaris 10 native Client with TLS to OpenLDAP
  - From: John Gee <john@kleinfeld.ch>
- Re: Solaris 10 native Client with TLS to OpenLDAP
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: Solaris 10 native Client with TLS to OpenLDAP
  - From: John Gee <john@kleinfeld.ch>

Prev by Date: Re: Solaris 10 native Client with TLS to OpenLDAP
Next by Date: Re: Solaris 10 native Client with TLS to OpenLDAP
Index(es):
- Chronological
- Thread