
Re: TLS + SSL and openldap



Before anything else, I want to thank everybody for answering my questions. I have been trying to start the ldap service with TLS/SSL, but when I start slapd (slapd -d127 -h "ldaps:///") it shows the message below:

TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0

TLS: can't accept.
connection_read(12): TLS accept failure error=-1 id=4, closing
connection_closing: readying conn=4 sd=12 for close
connection_close: conn=4 sd=12
daemon: removing 12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
>>> slap_listener(ldaps:///)
daemon: listen=8, new connection on 12
daemon: added 12r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
 
I did a test of the SSL connection:

 openssl s_client -connect localhost:636 -state -CAfile /etc/openldap/chaves/cacert.pem -key /etc/openldap/chaves/serverkey.pem -cert  /etc/openldap/chaves/servercrt.pem


Result:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
verify return:1
depth=0 /C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
   i:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
 1 s:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
   i:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
issuer=/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
---
No client certificate CA names sent
---
SSL handshake has read 1651 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: BC50DC3AD20A932A59FF109F33C6703632CDBB32A4BFF29C3A716119083B8044
    Session-ID-ctx:
    Master-Key: DC38E06060E9473E21B043743718B690EFA4CA50AEE53CA6C7026741F2C026C5058366CF0DC7798DA395D47BCD7E747B
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1260541294
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

For me this is OK!!!

How should I resolve this problem?



2009/12/10 Michael Ströder <michael@stroeder.com>
Dieter Kluenter wrote:
> Bruno Steven <aspenbr@gmail.com> writes:
>> I am trying to configure openldap to work with tls, but I have two questions about this: first,
>> when I use tls openldap uses port 389 and ssl port 639, is this correct?
>> Second, how can I test the connection between client and server, that cryptography is working?
>
> There is no ssl port! SSL (Secure Socket Layer) is a proprietary,
> licence-based protocol, owned by Netscape? I don't know whether the
> IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP,
> and most other network-based applications, have implemented Transport
> Layer Security (TLS), RFC 2246. As an LPI certified professional you
> should be aware of this.

Sorry Dieter, don't mess up things. Your comment is at least strongly
misleading: E.g. OpenSSL (also libnss) certainly implements SSLv3 (and even
insecure SSLv2) and you can use that to connect to 3rd party LDAP servers with
the OpenLDAP client libs or connect to OpenLDAP servers.

> OpenLDAP uses port 639,

nb2:~ # grep ldaps /etc/services
ldaps           636/tcp    # ldap protocol over TLS/SSL (was sldap)
ldaps           636/udp    # ldap protocol over TLS/SSL (was sldap)

> You may test your TLS session with:
> openssl s_client -connect localhost:639 -CAfile <file>
                                       ^
636, if slapd was started with -h "ldaps://"

Ciao, Michael.




--
Bruno Steven - Systems administrator.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx


Before printing this message, think about your ecological responsibility and environmental commitment.
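The `openssl s_client` run above is the answer to the second question in the quoted thread (is the cryptography working?), and Michael's correction shows how easy it is to probe the wrong port. As an added example that is not part of the original post or of OpenLDAP, the following POSIX shell script wraps the same probe and classifies its output, so that a port with nothing listening (639 instead of 636), a listener that is not speaking TLS at all, a certificate chain that fails verification against the CA file, and a verified handshake are reported as four distinct outcomes. The function names, the host name and the abridged sample outputs at the bottom are constructed for this illustration; only the `-connect`/`-CAfile` flags and the `Verify return code` line come from the thread's own command and output.

```shell
#!/bin/sh
# Added example (not from the thread): classify the result of an
# "openssl s_client" probe against an ldaps:// listener.

# Classify s_client output read on stdin. Always returns 0 and prints one of:
#   connect-failed    no TCP connection (e.g. nothing listening on 639)
#   no-tls            TCP connected, but no TLS handshake completed
#   verify-failed:N   handshake done, chain verification returned code N
#   ok                handshake done and chain verified (code 0)
classify_s_client() {
    out=$(cat)
    case "$out" in
        *"CONNECTED("*) ;;                       # TCP connect succeeded
        *) echo connect-failed; return 0 ;;
    esac
    # s_client prints "Verify return code: N (text)" only after a handshake
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' \
        | head -n 1)
    if [ -z "$code" ]; then
        echo no-tls
    elif [ "$code" = 0 ]; then
        echo ok
    else
        echo "verify-failed:$code"
    fi
}

# Probe HOST:PORT (default 636) as an ldaps endpoint; exit 0 only when the
# server chain verifies against CAFILE. The client key/cert from the
# original command are not passed: the server only needs them if it
# requests client certificates, and they play no part in checking the
# server's own certificate.
ldaps_check() {
    host=$1; port=${2:-636}; cafile=$3
    result=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" \
        </dev/null 2>&1 | classify_s_client)
    echo "$host:$port -> $result"
    [ "$result" = ok ]
}

# Constructed, abridged samples of what s_client prints in each case,
# used to exercise classify_s_client without a live server.
SAMPLE_OK='CONNECTED(00000003)
depth=0 /C=BR/O=Example/CN=ldap.example.test
verify return:1
---
Server certificate
subject=/C=BR/O=Example/CN=ldap.example.test
---
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 0 (ok)
---'
SAMPLE_SELFSIGNED='CONNECTED(00000003)
depth=0 /CN=ldap.example.test
verify error:num=18:self signed certificate
---
    Verify return code: 18 (self signed certificate)'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
SAMPLE_PLAIN='CONNECTED(00000003)
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol'

# Usage: sh ldaps_check.sh HOST PORT CAFILE
if [ "$#" -ge 3 ]; then
    ldaps_check "$@"
fi
```

Typical invocation against the thread's own paths would be `sh ldaps_check.sh localhost 636 /etc/openldap/chaves/cacert.pem`; the same call with port 639 prints `connect-failed`, which is exactly the mistake Michael points at. Note that `ok` means the chain matched the CA file handed to `-CAfile` and nothing more: with a private CA such as the one in the output above, a client that trusts only the system store will still reject the same server, so the check should be run with the CA file the LDAP clients will actually be configured with.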