
TLS problem



Hello,

I'm trying to configure OpenLDAP with TLS so that all connections are encrypted.

Here's the relevant part of my slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSVerifyClient never
TLSCertificateFile /etc/ldap/ssl/server.crt
TLSCertificateKeyFile /etc/ldap/ssl/server.key

Here's my ldap.conf:

URI ldaps://my.server.ltd
BASE dc=my,dc=server,dc=ltd
LDAP_VERSION 3

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
ssl start_tls
ssl on
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3


While starting slapd with:
slapd -h 'ldaps:///' -g openldap -u openldap  -d 16383

and trying to connect to it with:
ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar" -S cn -h my.server.ltd -p 636 cn

I get these logs:
[slapd]

daemon: activity on 1 descriptor
>>> slap_listener(ldaps:///)daemon: listen=7, new connection on 11
ldap_pvt_gethostbyname_a: host=my, r=0
daemon: added 11r (active) listener=(nil)
conn=0 fd=11 ACCEPT from IP=xx.yy.zz.aa:38806 (IP=0.0.0.0:636)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  30 3e 02 01 01 63 39 04  00 0a 01                  0>...c9....       
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:562
connection_read(11): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=11 for close
connection_close: conn=0 sd=11
daemon: removing 11
conn=0 fd=11 closed (TLS negotiation failure)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

[ldapsearch]

ldap_create
ldap_url_parse_ext(ldap://my.server.ltd:636)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.ltd:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying xx.yy.zz.aa:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0xb92b6d68 ptr=0xb92b6d68 end=0xb92b6da8 len=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........  
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object  
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support  
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms  
ber_scanf fmt ({) ber:
ber_dump: buf=0xb92b6d68 ptr=0xb92b6d6d end=0xb92b6da8 len=59
  0000:  63 39 04 00 0a 01 00 0a  01 00 02 01 00 02 01 00   c9..............  
  0010:  01 01 00 87 0b 6f 62 6a  65 63 74 63 6c 61 73 73   .....objectclass  
  0020:  30 19 04 17 73 75 70 70  6f 72 74 65 64 53 41 53   0...supportedSAS  
  0030:  4c 4d 65 63 68 61 6e 69  73 6d 73                  LMechanisms       
ber_flush2: 64 bytes to sd 3
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........  
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object  
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support  
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms  
ldap_write: want=64, written=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........  
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object  
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support  
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms  
ldap_result ld 0xb92ae158 msgid 1
wait4msg ld 0xb92ae158 msgid 1 (infinite timeout)
wait4msg continue ld 0xb92ae158 msgid 1 all 1
** ld 0xb92ae158 Connections:
* host: my.server.ltd  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jul  7 12:11:03 2010


** ld 0xb92ae158 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xb92ae158 request count 1 (abandoned 0)
** ld 0xb92ae158 Response Queue:
   Empty
  ld 0xb92ae158 response count 0
ldap_chkResponseList ld 0xb92ae158 msgid 1 all 1
ldap_chkResponseList returns ld 0xb92ae158 NULL
ldap_int_select
read1msg: ld 0xb92ae158 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0

ber_get_next failed.
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

I really don't know what to do. My certificates are correct, I guess, as we're using them in Apache for HTTPS... For information, they are self-signed.

Any help would be great.

Thank you!

Best regards,

C.


-- 
Cédric Jeanneret                 |  System Administrator
021 619 10 32                    |  Camptocamp SA
cedric.jeanneret@camptocamp.com  |  PSE-A / EPFL

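An added example (written for this page, not code from the original post or from OpenLDAP) that decodes the 64-byte PDU ldapsearch logged above (the "ber_flush2: 64 bytes to sd 3" dump, re-typed here as CAPTURED). It classifies the first bytes the way a TLS listener does and, when they are BER rather than a ClientHello, walks the LDAPMessage to show what the client actually sent: a cleartext SearchRequest for the root DSE's supportedSASLMechanisms. That is what OpenSSL's "unknown protocol" in SSL23_GET_CLIENT_HELLO is complaining about on port 636. The TLS and SSLv2 hello samples in the block are constructed by hand and are assumptions, not captures from the post.

```python
"""Classify the first bytes seen on an LDAPS listener and decode cleartext LDAP.

Added example for this mailing-list post; not OpenLDAP code.  CAPTURED is the
64-byte PDU from the ldapsearch debug output in the post; slapd's tls_read shows
the first 11 of these bytes arriving on port 636.  The two hello samples are
constructed here for comparison.
"""

# Copied from the post's hex dump (ber_flush2 / ldap_write, 64 bytes).
CAPTURED = bytes.fromhex(
    "303e020101633904000a01000a010002"
    "0100020100010100870b6f626a656374"
    "636c61737330190417737570706f7274"
    "65645341534c4d656368616e69736d73"
)
# Constructed samples: a TLS record carrying a ClientHello, and an SSLv2 hello.
TLS_HELLO_SAMPLE = bytes.fromhex("160301002e0100002a0301")
SSLV2_HELLO_SAMPLE = bytes.fromhex("802e010301")


def classify_first_bytes(data: bytes) -> str:
    """Name the protocol a listener sees in the first bytes of a connection.

    OpenSSL's SSL23 accept path recognises a TLS record (0x16 0x03 ..) or an
    SSLv2-style hello (length byte with the high bit set, msg type 0x01).  A BER
    SEQUENCE (0x30) is an LDAPMessage sent in the clear, which is what the
    server log in the post shows; anything else is "unknown protocol".
    """
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "TLS ClientHello"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "SSLv2-compatible ClientHello"
    if data[:1] == b"\x30":
        return "cleartext LDAP (BER SEQUENCE), no TLS handshake"
    return "unknown"


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one BER element at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


PROTOCOL_OPS = {0x60: "BindRequest", 0x63: "SearchRequest", 0x77: "ExtendedRequest"}
SCOPES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}


def decode_search_request(op: bytes) -> dict:
    """Walk the fixed-order SearchRequest fields (RFC 4511 section 4.5.1).

    Only the 'present' filter form ([7] AttributeDescription, tag 0x87) is
    expanded; other filter shapes are reported by tag.  An empty baseObject
    means the root DSE.
    """
    pos = 0
    _, base, pos = read_tlv(op, pos)
    _, scope, pos = read_tlv(op, pos)
    _, _deref, pos = read_tlv(op, pos)
    _, size, pos = read_tlv(op, pos)
    _, _time, pos = read_tlv(op, pos)
    _, _types_only, pos = read_tlv(op, pos)
    ftag, fval, pos = read_tlv(op, pos)
    flt = f"({fval.decode()}=*)" if ftag == 0x87 else f"<filter tag {ftag:#x}>"
    _, attr_list, _ = read_tlv(op, pos)
    attrs, apos = [], 0
    while apos < len(attr_list):
        _, name, apos = read_tlv(attr_list, apos)
        attrs.append(name.decode())
    return {"baseObject": base.decode(), "scope": SCOPES.get(scope[0], "?"),
            "sizeLimit": int.from_bytes(size, "big"), "filter": flt, "attributes": attrs}


def decode_ldap_message(pdu: bytes) -> dict:
    """Decode the LDAPMessage envelope and, for a SearchRequest, its fields."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("not a single LDAPMessage")
    id_tag, msg_id, pos = read_tlv(body, 0)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(msg_id, "big"),
           "op": PROTOCOL_OPS.get(op_tag, f"tag {op_tag:#x}")}
    if op_tag == 0x63:
        msg.update(decode_search_request(op))
    return msg


def explain(data: bytes) -> str:
    """One-line verdict: protocol seen, plus the decoded request when it is LDAP."""
    kind = classify_first_bytes(data)
    if not kind.startswith("cleartext LDAP"):
        return kind
    m = decode_ldap_message(data)
    return (f"{kind}: msgid {m['messageID']} {m['op']} base='{m['baseObject']}' "
            f"scope={m['scope']} filter={m['filter']} attrs={m['attributes']}")


if __name__ == "__main__":
    print(explain(CAPTURED))
    print(explain(TLS_HELLO_SAMPLE))
    print(explain(SSLV2_HELLO_SAMPLE))
```

The client's own debug line, ldap_url_parse_ext(ldap://my.server.ltd:636), explains the bytes: -h/-p build an ldap:// URL, so libldap speaks plain LDAP to the LDAPS port, and -Z can only issue StartTLS on a session it has already opened in the clear. Opening the session with -H ldaps://my.server.ltd (or against port 389 with -ZZ, which makes StartTLS mandatory) puts a ClientHello in the first bytes instead. Two further points for a self-signed deployment: the client needs TLS_CACERT in ldap.conf pointing at the server certificate (TLS_REQCERT defaults to demand, so an untrusted issuer fails the handshake even once the URL is right), and the "ssl on" / "ssl start_tls" keywords are PADL nss_ldap options, not OpenLDAP ldap.conf keywords. Separately, -w puts the bind password into the process list; -W prompts for it instead.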