[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl SSL fail

To: Philip Guenther <guenther+ldaptech@sendmail.com>
Subject: Re: Syncrepl SSL fail
From: Hugo Deprez <hugo.deprez@gmail.com>
Date: Fri, 2 Dec 2011 14:50:45 +0100
Cc: Howard Chu <hyc@symas.com>, Josh Miller <joshua@itsecureadmin.com>, Quanah Gibson-Mount <quanah@zimbra.com>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=iodzj8BuwXTwtuoPiI/vnV13Y0zzEm0dquzC0MaJc5A=; b=rRG1pX0DMD3VcdeE0X+RsUdOL6Humv+ImgmAOhcrto+g12S33AxstW6w7UyyHPxh7g vZ29a3f0MM5p0wvdbnEL0iWbDqrfWz6BMx8IAgvK8cqBJQCdbab6ne6cG+p+h4O92NwU yuAWdi58o5u2BGs0wozBB/tuVFT8XP0pbQCEc=
In-reply-to: <alpine.BSO.2.00.1110172128030.8269@morgaine.smi.sendmail.com>
References: <CAAoQnKjisqdHa0Pa8u5fjsUeNvJwY_fi6uJvs_T5U30ao+TG2w@mail.gmail.com> <53616BF91B701EAFA5521B0F@192.168.1.23> <2F29DB7B-BFFD-4004-951B-09EA3BF8429E@itsecureadmin.com> <F6F3F9073A6EC8597D1F5992@quanah-mac.local> <4E9A8CEC.7020403@symas.com> <CAAoQnKhcez2EsV0LXiAOu07jDAd2TKmzmDanvz90qgo3QEuT1w@mail.gmail.com> <alpine.BSO.2.00.1110172128030.8269@morgaine.smi.sendmail.com>

Hello Philip,

thank you for your explanation.

This is more clear now.

So I changed my configuration like :

Syncrepl                   rid=003
                                provider=ldaps://my.server:1024/
                                type=refreshOnly
                                retry="60 10 600 +"
                                interval=00:00:00:10
                                searchbase="dc=my,dc=domain"
                                scope=sub
                                schemachecking=on
                                bindmethod=simple
                                tls_reqcert=demand
                                tls_cert=/etc/ssl/certs/ldap-cert.pem
                                tls_cacert=/etc/ssl/certs/ldap-cert.pem
                                tls_key=/etc/ldap/ssl/ldap-key.pem
                                binddn="cn=syncrepluser..."
                                credentials=********

I added the tls_key, tls_cacert, tls_reqcert parameter.
The tls option are using the certificate and the key of the LDAP Provider.

The last thing I don't understand is that the tls_key is needed. So I
need to deploy the private key of the provider to each consumer.

I though the certificate would be sufficient ?

Regards,





On 18 October 2011 06:28, Philip Guenther
<guenther+ldaptech@sendmail.com> wrote:
> On Sun, 16 Oct 2011, Hugo Deprez wrote:
>> It seems that the proper configuration for my case is :
>>
>> syncrepl       rid=003
>>                provider=ldaps://ldap.mydomain.fr:1024/
>>                type=refreshOnly
>>                retry="60 10 600 +"
>>                interval=00:00:00:10
>>                searchbase="dc=mydomain,dc=fr"
>>                scope=sub
>>                schemachecking=on
>>                bindmethod=simple
>>                tls_reqcert=never
>>                binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
>>                credentials=my_password
>>
>> It works, but I am confuse with those parameters. If I understand
>> well, I will never use TLS here, but only ssl ?
>> Hence, it was a TLS issue ?
>
> No, you're using TLS.  You're just not using the StartTLS operation.
>
> There are two ways to use SSL/TLS: "negotiate-on-connect" and "upgrade
> from clear".  The former is what you get when you use an ldaps:// URL,
> where the first data the client sends is the raw SSL/TLS ClientHello
> packet.  The latter is what you get when you use an ldap:// URL and have
> starttls=yes or starttls=critical, where the first data the client sends
> is LDAP protocol data in the clear, including a StartTLS request.  If the
> server sends a success response to that StartTLS request, then the client
> starts the SSL/TLS handshake with its ClientHello packet.
>
> This should answer why it failed when you tried to combine an ldaps:// URL
> with starttls=yes: the exchange was already using SSL/TLS and (rightly)
> libldap won't let you negotiate multiple levels of SSL/TLS encryption.
>
> (You may note that I write "SSL/TLS".  That's because they're just
> different versions of the same protocol.  Using 'SSL' as a shorthand for
> "negotiate on connect" and 'TLS' for "upgrade from clear" is poor naming,
> as the choice of method is orthogonal to the protocol version.  Your
> ldaps:// connection is probably negotiating the TLS 1.0 protocol (aka SSL
> version 3.1), just as an ldap:// connection using StartTLS may, on a
> poorly configured server, negotiate SSL 3.0)
>
>
> Next: the fact that you need tls_reqcert=never for TLS negotiation to
> succeed strongly suggests the problem is either
> a) the subject and subjectAltName of the cert don't match the hostname in
>   the URL, OR
> b) the client doesn't have the self-signed CA cert at the root of the
>   signing chain for the server's cert.
>
> Those are both necessary to protect the server against Man-in-the-Middle
> attacks.
>
> (It used to be that tls_reqcert=allow would disable check (b) and only
> perform check (a), or at least that was the case when using the OpenSSL
> crypto backend, but that behavior has apparently been removed from the
> version in git as of August.  Given the vagaries of the error reporting of
> the underlying crypto libraries, this was a useful tool in tracking down
> which check was causing TLS failures. Oh well.)
>
> So, does the server's certificate subject or subjectAltName match the
> hostname from the URL the client is using?  Have you verified that the CA
> at the root of the server's cert's chain really is configured for the
> client?
>
>
> Philip Guenther

Follow-Ups:
- Re: Syncrepl SSL fail
  - From: Raffael Sahli <public@raffaelsahli.com>

Prev by Date: Re: memberof overlay deployment
Next by Date: Re: Failure while importing an exported ldif file
Index(es):
- Chronological
- Thread