[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl SSL fail

To: Raffael Sahli <public@raffaelsahli.com>
Subject: Re: Syncrepl SSL fail
From: Hugo Deprez <hugo.deprez@gmail.com>
Date: Sat, 10 Dec 2011 12:36:18 +0100
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=vVGuG5O3Cf5UuWbmblI4b8Gd/pUXvEVjMTcXMUppf2E=; b=Gq6G6rVowEuRNl2LkJcpfKc6iM1lYDFqJ6PNrxosVgXv27HzhpuaeW5PwG4YozKhON GKghOmxxt/B4kuV67rOVCzqXnxv7Y1H8ZNHEnxzWAKNtp3m6nOTTLpiNNzatBPnCdfoF 47qsuX+XCoba10mRdmRlWtaLeiLNqGQNRmAe8=
In-reply-to: <CAAoQnKjtcYebdafcK0f9f3K93D6mwyioHn7eHFCuiWjXyZRdwQ@mail.gmail.com>
References: <CAAoQnKjisqdHa0Pa8u5fjsUeNvJwY_fi6uJvs_T5U30ao+TG2w@mail.gmail.com> <53616BF91B701EAFA5521B0F@192.168.1.23> <2F29DB7B-BFFD-4004-951B-09EA3BF8429E@itsecureadmin.com> <F6F3F9073A6EC8597D1F5992@quanah-mac.local> <4E9A8CEC.7020403@symas.com> <CAAoQnKhcez2EsV0LXiAOu07jDAd2TKmzmDanvz90qgo3QEuT1w@mail.gmail.com> <alpine.BSO.2.00.1110172128030.8269@morgaine.smi.sendmail.com> <CAAoQnKjnmsRicf0oowossxSvVPpUckjcGZvMcSQ=AhtUjMtVCg@mail.gmail.com> <4ED8DC93.2030103@raffaelsahli.com> <CAAoQnKjtcYebdafcK0f9f3K93D6mwyioHn7eHFCuiWjXyZRdwQ@mail.gmail.com>

Hello,

after reading :
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=734187

It seems that when the consumer provide ldaps service, I must specify
tls_key and tls_cert parameter with the provider files.

If not specified, syncrepl will use consumer certificat and they will
never match the provider cert. This is why I got the error :
 slapd[31043]: do_syncrepl: rid=003 rc -1 retrying (9 retries left)
the private key didn't match with the provider.

So in this setup, cert and private key from provider must be deployed
on each consumer.

Regards,

Hugo

On 6 December 2011 12:04, Hugo Deprez <hugo.deprez@gmail.com> wrote:
> Hello,
>
> if I don't sepcify the key path I get the following error when starting slpad :
>
>  slap_client_connect: URI=ldaps://ldap.domain.fr:1024/ TLS context
> initialization failed (-1)
>  slapd[31043]: do_syncrepl: rid=003 rc -1 retrying (9 retries left)
>
> So I need the tls_key=/etc/ldap/ssl/ldap-key.pem pointing to the key
> of the provider.
>
> Any idea why I should specify the private key of the provider ?
>
> Regards,
>
> On 2 December 2011 15:11, Raffael Sahli <public@raffaelsahli.com> wrote:
>> On 12/02/2011 02:50 PM, Hugo Deprez wrote:
>>>
>>> Hello Philip,
>>>
>>> thank you for your explanation.
>>>
>>> This is more clear now.
>>>
>>> So I changed my configuration like :
>>>
>>> Syncrepl                   rid=003
>>>                                 provider=ldaps://my.server:1024/
>>>                                 type=refreshOnly
>>>                                 retry="60 10 600 +"
>>>                                 interval=00:00:00:10
>>>                                 searchbase="dc=my,dc=domain"
>>>                                 scope=sub
>>>                                 schemachecking=on
>>>                                 bindmethod=simple
>>>                                 tls_reqcert=demand
>>>                                 tls_cert=/etc/ssl/certs/ldap-cert.pem
>>>                                 tls_cacert=/etc/ssl/certs/ldap-cert.pem
>>>                                 tls_key=/etc/ldap/ssl/ldap-key.pem
>>>                                 binddn="cn=syncrepluser..."
>>>                                 credentials=********
>>>
>>> I added the tls_key, tls_cacert, tls_reqcert parameter.
>>> The tls option are using the certificate and the key of the LDAP Provider.
>>>
>>> The last thing I don't understand is that the tls_key is needed. So I
>>> need to deploy the private key of the provider to each consumer.
>>>
>>> I though the certificate would be sufficient ?
>>
>>
>> No you don't have to deploy the private key!
>> In syncrepl, just define the tls_cacert, and it works.
>>
>>
>>
>>>
>>> Regards,
>>>
>>>
>>>
>>>
>>>
>>> On 18 October 2011 06:28, Philip Guenther
>>> <guenther+ldaptech@sendmail.com>  wrote:
>>>>
>>>> On Sun, 16 Oct 2011, Hugo Deprez wrote:
>>>>>
>>>>> It seems that the proper configuration for my case is :
>>>>>
>>>>> syncrepl       rid=003
>>>>>                provider=ldaps://ldap.mydomain.fr:1024/
>>>>>                type=refreshOnly
>>>>>                retry="60 10 600 +"
>>>>>                interval=00:00:00:10
>>>>>                searchbase="dc=mydomain,dc=fr"
>>>>>                scope=sub
>>>>>                schemachecking=on
>>>>>                bindmethod=simple
>>>>>                tls_reqcert=never
>>>>>                binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
>>>>>                credentials=my_password
>>>>>
>>>>> It works, but I am confuse with those parameters. If I understand
>>>>> well, I will never use TLS here, but only ssl ?
>>>>> Hence, it was a TLS issue ?
>>>>
>>>> No, you're using TLS.  You're just not using the StartTLS operation.
>>>>
>>>> There are two ways to use SSL/TLS: "negotiate-on-connect" and "upgrade
>>>> from clear".  The former is what you get when you use an ldaps:// URL,
>>>> where the first data the client sends is the raw SSL/TLS ClientHello
>>>> packet.  The latter is what you get when you use an ldap:// URL and have
>>>> starttls=yes or starttls=critical, where the first data the client sends
>>>> is LDAP protocol data in the clear, including a StartTLS request.  If the
>>>> server sends a success response to that StartTLS request, then the client
>>>> starts the SSL/TLS handshake with its ClientHello packet.
>>>>
>>>> This should answer why it failed when you tried to combine an ldaps://
>>>> URL
>>>> with starttls=yes: the exchange was already using SSL/TLS and (rightly)
>>>> libldap won't let you negotiate multiple levels of SSL/TLS encryption.
>>>>
>>>> (You may note that I write "SSL/TLS".  That's because they're just
>>>> different versions of the same protocol.  Using 'SSL' as a shorthand for
>>>> "negotiate on connect" and 'TLS' for "upgrade from clear" is poor naming,
>>>> as the choice of method is orthogonal to the protocol version.  Your
>>>> ldaps:// connection is probably negotiating the TLS 1.0 protocol (aka SSL
>>>> version 3.1), just as an ldap:// connection using StartTLS may, on a
>>>> poorly configured server, negotiate SSL 3.0)
>>>>
>>>>
>>>> Next: the fact that you need tls_reqcert=never for TLS negotiation to
>>>> succeed strongly suggests the problem is either
>>>> a) the subject and subjectAltName of the cert don't match the hostname in
>>>>   the URL, OR
>>>> b) the client doesn't have the self-signed CA cert at the root of the
>>>>   signing chain for the server's cert.
>>>>
>>>> Those are both necessary to protect the server against Man-in-the-Middle
>>>> attacks.
>>>>
>>>> (It used to be that tls_reqcert=allow would disable check (b) and only
>>>> perform check (a), or at least that was the case when using the OpenSSL
>>>> crypto backend, but that behavior has apparently been removed from the
>>>> version in git as of August.  Given the vagaries of the error reporting
>>>> of
>>>> the underlying crypto libraries, this was a useful tool in tracking down
>>>> which check was causing TLS failures. Oh well.)
>>>>
>>>> So, does the server's certificate subject or subjectAltName match the
>>>> hostname from the URL the client is using?  Have you verified that the CA
>>>> at the root of the server's cert's chain really is configured for the
>>>> client?
>>>>
>>>>
>>>> Philip Guenther
>>
>>
>>
>> --
>> Raffael Sahli
>> public@raffaelsahli.com
>> Switzerland
>>

References:
- Re: Syncrepl SSL fail
  - From: Hugo Deprez <hugo.deprez@gmail.com>
- Re: Syncrepl SSL fail
  - From: Raffael Sahli <public@raffaelsahli.com>
- Re: Syncrepl SSL fail
  - From: Hugo Deprez <hugo.deprez@gmail.com>

Prev by Date: Re: Starting out with NSS overlay - Guidance required
Next by Date: OpenLDAP reader-only users , and removing anonymous user reading ?
Index(es):
- Chronological
- Thread