Re: RE: OpenLDAP 2.3.4 TLS negotiation failure

Inline...

> -----Original Message-----

> From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-

> technical-bounces@OpenLDAP.org] On Behalf Of Tian Zhiying

> Sent: Wednesday, October 23, 2013 2:59 AM

> To: DieterKlÃnter; openldap-technical

> Subject: Re: Re: OpenLDAP 2.3.4 TLS negotiation failure

> Hi Dieterï

> Thanks for your quick reply.

> I have changed 'TLS_REQCERT try' and check the commonName of the host

> certificate, the common name is LDAP Server hostname "auth.server.com",

> the following is the query results:

> [root@auth cacerts]# openssl s_client -connect localhost:636 -showcerts -

> state -CAfile /etc/openldap/cacerts/cacert.pem

> CONNECTED(00000003)

> SSL_connect:before/connect initialization

> SSL_connect:SSLv2/v3 write client hello A

> SSL_connect:SSLv3 read server hello A

> depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddres

> s=tianzy@server.com

> verify error:num=18:self signed certificate

> verify return:1

Here is your problem. The host does not trust the SSL cert.

The 'CAfile' you've pointed the openssl command (and the real clients guessing by the path) isn't the CA chain for that SSL cert.

We also use an internal CA that our hosts don't trust globally. Same command and output for me:

[root@ldapmaster1.[snip] ~]# echo | openssl s_client -connect ldapmaster1.[snip]:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem

CONNECTED(00000003)

SSL_connect:before/connect initialization

SSL_connect:SSLv2/v3 write client hello A

SSL_connect:SSLv3 read server hello A

depth=2 C = US, O = [snip], OU = PKI, CN = [snip] Internal Root CA

verify return:1

depth=1 C = US, O = [snip], OU = PKI, CN = [snip] Internal Issuing CA 01

verify return:1

depth=0 C = US, ST = WA, L = Seattle, O = [snip], CN = ldap-vip. [snip], emailAddress = [snip]

verify return:1

SSL_connect:SSLv3 read server certificate A

SSL_connect:SSLv3 read server done A

SSL_connect:SSLv3 write client key exchange A

SSL_connect:SSLv3 write change cipher spec A

SSL_connect:SSLv3 write finished A

SSL_connect:SSLv3 flush data

SSL_connect:SSLv3 read finished A

The command then continues to dump the cert, and the chain certs, as expected.

You must put the entire CA chain from the Root CA to the signing/subordinate CA that signed this SSL cert (if applicable) in x509/PEM format in your 'CAfile' - assuming the Root CA isn't trusted server wide already.

Then try again. Also, make sure to use the name specified in your SSL cert when connecting/testing - mess with your local hosts file if needed.

- chris

> depth=0 /C=CN/ST=BJ/L=BJ/O=TS/OU=IT/CN=auth.server.com/emailAddres

> s=tianzy@server.com

> verify return:1

> SSL_connect:SSLv3 read server certificate A

> SSL_connect:SSLv3 read server certificate request A

> SSL_connect:SSLv3 read server done A

> SSL_connect:SSLv3 write client certificate A

> SSL_connect:SSLv3 write client key exchange A

> SSL_connect:SSLv3 write change cipher spec A

> SSL_connect:SSLv3 write finished A

> SSL_connect:SSLv3 flush data

> SSL_connect:SSLv3 read finished A

> Now, the /etc/openldap/ldap.conf file:

> URI ldap://ldap.server.com/

> BASE dc=server,dc=com

> TLS_CACERT /etc/openldap/cacerts/cacert.pem

> #SSL ON

> TLS_REQCERT try

> But, run "#ldapsearch -x -H ldap://ldap.server.com -ZZ" , I also get the

> following error:

> [root@client cacerts]# ldapsearch -x -H ldap://ldap.server.com -ZZ

> ldap_start_tls: Connect error (-11)

> ________________________________________

> Tian Zhiying

> From: DieterKlÃnter

> Date: 2013-10-23 17:35

> To: openldap-technical

> CC: tianzy1225

> Subject: Re: OpenLDAP 2.3.4 TLS negotiation failure

> Am Wed, 23 Oct 2013 16:47:25 +0800

> schrieb "Tian Zhiying" <tianzy1225@thundersoft.com>:

> > Hi

> >

> > On the LDAP Server , I run following command is ok:

> > #ldapsearch -x -H ldap://ldap.server.com -ZZ

> > #ldapsearch -x -H ldap://ldap.server.com

> >

> > But on my client , I run "#ldapsearch -x -H ldap://ldap.server.com",

> > is ok; Run "#ldapsearch -x -H ldap://ldap.server.com -ZZ" , I get the

> > following error: [root@client cacerts]# ldapsearch -x -H

> > ldap://ldap.server.com -ZZ ldap_start_tls: Connect error (-11)

> >

> > On LDAP Server log file, I get the following error messages:

> > Oct 23 16:41:25 auth slapd[4213]: conn=206 fd=24 ACCEPT from

> > IP=192.168.9.9:45648 (IP=0.0.0.0:389) Oct 23 16:41:25 auth

> > slapd[4213]: conn=206 op=0 STARTTLS Oct 23 16:41:25 auth slapd[4213]:

> > conn=206 op=0 RESULT oid= err=0 text= Oct 23 16:41:25 auth

> > slapd[4213]: conn=206 fd=24 closed (TLS negotiation failure)

> >

> > My client ldap configuration:

> > /etc/openldap/ldap.conf file:

> > URI ldap://ldap.server.com/

> > BASE dc=server,dc=com

> > TLS_CACERT /etc/openldap/cacerts/ca.crt

> > SSL ON

> > TLS_REQCERT demand

> Set 'TLS_REQCERT try' and check the commonName of the host

> certificate.

> SSL ON is not an openldap configuration parameter.

> The /etc/ldap.conf file is not a openldap client configuration file,

> but of nss_ldap.

> > /etc/ldap.conf file:

> > BASE dc=server,dc=com

> > URI ldap://ldap.server.com

> > SSL ON

> > TLS_CACERT /etc/openldap/cacert/ca.crt

> > TLS_REQCERT demand

> >

> > Any suggestion what cause TLS negotiation failure?

> -Dieter

> --

> Dieter KlÃnter | Systemberatung

> http://dkluenter.de

> GPG Key ID:DA147B05

> 53Â37'09,95"N

> 10Â08'02,42"E

This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.