[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Out of ideas when troubleshooting TLS negotiation failure

To: openldap-technical@openldap.org
Subject: Re: Out of ideas when troubleshooting TLS negotiation failure
From: Graham Allan <allan@physics.umn.edu>
Date: Fri, 8 Jan 2016 15:38:54 -0600
In-reply-to: <568D836B.6090509@physics.umn.edu>
Organization: Physics, University of Minnesota
References: <568D836B.6090509@physics.umn.edu>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

Replying to my own message here, but I continue to investigate myproblem and can't explain what I see. I put together a small testprogram to connect to our ldap server using same parameters as smbd.Setting "ldap debug level = 1" in smb.conf, and the equivalentLDAP_DEBUG_TRACE in my test program shows the smbd output complaining ofcertificate signature failure.


smbd output:

[LDAP] ldap_simple_bind_s
[LDAP] ldap_sasl_bind_s
[LDAP] ldap_sasl_bind
[LDAP] ldap_send_initial_request
[LDAP] ldap_new_connection 1 1 0
[LDAP] ldap_int_open_connection
[LDAP] ldap_connect_to_host: TCP ldap.spa.umn.edu:636
[LDAP] ldap_new_socket: 9
[LDAP] ldap_prepare_socket: 9
[LDAP] ldap_connect_to_host: Trying 128.101.220.24:636
[LDAP] ldap_pvt_connect: fd: 9 tm: -1 async: 0
[LDAP] attempting to connect:
[LDAP] connect success
[LDAP] TLS trace: SSL_connect:before/connect initialization
[LDAP] TLS trace: SSL_connect:SSLv2/v3 write client hello A
[LDAP] TLS trace: SSL_connect:SSLv3 read server hello A
[LDAP] TLS certificate verification: depth: 3, err: 0, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root,[LDAP]  issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
[LDAP] TLS certificate verification: depth: 2, err: 0, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority,[LDAP]  issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
[LDAP] TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA,[LDAP]  issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
[LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,[LDAP]  issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
[LDAP] TLS certificate verification: Error, certificate signature failure
[LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,[LDAP]  issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
[LDAP] TLS trace: SSL_connect:SSLv3 read server certificate A
[LDAP] TLS trace: SSL_connect:SSLv3 read server done A
[LDAP] TLS trace: SSL_connect:SSLv3 write client key exchange A
[LDAP] TLS trace: SSL_connect:error in error
[LDAP] TLS trace: SSL_connect:error in error
[LDAP] TLS: can't connect: .


But my test program on same machine gives:

ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.spa.umn.edu:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 128.101.220.24:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 3, err: 0, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
TLS certificate verification: depth: 2, err: 0, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA, issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
TLS certificate verification: depth: 0, err: 0, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu, issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request


Same certificate chain, but one case verifies and the other doesn't...

I also stepped through smbd with gdb and verified that the parameters toldap_simple_bind_s are the same as my test case.


Wonder if anyone can venture a guess how this might occur?

G.

Follow-Ups:
- Re: Out of ideas when troubleshooting TLS negotiation failure
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: Out of ideas when troubleshooting TLS negotiation failure
  - From: Philip Guenther <pguenther@proofpoint.com>

References:
- Out of ideas when troubleshooting TLS negotiation failure
  - From: Graham Allan <allan@physics.umn.edu>

Prev by Date: Re: Merging databases with translucent
Next by Date: Re: Merging databases with translucent
Index(es):
- Chronological
- Thread