
Re: Out of ideas when troubleshooting TLS negotiation failure



On 01/08/2016 04:03 PM, Philip Guenther wrote:
> On Fri, 8 Jan 2016, Graham Allan wrote:
>> Replying to my own message here, but I continue to investigate my problem and
>> can't explain what I see. I put together a small test program to connect to
>> our ldap server using the same parameters as smbd. Setting "ldap debug level = 1"
>> in smb.conf, and the equivalent LDAP_DEBUG_TRACE in my test program shows the
>> smbd output complaining of certificate signature failure.
>>
>> smbd output:
>> ...
>> [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,
>> [LDAP]  issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
>> [LDAP] TLS certificate verification: Error, certificate signature failure
>
> Some certs verify, another doesn't: so what's different about that cert?
> Different signature hash algorithm, sha256 perhaps?

The cert is sha256 as it happens, but both smbd and the test case are connecting to the same ldap server, so receive the same certificate. I'm calling the same ldap library functions with the same parameters, which is what makes this so odd.

The smbd code does potentially call a few other ldap_set_option settings, eg referral behaviour, timeouts, attempt to upgrade to LDAPv3, but I don't see much really happening there in gdb - FWIW I tested skipping over these calls with no difference in result.

> Are smbd and your test program linked against the same libldap version and
> openssl version?

They are, yes (I just posted ldd output in response to Quanah's reply).

Thanks for the ideas,

Graham
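
An added example, not part of this thread and not code from Samba or OpenLDAP. The "err: 7" in the smbd log above is OpenSSL's X509_V_ERR_CERT_SIGNATURE_FAILURE: the verifier located an issuer for the certificate (by issuer name, plus the Authority Key Identifier when the certificate carries one) but the signature over the certificate did not verify with that issuer's public key. The script below reproduces that exact condition offline, on throwaway certificates it generates itself, so a known-bad case can be compared with what smbd reports; it assumes only the openssl command-line tool and POSIX dd/tail/od/sed, and every name in it is made up.

```shell
#!/bin/sh
# Added example, not code from the thread, Samba or OpenLDAP. Reproduces
# OpenSSL verify error 7 (X509_V_ERR_CERT_SIGNATURE_FAILURE, logged by libldap
# as "err: 7" / "certificate signature failure") on throwaway certificates,
# fully offline. Needs only the openssl CLI and POSIX dd/tail/od/sed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA, and a leaf it signs with sha256WithRSAEncryption
# (the hash mentioned in the thread). All names here are invented.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/O=Example/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ldap.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null

# Copy of the leaf with its final DER byte changed. That byte is the tail of
# the signatureValue BIT STRING, so the TBS part (issuer name, key id,
# validity) is untouched: the verifier still selects the right issuer and only
# the RSA signature check fails, which is exactly what err 7 reports.
openssl x509 -in "$WORK/leaf.pem" -outform DER -out "$WORK/leaf.der"
size=$(wc -c < "$WORK/leaf.der" | tr -d ' ')
last=$(tail -c 1 "$WORK/leaf.der" | od -An -tu1 | tr -d ' \n')
new=$(( last == 255 ? 1 : last + 1 ))   # any value different from the original
dd if="$WORK/leaf.der" of="$WORK/tampered.der" bs=1 count="$((size - 1))" 2>/dev/null
printf "\\$(printf '%03o' "$new")" >> "$WORK/tampered.der"
openssl x509 -in "$WORK/tampered.der" -inform DER -out "$WORK/tampered.pem"

# verify_result <ca.pem> <cert.pem>
# Runs 'openssl verify' and prints "<code>:<reason>": <code> is the numeric
# X509_V_ERR_* value (0 on success) that libldap prints as "err:", <reason> is
# the text X509_verify_cert_error_string() gives for it. Output is parsed
# rather than the exit status because old openssl builds exit 0 on failure.
verify_result() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    line=$(printf '%s\n' "$out" | grep '^error [0-9][0-9]* at [0-9][0-9]* depth lookup' | head -n 1)
    if [ -n "$line" ]; then
        printf '%s:%s\n' \
            "$(printf '%s\n' "$line" | sed 's/^error \([0-9]*\) at.*/\1/')" \
            "$(printf '%s\n' "$line" | sed 's/^.*depth lookup: *//')"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo '0:ok'
    else
        printf 'unexpected openssl verify output:\n%s\n' "$out" >&2
        return 1
    fi
}

echo "untouched leaf: $(verify_result "$WORK/ca.pem" "$WORK/leaf.pem")"
echo "tampered leaf:  $(verify_result "$WORK/ca.pem" "$WORK/tampered.pem")"
```

Run it with sh; the first line reports 0:ok, the second 7:certificate signature failure. A second way to hit err 7 is a trust store holding a different certificate with the same subject name as the real issuer (a stale copy of an intermediate, say): when the leaf carries no Authority Key Identifier to disambiguate, the verifier picks that certificate by name and the signature check fails against the wrong key, whereas with an AKID present the mismatch is reported as "unable to get local issuer certificate" (err 20) instead. Against a live server, recent openssl releases accept `openssl s_client -connect host:389 -starttls ldap -CAfile <bundle>`, and the "Verify return code" line at the end of its output uses the same numbers and strings as above.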