[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Out of ideas when troubleshooting TLS negotiation failure

On 01/08/2016 04:03 PM, Philip Guenther wrote:
On Fri, 8 Jan 2016, Graham Allan wrote:
Replying to my own message here, but I continue to investigate my problem and
can't explain what I see. I put together a small test program to connect to
our ldap server using same parameters as smbd. Setting "ldap debug level = 1"
in smb.conf, and the equivalent LDAP_DEBUG_TRACE in my test program shows the
smbd output complaining of certificate signature failure.

smbd output:
[LDAP] TLS certificate verification: depth: 0, err: 7, subject:
/C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street
SE/O=University of Minnesota/OU=School of Physics and
Astronomy/CN=ldap.spa.umn.edu,[LDAP]  issuer: /C=US/ST=MI/L=Ann
Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
[LDAP] TLS certificate verification: Error, certificate signature failure

Some certs verify, another doesn't: so what's different about that cert?
Different signature hash algorithm, sha256 perhaps?

The cert is sha256 as it happens, but both smbd and the test case are connecting to the same ldap server, so receive the same certificate. I'm calling the same ldap library functions with the same parameters, which is what makes this so odd.

The smbd code does potentially call a few other ldap_set_option settings, eg referral behaviour, timeouts, attempt to upgrade to LDAPv3, but I don't see much really happening there in gdb - FWIW I tested skipping over these calls with no difference in result.

Are smbd and your test program linked against the same libldap version and
openssl version?

They are, yes (I just posted ldd output in response to Quanah's reply).

Thanks for the ideas,