
Re: (ITS#5353) openssl vs gnutls: gnutls doesn't fit



Read ITS#5341.  It has the fix.

--Quanah

--On February 6, 2008 5:44:26 PM +0000 korsani@caramail.com wrote:

> Full_Name: GG
> Version: 2.4.7
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (194.2.41.131)
>
>
> I was investigating a problem: I couldn't ldapsearch my LDAP directory
> over TLS:
> ldapsearch -Z -H ldap://127.0.0.1 -x uid=gab returns:
>
> ldap_start_tls: Connect error (-11)
> ldap_result: Can't contact LDAP server (-1)
>
> It is an openldap 2.4.7 on Debian (Etch). It is built against gnutls. And
> as it was working with openldap 2.3.30, and it works with openldap 2.4.7
> built on Crux (self-made package, built against openssl), I tried to
> compile it on my gentoo ('cause it has the .h of everything, and much
> more CPU :) ), from sources.
>
> When built with --with-tls=openssl, the ldapsearch above is ok.
> When built with --with-tls=gnutls, it fails:
>
> I modified slapd.conf accordingly to match the tlsciphersuite syntax for
> gnutls or openssl.
>
> Debugs
> slapd:
> [ ... ]
> TLS: gnutls_certificate_verify_peers2 failed -49
> connection_read(12): TLS accept failure error=-1 id=1, closing
> connection_closing: readying conn=1 sd=12 for close
> daemon: activity on 1 descriptor
> daemon: activity on:
> daemon: epoll: listen=7 active_threads=0 tvp=NULL
> connection_close: conn=1 sd=12
> daemon: removing 12
> tls_write: want=181, written=181
> tls_read: want=5 error=Ressource temporairement non disponible
> conn=1 fd=12 closed (TLS negotiation failure)
>
> ldapsearch:
> [ ... ]
> ldap_chkResponseList ld 0x8057dd8 msgid 2 all 1
> ldap_chkResponseList returns ld 0x8057dd8 NULL
> ldap_int_select
> read1msg: ld 0x8057dd8 msgid 2 all 1
> ber_get_next
> tls_read: want=5, got=5
>   0000:  15 03 01 00 b0                                     .....
> tls_read: want=176, got=176
> TLS trace: SSL3 alert read:warning:close notify
> ldap_read: want=8, got=0
>
> ber_get_next failed.
> ldap_perror
> ldap_result: Can't contact LDAP server (-1)
>
> Versions:
> gnutls: 2.0.4
> openssl: 0.9.8g
>
>



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
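Added example (not part of the ITS thread or of OpenLDAP): a small decoder for the TLS record headers that appear in the slapd/ldapsearch debug output above, such as `15 03 01 00 b0`. It shows why that record is an alert, sent under TLS 1.0 with a 176-byte body, and why a body that long must be an encrypted alert (a plaintext alert is exactly two bytes), meaning the handshake had already passed ChangeCipherSpec before slapd tore the connection down. The function names and the second, plaintext sample record are constructed for this example.

```python
import struct
from typing import Dict, List

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the RFC 5246 AlertDescription registry, enough for this example.
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 49: "access_denied"}


def decode_record(raw: bytes) -> Dict:
    """Decode one TLS record: the 5-byte header plus whatever body follows."""
    if len(raw) < 5:
        raise ValueError("need at least the 5-byte record header")
    ctype, major, minor, length = struct.unpack("!BBBH", raw[:5])
    body = raw[5:5 + length]
    rec = {
        "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
        "length": length,
        "complete": len(body) == length,  # False if only the header was captured
    }
    if rec["type"] == "alert":
        if length == 2 and rec["complete"]:
            # A plaintext alert is exactly two bytes: level, description.
            rec["alert"] = (ALERT_LEVELS.get(body[0], str(body[0])),
                            ALERT_DESCRIPTIONS.get(body[1], str(body[1])))
        else:
            # Longer alerts carry MAC/padding: sent after ChangeCipherSpec,
            # unreadable without the session keys.
            rec["alert"] = "encrypted"
    return rec


def decode_stream(raw: bytes) -> List[Dict]:
    """Walk a byte string holding consecutive TLS records."""
    out, pos = [], 0
    while pos + 5 <= len(raw):
        rec = decode_record(raw[pos:])
        out.append(rec)
        pos += 5 + rec["length"]
    return out


# Record header quoted in the debug output above (body not captured there).
SLAPD_ALERT_HEADER = bytes.fromhex("15 03 01 00 b0")
# Constructed sample: a plaintext fatal handshake_failure alert.
PLAINTEXT_FATAL_ALERT = bytes.fromhex("15 03 01 00 02 02 28")
```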