[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Problems with SSL

To: "Anthony Brock" <abrock@georgefox.edu>, "OpenLDAP Devel" <openldap-devel@OpenLDAP.org>
Subject: RE: Problems with SSL
From: "Howard Chu" <hyc@highlandsun.com>
Date: Tue, 23 Apr 2002 18:01:01 -0700
Importance: Normal
In-reply-to: <5.1.0.14.2.20020423131800.02cdfa70@localhost>

No idea. When I set "TLSVerifyClient never" I see absolutely nothing related
to client certificates in the trace. What version of the SSL library are you
using?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: Anthony Brock [mailto:abrock@georgefox.edu]
> Sent: Tuesday, April 23, 2002 1:22 PM
> To: OpenLDAP Devel
> Cc: Howard Chu
> Subject: RE: Problems with SSL
>
>
> Okay,
>
> I now have an entry in slapd.conf of:
>
> TLSVerifyClient never
>
> However, I am still seeing with (-d -1) a local error. Advise?
>
> Tony
>
> Output from debug:
>
> TLS trace: SSL_accept:SSLv3 flush data
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: select: listen=8 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 9r
> daemon: read activity on 9
> connection_get(9)
> connection_get(9): got connid=0
> connection_read(9): checking for input on id=0
> ber_get_next
> tls_read: want=5, got=5
>    0000:  15 03 01 00 18                                     .....
> tls_read: want=24, got=24
>    0000:  b0 b7 cc c2 a4 3e c1 d1  1c b9 e1 2d 9b b8 ce 16
> .....>.....-....
>    0010:  d8 43 ce 4b 15 2a cf da                            XC.K.*.Z
> TLS trace: SSL3 alert read:warning:bad certificate
> tls_read: want=5, got=0
>
> ldap_read: want=9, got=0
>
> ber_get_next on fd 9 failed errno=0 (Error 0)
> connection_read(9): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=9 for close
> connection_close: conn=0 sd=9
> daemon: removing 9
> conn=0 fd=9 closed
> tls_write: want=29, written=29
>    0000:  15 03 01 00 18 0c 25 db  88 74 7e cd 66 9b 6a cb
> ......%..t~.f.j.
>    0010:  19 0f 1d e5 61 59 9c 3b  3c ad 55 f5 8c            ...eaY.;<-U..
> TLS trace: SSL3 alert write:warning:close notify
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: select: listen=8 active_threads=0 tvp=NULL
> #
>
>
> At 07:48 PM 03/20/2002 -0800, you wrote:
> >Are you using TLSVerifyClient in your slapd.conf? The syntax of this
> >keyword
> >has changed. (Although the old behavior is supposed to still be
> supported,
> >perhaps there's a problem there.)
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> > >> -----Original Message-----
> > >> From: owner-openldap-devel@OpenLDAP.org
> > >> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Anthony Brock
> > >> Sent: Wednesday, March 20, 2002 5:50 PM
> > >> To: Open LDAP Devel
> > >> Subject: Problems with SSL
> > >>
> > >>
> > >> I am having two other problems now. First, I am not able to connect
> > >using
> > >> SSL (certificate issued by Thawte). This works perfectly if I
> > >> downgrade to
> > >> the 2.0.23 version of OpenLDAP. I am seeing the following in
> the debug
> > >> (level 1) log:
> > >>
> > >>
> > >> ********************
> > >> TLS trace: SSL_accept:before/accept initialization
> > >> TLS trace: SSL_accept:SSLv3 read client hello A
> > >> TLS trace: SSL_accept:SSLv3 write server hello A
> > >> TLS trace: SSL_accept:SSLv3 write certificate A
> > >> TLS trace: SSL_accept:SSLv3 write server done A
> > >> TLS trace: SSL_accept:SSLv3 flush data
> > >> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > >> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > >> connection_get(12): got connid=0
> > >> connection_read(12): checking for input on id=0
> > >> TLS trace: SSL_accept:SSLv3 read client key exchange A
> > >> TLS trace: SSL_accept:SSLv3 read finished A
> > >> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > >> TLS trace: SSL_accept:SSLv3 write finished A
> > >> TLS trace: SSL_accept:SSLv3 flush data
> > >> connection_get(12): got connid=0
> > >> connection_read(12): checking for input on id=0
> > >> ber_get_next
> > >> TLS trace: SSL3 alert read:warning:bad certificate
> > >> ber_get_next on fd 12 failed errno=11 (Resource temporarily
> unavailable)
> > >> ********************
> > >>
> > >>
> > >> Any ideas? I would appreciate some pointers on these. Thanks!
> > >>
> > >> Tony
> > >>
> > >> ******************************************************************
> > >> ************
> > >> * Anthony Brock
> > >> abrock@georgefox.edu *
> > >> * Director of Network Services                         George Fox
> > >> University *
> > >> ******************************************************************
> > >> ************
>
> ******************************************************************
> ************
> * Anthony Brock
> abrock@georgefox.edu *
> * Director of Network Services                         George Fox
> University *
> ******************************************************************
> ************

References:
- RE: Problems with SSL
  - From: Anthony Brock <abrock@georgefox.edu>

Prev by Date: RE: Problems with SSL
Next by Date: Re: current C API draft.
Index(es):
- Chronological
- Thread