Cannot get ldaps to work on 2.0.19 or 2.0.11
I've been trying in vain to get my OpenLDAP installation (both 2.0.11
and 2.0.19) to work over SSL. I can get ldap:/// to work with all
clients I tried, but ldaps:/// was a different story with every client.
I've searched the web and made sure that the hostname in my server
certificate resolves correctly, but it didn't help either. One thing I
haven't done is configure any of the clients with any certificates.
My conf file contains the following TLS directives.
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
#the following are not documented in the latest man page
TLSCACertificateFile /usr/share/ssl/certs/slapd.pem
TLSVerifyClient 0
And finally, here's my debug trace.
slapd starting
daemon: added 6r
daemon: added 7r
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 10
ldap_pvt_gethostbyname_a: host=cherish.aalayance.com, r=0
daemon: conn=0 fd=10 connection from IP=127.0.0.1:34267 (IP=0.0.0.0:31746) accepted.
daemon: added 10r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
0000: 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 ..............f.
0010: 00 05 00 00 04 03 00 80 01 00 80 08 00 80 00 00 ................
0020: 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 e..d..c..b..a..`
0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 ...........@....
0040: 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 ................
0050: 80 06 5d 44 a0 bb d0 70 c0 ab 86 14 b5 20 6b ab ..]D...p..... k.
0060: 57 03 57 e2 20 56 28 dd b8 9f 41 fc 3b 54 4f ec W.W. V(...A.;TO.
0070: 18 .
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=875, written=875
0000: 16 03 01 00 4a 02 00 00 46 03 01 3c 38 1d dd cd ....J...F..<8...
0010: e3 c0 c4 95 45 87 d1 4a 02 fe ea 22 26 0f 28 e2 ....E..J..."&.(.
0020: 49 28 9a ea 72 1a bd a4 15 1e ea 20 46 6d 43 61 I(..r...... FmCa
0030: 10 89 b1 bb 5c 6e b9 d7 fe fb 3d 4d 79 a3 de 0b ....\n....=My...
0040: ca 0a ec 12 7e 61 bc 16 cc 30 98 4f 00 0a 00 16 ....~a...0.O....
0050: 03 01 03 0e 0b 00 03 0a 00 03 07 00 03 04 30 82 ..............0.
0060: 03 00 30 82 02 69 a0 03 02 01 02 02 01 00 30 0d ..0..i........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 64 31 ..*.H........0d1
0080: 0b 30 09 06 03 55 04 06 13 02 55 53 31 12 30 10 .0...U....US1.0.
0090: 06 03 55 04 0a 13 09 41 61 6c 61 79 61 6e 63 65 ..U....Aalayance
00a0: 31 1e 30 1c 06 03 55 04 03 13 15 63 68 65 72 69 1.0...U....cheri
00b0: 73 68 2e 61 61 6c 61 79 61 6e 63 65 2e 63 6f 6d sh.aalayance.com
00c0: 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16 1!0...*.H.......
00d0: 12 63 68 61 70 40 61 61 6c 61 79 61 6e 63 65 2e .chap@aalayance.
00e0: 63 6f 6d 30 1e 17 0d 30 32 30 31 30 32 32 33 33 com0...020102233
00f0: 39 35 35 5a 17 0d 30 33 30 31 30 32 32 33 33 39 955Z..0301022339
0100: 35 35 5a 30 64 31 0b 30 09 06 03 55 04 06 13 02 55Z0d1.0...U....
0110: 55 53 31 12 30 10 06 03 55 04 0a 13 09 41 61 6c US1.0...U....Aal
0120: 61 79 61 6e 63 65 31 1e 30 1c 06 03 55 04 03 13 ayance1.0...U...
0130: 15 63 68 65 72 69 73 68 2e 61 61 6c 61 79 61 6e .cherish.aalayan
0140: 63 65 2e 63 6f 6d 31 21 30 1f 06 09 2a 86 48 86 ce.com1!0...*.H.
0150: f7 0d 01 09 01 16 12 63 68 61 70 40 61 61 6c 61 .......chap@aala
0160: 79 61 6e 63 65 2e 63 6f 6d 30 81 9f 30 0d 06 09 yance.com0..0...
0170: 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 *.H............0
0180: 81 89 02 81 81 00 c3 60 b0 24 94 87 0a 4e bd 87 .......`.$...N..
0190: 0d c6 44 16 d0 97 2a e0 32 72 68 c7 35 2e f8 4b ..D...*.2rh.5..K
01a0: 1b fd 1f 90 59 ea 92 bd a7 f9 f7 40 9b a5 1c a9 ....Y......@....
01b0: 6c b9 b0 fc 3e 13 c4 ba 7e 10 62 01 b8 6c d7 9b l...>...~.b..l..
01c0: c3 c0 48 a9 f1 24 54 6a 4b 76 73 4e 20 38 81 b0 ..H..$TjKvsN 8..
01d0: 07 39 f6 d4 6f 09 4d 28 40 7f db f4 cf f2 14 05 .9..o.M(@.......
01e0: 29 1b 63 4d 98 5d ca a5 d3 30 5c 86 ad a8 f0 ).cM.]...0\....5
01f0: 54 ee a9 59 53 d2 42 72 fe 67 04 05 46 cf e8 54 T..YS.Br.g..F..T
0200: e2 04 bc aa 3f d5 02 03 01 00 01 a3 81 c1 30 81 ....?.........0.
0210: be 30 1d 06 03 55 1d 0e 04 16 04 14 38 b3 c8 cb .0...U......8...
0220: ad 7d c5 1c 70 81 2b 59 71 15 a4 e8 09 0c a1 8a .}..p.+Yq.......
0230: 30 81 8e 06 03 55 1d 23 04 81 86 30 81 83 80 14 0....U.#...0....
0240: 38 b3 c8 cb ad 7d c5 1c 70 81 2b 59 71 15 a4 e8 8....}..p.+Yq...
0250: 09 0c a1 8a a1 68 a4 66 30 64 31 0b 30 09 06 03 .....h.f0d1.0...
0260: 55 04 06 13 02 55 53 31 12 30 10 06 03 55 04 0a U....US1.0...U..
0270: 13 09 41 61 6c 61 79 61 6e 63 65 31 1e 30 1c 06 ..Aalayance1.0..
0280: 03 55 04 03 13 15 63 68 65 72 69 73 68 2e 61 61 .U....cherish.aa
0290: 6c 61 79 61 6e 63 65 2e 63 6f 6d 31 21 30 1f 06 layance.com1!0..
02a0: 09 2a 86 48 86 f7 0d 01 09 01 16 12 63 68 61 70 .*.H........chap
02b0: 40 61 61 6c 61 79 61 6e 63 65 2e 63 6f 6d 82 01 @aalayance.com..
02c0: 00 30 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30 .0...U....0....0
02d0: 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 ...*.H..........
02e0: 81 00 b7 ca 5d f5 19 73 23 8a be 37 70 27 72 d2 ....]..s#..7p'r.
02f0: fc 27 a3 a0 3f 53 ec bd c4 e3 73 5b c4 be 90 a6 .'..?S....s[....
0300: 2c 9b 04 89 c5 44 77 f4 b8 80 95 8f eb b0 ca dc ,....Dw.........
0310: b1 79 c3 28 67 69 0a 37 fb 0f 08 b3 b1 06 88 4d .y.(gi.7.......M
0320: 44 a8 59 a6 5e 31 79 2b 80 2b 2a 9c 66 ba 1f a9 D.Y.^1y+.+*.f...
0330: d0 87 06 23 41 3e 34 60 61 7a 0e d1 9b c9 ba ef ...#A>4`az......
0340: 0e 4e f5 c8 52 96 82 80 04 6a 5a cf af 9b 16 78 .N..R....jZ....x
0350: 48 4d 59 a0 64 cb 51 5c cd c4 d7 b5 33 6d 71 ee HMY.d.Q\....3mq.
0360: de ef 16 03 01 00 04 0e 00 00 00 ...........
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 01 00 86 .....
tls_read: want=134, got=134
0000: 10 00 00 82 00 80 9d 7f 0f 7c 68 77 f5 dc 25 11 .........|hw..%.
0010: 67 85 b9 c9 af e1 86 f3 0d e8 01 de 62 81 c1 0f g...........b...
0020: bf c3 c6 46 d9 d2 6a 57 fa 44 6a 39 e9 e7 5a 82 ...F..jW.Dj9..Z.
0030: bb 6e 26 bf 38 4e ba 1c 6c 93 69 45 b4 df ed 97 .n&.8N..l.iE....
0040: b8 b7 5d 99 cf 33 d7 ab 7b a5 ca f9 59 49 a7 95 ..]..3..{...YI..
0050: e3 26 72 40 1b 1a b0 4b 83 72 cd 97 b7 9a b2 6c .&r@...K.r.....l
0060: b7 3c 12 94 af 80 e0 38 7d 03 95 98 57 98 04 46 .<.....8}...W..F
0070: 93 b7 93 9c 9b 57 f0 b8 62 45 6f a6 0e bd b4 63 .....W..bEo....c
0080: b3 a4 6c ba 52 81 ..l.R.
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 28 ....(
tls_read: want=40, got=40
0000: 47 d9 a3 21 e4 15 4e 2f 0e 27 d9 d3 21 1a 8d c0 G..!..N/.'..!...
0010: 44 26 0b 84 8f 28 84 aa 3b 5a 33 4f 12 b7 73 e8 D&...(..;Z3O..s.
0020: 1f 7c 20 d7 8e 04 cb 3f .| ....?
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=51, written=51
0000: 14 03 01 00 01 01 16 03 01 00 28 c3 b2 49 93 b8 ..........(..I..
0010: 91 05 2c e4 74 ec 7b 28 bd 93 7c dd d4 1d 88 24 ..,.t.{(..|....$
0020: c3 5d 4c 6b 90 ba 3f 5b 3a 52 37 0b 60 ca 05 ff .]Lk..?[:R7.`...
0030: 3d f6 98 =..
TLS trace: SSL_accept:SSLv3 flush data
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
tls_read: want=5, got=0
ldap_read: want=1, got=0
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
daemon: removing 10
conn=-1 fd=10 closed
Thanks in advance
prasad
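Reading the trace above, as an added worked example (this is editor-written code, not part of the original post and not OpenLDAP's own code): slapd's side of the handshake finishes ("read client key exchange A", "read finished A", "write finished A"), and only then does ber_get_next hit EOF ("tls_read: want=5, got=0") without a single LDAP PDU having arrived. The two "error in SSLv3 read client certificate A" lines sit right after an EAGAIN ("Resource temporarily unavailable") and are OpenSSL logging the state it was waiting in on a non-blocking socket; they are not the failure. A client whose OpenSSL chain verification rejects the server certificate would hang up before the key exchange; a hang-up after Finished points at a check the client application makes once the session is up (libldap comparing the certificate's CN with the host named in the ldaps:// URL is one such check; the connection here arrives from 127.0.0.1 while the certificate's CN is cherish.aalayance.com, and the post does not say which host the client URL named, so this is an inference, not a confirmed diagnosis). The script below classifies those three patterns from a slapd -d trace. The trace excerpts are constructed from the lines in the post with the hex dumps dropped, and the "TLS accept error" closing line in the aborted case is illustrative wording, not copied from slapd.

```python
import re

# Constructed excerpts modelled on the slapd -d trace quoted in the post; the hex
# dumps are dropped and only the lines the analyzer keys on are kept.
SERVER_FLIGHT = """\
daemon: conn=0 fd=10 connection from IP=127.0.0.1:34267 (IP=0.0.0.0:31746) accepted.
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
"""
CLIENT_FLIGHT = """\
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
"""
EOF_LINES = """\
ber_get_next
tls_read: want=5, got=0
ldap_read: want=1, got=0
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
"""
# What the post shows: the handshake completes, then EOF with no LDAP request.
POSTED_PATTERN = SERVER_FLIGHT + CLIENT_FLIGHT + EOF_LINES
# Client hangs up right after the server's Certificate, never sending a key
# exchange (constructed; the wording of the closing line is illustrative).
ABORTED_AT_CERT = SERVER_FLIGHT + """\
tls_read: want=5, got=0
connection_read(10): TLS accept error error=-1 id=0, closing
"""
# Healthy session: slapd prints 'ber_get_next: tag 0x30 len N contents:' for each
# LDAP PDU it decodes, here followed by a bind.
WORKING = SERVER_FLIGHT + CLIENT_FLIGHT + """\
ber_get_next
tls_read: want=5, got=5
ber_get_next: tag 0x30 len 12 contents:
do_bind
"""

CONN_RE = re.compile(r"connection from IP=([\d.]+:\d+)")
TLS_RE = re.compile(r"^TLS trace: SSL_accept:(.+)$")
READ_RE = re.compile(r"^tls_read: want=\d+(?:, got=(\d+)| error=(.+))$")
PDU_RE = re.compile(r"^ber_get_next: tag 0x30 len \d+")


def analyze_slapd_tls_trace(text):
    """Walk one connection's slapd -d trace and say where the TLS session died."""
    r = {
        "peer": None,
        "server_sent_certificate": False,
        "client_key_exchange": False,
        "client_finished": False,
        "server_finished": False,
        "want_read_retries": 0,
        "ldap_pdus": 0,
        "eof_after_handshake": False,
        "verdict": "",
    }
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            r["peer"] = m.group(1)
            continue
        m = TLS_RE.match(line)
        if m:
            state = m.group(1)
            if state.startswith("error in "):
                # On a non-blocking socket OpenSSL logs the state it was in when it
                # had to wait for the client's next flight (the preceding
                # 'error=Resource temporarily unavailable' is EAGAIN). Not a
                # failure by itself; only an incomplete handshake is.
                r["want_read_retries"] += 1
            elif state.endswith("write certificate A"):
                r["server_sent_certificate"] = True
            elif state.endswith("read client key exchange A"):
                r["client_key_exchange"] = True
            elif state.endswith("read finished A"):
                r["client_finished"] = True
            elif state.endswith("write finished A"):
                r["server_finished"] = True
            continue
        if PDU_RE.match(line):
            r["ldap_pdus"] += 1
            continue
        m = READ_RE.match(line)
        # got=0 is EOF from the peer; it only matters where in the flow it lands.
        if m and m.group(1) == "0" and r["server_finished"]:
            r["eof_after_handshake"] = True

    if not r["server_finished"]:
        missing = [k for k in ("server_sent_certificate", "client_key_exchange",
                               "client_finished") if not r[k]]
        r["verdict"] = "handshake incomplete; never reached: " + ", ".join(missing)
    elif r["eof_after_handshake"] and r["ldap_pdus"] == 0:
        r["verdict"] = ("client closed after a completed handshake without sending "
                        "any LDAP PDU: slapd rejected nothing, so look at the client's "
                        "own checks (certificate name vs. the host in the ldaps:// URL, "
                        "and its TLS_CACERT/TLS_REQCERT settings in ldap.conf)")
    else:
        r["verdict"] = f"TLS session carried {r['ldap_pdus']} LDAP PDU(s)"
    return r


if __name__ == "__main__":
    for name, trace in (("posted", POSTED_PATTERN), ("aborted", ABORTED_AT_CERT),
                        ("working", WORKING)):
        print(f"{name}: {analyze_slapd_tls_trace(trace)['verdict']}")
```

To apply it to a real capture, feed the whole `slapd -d 1` output for one connection to `analyze_slapd_tls_trace`; the hex dump lines are ignored. The useful distinction is where the EOF lands: before the key exchange means the client's TLS library refused the server's Certificate, after the server's Finished means the client application decided to drop an otherwise good session.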