
Re: LDAP TLS/SSL Security problem




/usr/local/bin/ldapsearch -d 1 -x -b "dc=********,dc=com" -H
'ldaps://ldaptest.*********.com' -ZZ

worden:/etc# x -b "dc=*********,dc=com" -H 'ldaps://ldaptest.
**********.com' -*
ldap_create
ldap_url_parse_ext(ldaps://ldaptest.***********.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaptest.*********.com:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ##.##.##.##:636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*********.com, issuer:
/C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.************.com
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Can't contact LDAP server (81)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



slapd log
connection_get(11): got connid=14
connection_read(11): checking for input on id=14
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=14
connection_read(11): checking for input on id=14
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1052
connection_read(11): TLS accept error error=-1 id=14, closing
connection_closing: readying conn=14 sd=11 for close
connection_close: conn=14 sd=11


Stephen Worden
BNE NMS Engineer
Focal Communications
Tel: 847-954-8306
Fax: 847-954-7710
Email: sworden@focal.com


                                                                                                                                            
                      Kirk Turner-Rustin                                                                                                    
                      <ktrustin@owu.edu>                To:      sworden@focal.com                                                          
                      Sent by:                          cc:      Openldap list <openldap-software@OpenLDAP.org>,                            
                      owner-openldap-software@O         owner-openldap-software@OpenLDAP.org                                                
                      penLDAP.org                       Subject: Re: LDAP TLS/SSL Security problem                                          
                                                                                                                                            
                                                                                                                                            
                      06/30/2004 09:57 AM                                                                                                   
                                                                                                                                            
                                                                                                                                            




On Wed, 30 Jun 2004 sworden@focal.com wrote:

> Slapd debug error messages when a client tries to login:
>
> connection_get(10): got connid=6
> connection_read(10): checking for input on id=6
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:585

Is the client in question trying to StartTLS on an already encrypted
channel (port 636, ldaps:///)?

Can you replicate the problem using ldapsearch? If so, would you
post your ldapsearch command line?

--
Kirk Turner-Rustin
Programmer/Analyst
Libraries and Information Services
Ohio Wesleyan University
http://www.owu.edu
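Added example (not part of the thread and not OpenLDAP project code): a small POSIX shell helper that maps the TLS trace lines posted above to their root cause, and flags the ldaps:// plus -ZZ pairing that Kirk asks about. The "unable to get local issuer certificate" line (OpenSSL verify error 20) means the client has no trusted CA for the server certificate; since the posted cert is self-signed (subject equals issuer), that CA is the server cert itself. The earlier "SSL23_GET_CLIENT_HELLO:unknown protocol" line means slapd's TLS-only port received something that was not a TLS record, which is what a plain ldap:// bind or an LDAP StartTLS request sent to port 636 looks like. Host names and sample trace lines below are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not code from the list thread. Classifies OpenLDAP/OpenSSL
# TLS trace lines and checks ldapsearch URI/option pairings.

# Return a short code for one line from "ldapsearch -d 1" or slapd's debug log.
tls_diagnose() {
    case "$1" in
        *"unable to get local issuer certificate"*|*"err: 20,"*)
            # OpenSSL verify error 20: no trusted CA for the issuer. For a
            # self-signed server cert, point TLS_CACERT at that cert.
            echo missing-ca ;;
        *"unknown CA"*|*"unknown ca"*)
            # The side that wrote the alert rejected the chain it received;
            # the side that read it is the one being rejected.
            echo unknown-ca-alert ;;
        *"SSL23_GET_CLIENT_HELLO:unknown protocol"*)
            # Non-TLS bytes on the ldaps port: plain ldap:// or StartTLS to 636.
            echo not-tls-on-tls-port ;;
        *)
            echo unclassified ;;
    esac
}

# StartTLS (-Z/-ZZ) is an LDAP extended operation for a plaintext ldap://
# session. On ldaps:// the socket is already TLS-wrapped, so combining the
# two is a configuration error. Returns 0 when the pairing is sane.
ldap_uri_opts_ok() {
    uri=$1
    shift
    case "$uri" in
        ldaps://*)
            for opt in "$@"; do
                case "$opt" in
                    -Z|-ZZ) return 1 ;;
                esac
            done ;;
    esac
    return 0
}

# Demonstration on constructed lines shaped like the ones in the thread.
for line in \
    'TLS certificate verification: Error, unable to get local issuer certificate' \
    'TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca' \
    'TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol'
do
    printf '%s <= %s\n' "$(tls_diagnose "$line")" "$line"
done

# Constructed host name; the thread's real host is masked.
if ldap_uri_opts_ok 'ldaps://ldaptest.example.com' -x -ZZ; then
    echo "URI/options OK"
else
    echo "ldaps:// with -ZZ: drop -ZZ, or use ldap:// on 389 with -ZZ"
fi
```

Two ways to resolve the posted failure, both using documented OpenLDAP and OpenSSL options: either `LDAPTLS_CACERT=/path/to/server-or-ca.pem ldapsearch -x -H ldaps://host -b "dc=example,dc=com"` with no -ZZ, or `ldapsearch -x -H ldap://host -ZZ -b "dc=example,dc=com"` so StartTLS runs on the plaintext port. `openssl s_client -connect host:636 -CAfile /path/to/server-or-ca.pem` confirms the chain independently of libldap before touching ldap.conf.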