Re: SSL client cert authc problems with OpenLDAP client and OpenDJ server

[Dan White <dwhite@olp.net>]

On 05/18/12 18:56 +0200, Michael Ströder wrote:
> HI!
>
> (cross-posted since OpenLDAP and OpenDJ are involved)
>
> I have some SSL client cert authc problems with a OpenLDAP 2.4.23 LDAP client
> (dynamically linked to OpenSSL 0.9.8e on RHEL 5.6) and OpenDJ 2.4.5 running
> under control of Java 1.6.0_31. I cross-checked all the cert and trust stuff
> several times. It seems to be correct. Unfortunately we're stuck with 2.4.23
> in this setup because of OpenLDAP's ITS#6997.
>
> (I manually obfuscated parameters and log lines herein.)
>
> At first glance OpenLDAP's ldapwhoami seems to work correctly with the first
> OpenDJ replica:
>
> $ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H
> ldaps://master1.example.com -Y EXTERNAL
> SASL/EXTERNAL authentication started
> SASL username: cn=ldapclient,o=example,c=DE
> SASL SSF: 0
> dn:cn=ldapclient,ou=Users,cn=example

add a '-d -1' to your ldap client commands for debug output.

If your request for EXTERNAL authentication succeeded, then everything
appears to be successful from the perspective of your client. Perhaps the
error (on the server here) is a disagreement with how the connection should
be torn down.

Does it make a difference which SSL library you compile your client
utilities against?

> But in OpenDJ's access-log file there's written:
>
> [18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358
> to=x.x.x.x:63677 protocol=LDAPS
> [18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL
> mechanism=EXTERNAL dn=""
> [18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0
> authDN="cn=ldapclient,o=example,c=DE" etime=0
> [18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am
> I?" oid="1.3.6.1.4.1.4203.1.11.3"
> [18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0
> additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
> [18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error"
> msg="The client sent a request to the Directory Server that could not be
> properly decoded as an LDAP message:  javax.net.ssl.SSLException: Inbound
> closed before receiving peer's close_notify: possible truncation attack?"
>
> The attempt to do the same on another OpenDJ replica fails completely (no
> differences in TLS configuration - checked cn=config for potential differences
> with diff):
>
> $ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H
> ldaps://consumer1.example.com -Y EXTERNAL
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> In OpenDJ's access-log file there's written:
>
> [18/May/2012:16:52:38 +0200] CONNECT conn=6 from=x.x.x.x:61841
> to=x.x.x.x:63677 protocol=LDAPS
> [18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error"
> msg="The client sent a request to the Directory Server that could not be
> properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException:
> General SSLEngine problem"
> [18/May/2012:16:53:06 +0200] CONNECT conn=7 from=x.x.x.x:61842
> to=x.x.x.x:63677 protocol=LDAPS
> [18/May/2012:16:53:07 +0200] DISCONNECT conn=7 reason="Protocol Error"
> msg="The client sent a request to the Directory Server that could not be
> properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException:
> General SSLEngine problem"

--
Dan White