
Re: Out of ideas when troubleshooting TLS negotiation failure



On 01/08/2016 03:45 PM, Quanah Gibson-Mount wrote:

Error in error is pretty interesting.  What SSL libs is samba linked
to? What SSL libs is your test program linked to?

It did make me wonder! The failure right after "write client key exchange A" does seem to correlate with my wireshark capture (client sends a "decrypt error" (TLS alert code 51) to the ldap server after receiving the certificate).

The actual error from ldap_simple_bind_s is:
error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib

This is a FreeBSD 10.2 system, which uses openssl 1.0.1p. Both smbd and my test should be linked to the same ldap and ssl libraries - here's ldd output:

ldaptest:
        libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x800820000)
        libc.so.7 => /lib/libc.so.7 (0x800a66000)
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x800e12000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x801020000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x80128c000)

and

/usr/local/sbin/smbd:
        libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x80103f000)
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x801285000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x801493000)
        libpam.so.5 => /usr/lib/libpam.so.5 (0x8016b3000)
        libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x8018bf000)
        libmd.so.6 => /lib/libmd.so.6 (0x801ac2000)
        librt.so.1 => /usr/lib/librt.so.1 (0x801cd2000)
        libthr.so.3 => /lib/libthr.so.3 (0x801ed8000)
        libpopt.so.0 => /usr/local/lib/libpopt.so.0 (0x8020fc000)
        libtalloc.so.2 => /usr/local/lib/libtalloc.so.2 (0x802308000)
        libtevent.so.0 => /usr/local/lib/libtevent.so.0 (0x802515000)
        libtdb.so.1 => /usr/local/lib/libtdb.so.1 (0x802723000)
        libz.so.6 => /lib/libz.so.6 (0x802938000)
        libc.so.7 => /lib/libc.so.7 (0x802b4e000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x802efa000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x803166000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x80355a000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x80376f000)
        libintl.so.8 => /usr/local/lib/libintl.so.8 (0x80397d000)

Thanks for any ideas!

Graham
--
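
Added example, not part of the original message: the 8-digit hex code in the `ldap_simple_bind_s` error line above can be unpacked with the bit layout of the `ERR_GET_LIB` / `ERR_GET_FUNC` / `ERR_GET_REASON` macros in OpenSSL 1.0.x, the series this system runs. The function name `decode_openssl_error` and the reduced library table are this example's own; the layout is assumed to be the 1.0.x one and differs in later OpenSSL releases.

```python
import re

# Library numbers from OpenSSL 1.0.x <openssl/err.h> (subset, enough for TLS work).
ERR_LIBS = {2: "SYS", 3: "BN", 4: "RSA", 5: "DH", 6: "EVP", 7: "BUF", 8: "OBJ",
            9: "PEM", 10: "DSA", 11: "X509", 13: "ASN1", 16: "EC", 20: "SSL"}
ERR_R_FATAL = 64  # generic reasons >= 64 are fatal codes such as malloc failure

# error:<8 hex digits>:<library text>:<function text>:<reason text>
LINE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)")

def decode_openssl_error(line):
    """Unpack the 32-bit code of an OpenSSL 1.0.x error line into its fields."""
    m = LINE_RE.search(line.strip())
    if not m:
        raise ValueError("not an OpenSSL error line: %r" % line)
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF     # ERR_GET_LIB: top 8 bits
    func = (code >> 12) & 0xFFF   # ERR_GET_FUNC: middle 12 bits
    reason = code & 0xFFF         # ERR_GET_REASON: low 12 bits
    # A reason below ERR_R_FATAL that equals a library number is one of the
    # ERR_R_<LIB>_LIB codes: the named function is relaying a failure that
    # came from that other library, not reporting a condition of its own.
    relayed_from = ERR_LIBS.get(reason) if reason < ERR_R_FATAL else None
    return {
        "lib": ERR_LIBS.get(lib, "lib#%d" % lib),
        "func": func,
        "reason": reason,
        "relayed_from": relayed_from,
        "lib_text": m.group(2),
        "func_text": m.group(3),
        "reason_text": m.group(4),
    }

if __name__ == "__main__":
    # The error line exactly as quoted in the message above.
    line = "error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib"
    for key, value in sorted(decode_openssl_error(line).items()):
        print("%-12s %s" % (key, value))
```

Here the reason field is the EVP library number, so `ASN1_item_verify` (the routine that checks the signature on an ASN.1 structure) is passing up a failure from the EVP layer. The EVP error queued beneath it is the next thing to look at.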