Re: Out of ideas when troubleshooting TLS negotiation failure



On Fri, 8 Jan 2016, Graham Allan wrote:
> Replying to my own message here, but I continue to investigate my problem and
> can't explain what I see. I put together a small test program to connect to
> our ldap server using same parameters as smbd. Setting "ldap debug level = 1"
> in smb.conf, and the equivalent LDAP_DEBUG_TRACE in my test program shows the
> smbd output complaining of certificate signature failure.
> 
> smbd output:
...
> > [LDAP] TLS certificate verification: depth: 0, err: 7, subject:
> > /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street
> > SE/O=University of Minnesota/OU=School of Physics and
> > Astronomy/CN=ldap.spa.umn.edu,[LDAP]  issuer: /C=US/ST=MI/L=Ann
> > Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> > [LDAP] TLS certificate verification: Error, certificate signature failure

Some certs verify, another doesn't: so what's different about that cert?  
Different signature hash algorithm, sha256 perhaps?

...
> But my test program on same machine gives:
...
> > TLS certificate verification: depth: 0, err: 0, subject:
> > /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street
> > SE/O=University of Minnesota/OU=School of Physics and
> > Astronomy/CN=ldap.spa.umn.edu, issuer: /C=US/ST=MI/L=Ann
> > Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
...
> Same certificate chain, but one case verifies and the other doesn't...
> 
> I also stepped through smbd with gdb and verified that the parameters to
> ldap_simple_bind_s are the same as my test case.
> 
> Wonder if anyone can venture a guess how this might occur?

Are smbd and your test program linked against the same libldap version and 
openssl version?


Philip Guenther
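A small helper for the two checks suggested above (how each certificate in the chain is signed, and which libldap/OpenSSL libraries each binary actually resolves). This is an added example, not code from the thread; it assumes the OpenSSL CLI and ldd are installed and that the server chain has been saved to a PEM file, leaf first.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the OpenSSL CLI and ldd are
# installed, BUNDLE is a PEM file holding the server chain (leaf first, as saved
# from "openssl s_client -showcerts"), and the arguments to compare_tls_libs
# are the binaries to compare (e.g. smbd and the test program).

# Print depth, signature algorithm and subject of every cert in a PEM bundle.
# "depth" follows the LDAP debug output: 0 is the server cert, 1 its issuer, ...
chain_sig_algs() {
    bundle=$1
    tmp=$(mktemp -d)
    # One file per certificate; anything before the first BEGIN goes to cert0.pem.
    awk -v d="$tmp" 'BEGIN {n=0} /-----BEGIN CERTIFICATE-----/ {n++} {print > (d "/cert" n ".pem")}' "$bundle"
    depth=0
    for c in "$tmp"/cert*.pem; do
        grep -q 'BEGIN CERTIFICATE' "$c" || continue
        # -text prints "Signature Algorithm: <name>" twice; the first is enough.
        alg=$(openssl x509 -in "$c" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
        subj=$(openssl x509 -in "$c" -noout -subject)
        printf 'depth %d: %s (%s)\n' "$depth" "$alg" "$subj"
        depth=$((depth + 1))
    done
    rm -rf "$tmp"
}

# Just the algorithm of the depth-0 (server) certificate, for scripting.
leaf_sig_alg() {
    chain_sig_algs "$1" | awk '$1 == "depth" && $2 == "0:" {print $3}'
}

# Show which LDAP/TLS libraries each binary resolves at run time, so two
# programs that "do the same thing" can be compared side by side.
compare_tls_libs() {
    for bin in "$@"; do
        printf '%s:\n' "$bin"
        ldd "$bin" | grep -E 'libldap|liblber|libssl|libcrypto|libgnutls' \
            || echo '  (no LDAP/TLS libraries found by ldd)'
    done
}

# Usage, e.g.: chain_sig_algs ldap-chain.pem; compare_tls_libs /usr/sbin/smbd ./ldaptest
```

A depth whose algorithm differs between the two listings, or a binary that resolves a different libssl than its sibling, is the first thing to look at.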