[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS not working with 2.0.14



On Thu, Sep 27, 2001 at 10:58:45AM -0700, David Wright wrote:
> 
> >     # ldapsearch -h clan -D cn=Manager,dc=example,dc=com -w secret -L -x -ZZ
> >     ldap_start_tls: Connect error
> 
> I ran into a simliar problem and it turned out to be my cert; more recent
> OpenLDAPs are less tolerant of nonconformant certificates. In particular,
> the name in your cert must be exactly the correct FQDN of your server as
> returned e.g. by nslookup; an IP address won't do.

I think I've got that right.

I've generated a new.cert.cert and new.cert.key by doing the following:

    # cd /usr/local/etc/openldap/SSL
    
Create key and request

    # openssl req -new > new.cert.csr
    Using configuration from /etc/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    .....++++++
    ......++++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:XX
    State or Province Name (full name) [Some-State]:XXXXXXXXX
    Locality Name (eg, city) []:XXXXXXXXXXXX
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:XXXXXXXXXXXXXXXXXXXXXXXXX
    Email Address []:nik@freebsd.org
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

I've used XXX's in the above to obliterate some personal information.
I set the "Common Name" to the name of the host, as returned by
"hostname".

Then I removed the pass phrase from the key

    # openssl rsa -in privkey.pem -out new.cert.key
    read RSA key
    Enter PEM pass phrase:
    writing RSA key

Then I turned this in to a signed certificate.

    # openssl x509 -in new.cert.csr -out new.cert.cert -req \ 
    	-signkey new.cert.key -days 365
    Signature ok
    subject=/C=XX/ST=XXXXXXXXX/L=XXXXXXXXXXXX/O=XXXXXXXXXXXXXXXXXX/CN=XXXXXXXXXXXXXXXXXXXXXXXXX/Email=nik@freebsd.org
    Getting Private key

This leaves me with four files

    new.cert.cert
    new.cert.csr
    new.cert.key
    privkey.pem

I added these three lines to slapd.conf

    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /usr/local/etc/openldap/SSL/new.cert.cert
    TLSCertificateKeyFile /usr/local/etc/openldap/SSL/new.cert.key

and run slapd as

    # /usr/local/libexec/slapd -h 'ldap:/// ldaps:///' -d 9

> If this doesn't solve the problem, please:
> 1) Tell us whether ssl (ie ldaps) fails as well as tls.

Don't know.  I don't have anything here that speaks ldaps.  I'm trying
to get TLS working so that I can use

    http://www.rudedog.org/auth_ldap/

which can't use SSL with OpenLDAP, just TLS.

> 2) Include the log info, even if you don't understand it.

    @(#) $OpenLDAP: slapd 2.0.14-Release (Wed Sep 26 21:03:08 BST 2001) $
            nik@clan.nothing-going-on.org:/local/1/usr/ports/net/openldap2/work/openldap-2.0.14/servers/slapd
    daemon_init: listen on ldap:///
    daemon_init: listen on ldaps:///
    daemon_init: 2 listeners to open...
    ldap_url_parse_ext(ldap:///)
    daemon: initialized ldap:///
    ldap_url_parse_ext(ldaps:///)
    daemon: initialized ldaps:///
    daemon_init: 2 listeners opened
    slapd init: initiated server.
    slap_sasl_init: initialized!
    slapd startup: initiated.
    slapd starting
    daemon: added 8r
    daemon: added 9r
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL

That's before I do the ldapsearch request.

I then run

    # ldapsearch -h clan -D cn=Manager,dc=example,dc=com -w secret -L -x -ZZ
    ldap_start_tls: Connect error

in another window, and the following is logged:

    daemon: activity on 1 descriptors
    daemon: new connection on 10
    daemon: added 10r
    daemon: activity on:
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 10r
    daemon: read activity on 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next: tag 0x30 len 29 contents:
    ber_get_next
    ber_get_next on fd 10 failed errno=35 (Resource temporarily
    unavailable)
    do_extended
    ber_scanf fmt ({a) ber:
    send_ldap_extended 0: (0)
    send_ldap_response: msgid=1 tag=120 err=0
    ber_flush: 14 bytes to sd 10
    daemon: select: listen=8 active_threads=1 tvp=NULL
    daemon: select: listen=9 active_threads=1 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 10r
    daemon: read activity on 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:before/accept initialization
    TLS trace: SSL_accept:SSLv3 read client hello A
    TLS trace: SSL_accept:SSLv3 write server hello A
    TLS trace: SSL_accept:SSLv3 write certificate A
    TLS trace: SSL_accept:SSLv3 write server done A
    TLS trace: SSL_accept:SSLv3 flush data
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 10r
    daemon: read activity on 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    TLS trace: SSL_accept:SSLv3 read client key exchange A
    TLS trace: SSL_accept:SSLv3 read finished A
    TLS trace: SSL_accept:SSLv3 write change cipher spec A
    TLS trace: SSL_accept:SSLv3 write finished A
    TLS trace: SSL_accept:SSLv3 flush data
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: activity on: 10r
    daemon: read activity on 10
    connection_get(10): got connid=0
    connection_read(10): checking for input on id=0
    ber_get_next
    ber_get_next on fd 10 failed errno=0 (Undefined error: 0)
    connection_read(10): input error=-2 id=0, closing.
    connection_closing: readying conn=0 sd=10 for close
    connection_close: conn=0 sd=10
    daemon: removing 10
    TLS trace: SSL3 alert write:warning:close notify
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptors
    daemon: select: listen=8 active_threads=0 tvp=NULL
    daemon: select: listen=9 active_threads=0 tvp=NULL

Any suggestions gratefully received.

N
-- 
Internet connection, $19.95 a month.  Computer, $799.95.  Modem, $149.95.
Telephone line, $24.95 a month.  Software, free.  USENET transmission,
hundreds if not thousands of dollars.  Thinking before posting, priceless.
Somethings in life you can't buy.  For everything else, there's MasterCard.
  -- Graham Reed, in the Scary Devil Monastery

Attachment: pgpssAPMRHXi6.pgp
Description: PGP signature