
Re: TLS headache






Hi Jose,

I'm not sure whether you're trying to get server side TLS or server side
TLS with client side authentication working.  If you are only setting up
server side TLS, then you don't need the TLSVerifyClient line in slapd.conf
or much of the ldap.conf file.

If you are trying to set up client authentication, then your user (client)
will also need the TLS_CERT and TLS_KEY entries moved from ldap.conf to
either a file called ldaprc or .ldaprc in the user's home directory or
current directory.

Please see the new doc
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html for various
TLS/SSL issues.  It's full of examples too.  Well written (tongue firmly in
cheek!!).

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com




From: "José M. Fandiño" <ldap@fadesa.es>
Sent by: owner-openldap-software@OpenLDAP.org
To: openldap-software@OpenLDAP.org
cc:
Subject: TLS headache
Date: 06/16/2003 06:56 AM
Please respond to ldap
                                                                                                                                     
                                                                                                                                     




Hello,

I'm trying to make a TLS connection work between ldap clients and slapd
but I always get an SSL error. The configuration can't be simpler;
I'm using a self-issued certificate.

Please, can anyone tell me what's wrong with my configuration?

thanks,

/usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ldap                  *:*                     LISTEN
tcp        0      0 *:ldaps                 *:*                     LISTEN

slapd.conf excerpt
==================
TLSVerifyClient true
TLSCipherSuite  HIGH
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem

ldap.conf excerpt
==================
TLS_CACERT      /usr/local/openldap/etc/openldap/slapd.pem
TLS_CERT        /usr/local/openldap/etc/openldap/slapd.pem
TLS_KEY         /usr/local/openldap/etc/openldap/slapd.key
TLS_REQCERT allow

filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
        Validity
            Not Before: Jun 16 11:09:22 2003 GMT
            Not After : Jun 14 11:09:22 2008 GMT
        Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
            X509v3 Authority Key Identifier:
                keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
                DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption

             /------/

ldapsearch -ZZ -d -1 -b "dc=fadesa"
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: -1
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=filemon.servidores.fadesa
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jun 16 13:54:07 2003

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=9, got=9
  0000:  30 0c 02 01 01 78 07 0a  01                        0....x...
ldap_read: want=5, got=5
  0000:  00 04 00 04 00                                     .....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
  0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0

ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  16 03 01 00 4a 02 00                               ....J..
tls_read: want=72, got=72
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
  0000:  16 03 01 04 93                                     .....
tls_read: want=1171, got=1171
TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
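The trace José posted shows the LDAP layer accepting StartTLS (the ExtendedResponse carries resultCode 0) and the failure coming afterwards, in the client's X.509 verification of the server certificate (err 18, followed by a fatal unknown_ca alert). The following Python is an added example, not code from the thread or from OpenLDAP: it decodes those three trace lines from a constructed excerpt, using the X509_V_ERR values from OpenSSL's x509_vfy.h and the alert numbers from RFC 2246, so a reader can tell which layer a StartTLS failure belongs to.

```python
import re
# Constructed excerpt of the ldapsearch -ZZ -d -1 trace quoted in the thread.
TRACE = """\
ldap_read: message type extended-result msgid 1, original id 1
  0000:  78 07 0a 01 00 04 00 04  00                        x........
TLS certificate verification: depth: 0, err: 18, subject: /CN=openldap, issuer: /CN=openldap
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
"""
# OpenSSL X509_V_ERR_* codes as printed by the OpenLDAP verify callback.
X509_VERIFY_ERRORS = {18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
                      19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN", 20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"}
TLS_ALERTS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}  # RFC 2246 section 7.2
HEX_LINE = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}\s+)+)")
VERIFY_LINE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+)")

def hex_dump_bytes(line):
    """Bytes of one '  0000:  15 03 01 ...' trace line; the ASCII column is dropped."""
    m = HEX_LINE.match(line)
    return bytes.fromhex(m.group(1).replace(" ", ""))[:16] if m else b""

def decode_tls_alert(rec):
    """TLS alert record: content type 0x15, version, then a 2-byte body of level and description."""
    if len(rec) < 7 or rec[0] != 0x15 or int.from_bytes(rec[3:5], "big") != 2:
        return None
    return {"version": "%d.%d" % (rec[1], rec[2]), "level": {1: "warning", 2: "fatal"}.get(rec[5], "?"),
            "description": TLS_ALERTS.get(rec[6], "alert %d" % rec[6])}  # version 3.1 is TLS 1.0

def decode_extended_response(ber):
    """Short LDAPv3 ExtendedResponse ([APPLICATION 24]): resultCode, matchedDN, diagnosticMessage."""
    if len(ber) < 2 or ber[0] != 0x78:
        return None
    body = ber[2:2 + ber[1]]                                   # short-form length only
    if len(body) < 3 or body[0] != 0x0A:                       # resultCode is an ENUMERATED
        return None
    code, pos, text = int.from_bytes(body[2:2 + body[1]], "big"), 2 + body[1], []
    for _ in range(2):                                         # two OCTET STRINGs follow
        if pos + 2 > len(body) or body[pos] != 0x04:
            return None
        text.append(body[pos + 2:pos + 2 + body[pos + 1]].decode("utf-8", "replace"))
        pos += 2 + body[pos + 1]
    return {"resultCode": code, "matchedDN": text[0], "diagnosticMessage": text[1]}

def analyze_trace(trace):
    """Locate where StartTLS failed: the LDAP layer, X.509 verification, or the TLS alert sent."""
    report, lines = {"starttls": None, "verify": None, "alert": None}, trace.splitlines()
    for i, line in enumerate(lines):
        dump = hex_dump_bytes(lines[i + 1]) if i + 1 < len(lines) else b""
        if "extended-result" in line:
            report["starttls"] = decode_extended_response(dump)
        elif line.startswith("tls_write") and dump[:1] == b"\x15":
            report["alert"] = decode_tls_alert(dump)
        m = VERIFY_LINE.search(line)
        if m:
            report["verify"] = {"depth": int(m.group(1)), "err": int(m.group(2)),
                                "meaning": X509_VERIFY_ERRORS.get(int(m.group(2)), "X509_V_ERR " + m.group(2))}
    return report
```

For José's trace the report reads: StartTLS resultCode 0, verify error 18 at depth 0, alert fatal unknown_ca, which points at the client's trust anchor rather than at slapd.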