ldaps: hangs after initial connection
ldap: on port 389 works as expected. I'm still not making
TLS connections on port 636. When a connection is attempted
from Outlook Express Addressbook on another machine, slapd
logs this:
Sep 22 15:03:20 sapphire slapd[12943]: daemon: conn=1 fd=11
connection from IP=192.168.5.38:3827
(IP=207.106.123.147:636) accepted.
And when Outlook is closed on the remote machine, slapd logs
this:
Sep 22 15:06:17 sapphire slapd[12943]: conn=-1 fd=11 closed
but nothing else happens. It doesn't receive the query.
I tried running slapd in debug mode, then substituting
openssl s_client in place of the client, and openssl
s_server in place of the server.
--------------------------------------------------------------------------
1. slapd 2.0.4 running in debug mode, Outlook Express
attempts connection on port 636.
$ /opt/openldap2/libexec/slapd -f
~directory/ldap/newearth.conf -d -1 -h
"ldap://ldap.newearth.org:389 ldap://localhost:389
ldaps://ldap.newearth.org:636"
--------------------------------------------------------------------------
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
80 j 01 03 01 00 Q 00 00 00 10
tls_read: want=97, got=97
8f 80 01 80 00 03 80 00 01 81 00 01 81 00 03 82
00 01 00 00 04 00 00 05 00 00 0a 83 00 04 84 80
@ 01 00 80 07 00 c0 03 00 80 00 00 09 06 00 @
00 00 d 00 00 b 00 00 03 00 00 06 83 00 04 84
( @ 02 00 80 04 00 80 00 00 13 00 00 12 00 00
c e a3 ea d0 83 J 0c ! 6 fb y 92 10 . b9
S
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
tls_write: want=1024, written=1024
[...lots left out...]
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=13, written=13
, d 01 19 13 03 o r g 0e 00 00 00
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
--------------------------------------------------------------------------
2. OpenSSL s_client, using the same client certificate as
used by Outlook Express in connection above.
$ openssl s_client -host ldap.newearth.org -port 636 -CAfile
/opt/ssl/certs/ca.crt -cert ~michael/certs/michael.crt -key
~michael/certs/michael.key
--------------------------------------------------------------------------
CONNECTED(00000003)
depth=1 /CN=NewEarth CA/0.9.2342.19200300.100.1.3=ca@newearth.org/0.9.2342.19200300.100.1.1=ca/DC=newearth/DC=org
verify return:1
depth=0 /CN=ldap.newearth.org/0.9.2342.19200300.100.1.3=directory@newearth.org/0.9.2342.19200300.100.1.1=directory/DC=newearth/DC=org
verify return:1
---
Certificate chain
0 s:/CN=ldap.newearth.org/0.9.2342.19200300.100.1.3=directory@newearth.org/0.9.2342.19200300.100.1.1=directory/DC=newearth/DC=org
i:/CN=NewEarth CA/0.9.2342.19200300.100.1.3=ca@newearth.org/0.9.2342.19200300.100.1.1=ca/DC=newearth/DC=org
1 s:/CN=NewEarth CA/0.9.2342.19200300.100.1.3=ca@newearth.org/0.9.2342.19200300.100.1.1=ca/DC=newearth/DC=org
i:/CN=NewEarth CA/0.9.2342.19200300.100.1.3=ca@newearth.org/0.9.2342.19200300.100.1.1=ca/DC=newearth/DC=org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...cert left out...]
-----END CERTIFICATE-----
subject=/CN=ldap.newearth.org/0.9.2342.19200300.100.1.3=directory@newearth.org/0.9.2342.19200300.100.1.1=directory/DC=newearth/DC=org
issuer=/CN=NewEarth CA/0.9.2342.19200300.100.1.3=ca@newearth.org/0.9.2342.19200300.100.1.1=ca/DC=newearth/DC=org
---
Acceptable client certificate CA names
/CN=NewEarth CA/0.9.2342.19200300.100.1.3=ca@newearth.org/0.9.2342.19200300.100.1.1=ca/DC=newearth/DC=org
---
SSL handshake has read 2112 bytes and written 2291 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 8E4BC4F3CB1A266BC032EF0CDB9B1B1FC339FA7455718606D8445547CFFC7525
Session-ID-ctx:
Master-Key: B6921E6E721B31C0F31B80CC927381AC53A9DC253B495F962AE5DF190FCF257AD0014D6490D38CEA9E3E3A1860CD5BCA
Key-Arg : None
Start Time: 969648278
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
--------------------------------------------------------------------------
3. OpenSSL s_server, running on port 636, using the same
server certificate as slapd in example 1.
#openssl s_server -accept 636 -CAfile /opt/ssl/certs/ca.crt
-cert /opt/ssl/certs/directory.crt -key
/opt/ssl/private/directory.key -state
--------------------------------------------------------------------------
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
--------------------------------------------------------------------------
4. OpenSSL s_server, running on port 636, using the same
server certificate as slapd in example 1, with the -debug switch
#openssl s_server -accept 636 -CAfile /opt/ssl/certs/ca.crt
-cert /opt/ssl/certs/directory.crt -key
/opt/ssl/private/directory.key -state -debug
--------------------------------------------------------------------------
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
read from 08137BC8 [0813D170] (11 bytes => 11 (0xB))
0000 - 80 6a 01 03 01 00 51 00-00 00 10 .j....Q....
read from 08137BC8 [0813D17B] (97 bytes => 97 (0x61))
0000 - 8f 80 01 80 00 03 80 00-01 81 00 01 81 00 03 82 ................
0010 - 00 01 00 00 04 00 00 05-00 00 0a 83 00 04 84 80 ................
0020 - 40 01 00 80 07 00 c0 03-00 80 00 00 09 06 00 40 @..............@
0030 - 00 00 64 00 00 62 00 00-03 00 00 06 83 00 04 84 ..d..b..........
0040 - 28 40 02 00 80 04 00 80-00 00 13 00 00 12 00 00 (@..............
0050 - 63 6b 0d 40 a7 fa 81 f0-a9 59 c6 98 38 3f 1f 8b ck.@.....Y..8?..
0060 - 46 F
SSL_accept:SSLv3 read client hello A
write to 08137BC8 [08146608] (79 bytes => 79 (0x4F))
0000 - 16 03 01 00 4a 02 00 00-46 03 01 39 cb ab 83 37 ....J...F..9...7
0010 - 45 a9 4d f0 b0 d9 0b 2b-fe d2 83 a6 17 55 96 82 E.M....+.....U..
0020 - 18 2f 87 81 f4 cc 9f 45-5c 6a b1 20 54 76 ea 92 ./.....E\j. Tv..
0030 - be 9f f2 60 13 a0 b9 02-54 77 38 cf e0 c0 cb 3f ...`....Tw8....?
0040 - 3c dd 47 89 3e b7 07 f0-04 3c 7b bc 00 04 <.G.>....<{...
004f - <SPACES/NULS>
SSL_accept:SSLv3 write server hello A
write to 08137BC8 [08141980] (1838 bytes => 1838 (0x72E))
0000 - 16 03 01 07 29 0b 00 07-25 00 07 22 00 03 d6 30 ....)...%.."...0
[...a lot left out...]
0720 - 2c b4 ce 11 4e 7c 16 97-73 24 bf a1 5e a8 ,...N|..s$..^.
SSL_accept:SSLv3 write certificate A
write to 08137BC8 [08146608] (9 bytes => 9 (0x9))
0000 - 16 03 01 00 04 0e ......
0009 - <SPACES/NULS>
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
--------------------------------------------------------------------------
So far I am not seeing any information that tells me why the
connection to slapd gets stuck.
--
Michael V. David - MVD53 - michael@newearth.org - mvd@netaxs.com
WEB: http://www.netaxs.com/~mvd/mvd - http://www.newearth.org/~michael
IRC: irc.newearth.org#newearth - AIM: newearth7 - GPS: 40 07 53 N, 75 04 04 W
Quidquid latine dicitur, altum viditur.
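The two traces above can be compared byte for byte. The Python below is an added example, not code from the post or from OpenLDAP: it decodes slapd's mixed hex/character dump (printable bytes shown as the character itself, inferred from 'j' standing for 0x6a and 'Q' for 0x51) and s_server's -debug dump into TLS records, names the handshake messages in each, and runs over the dumps copied from the post.

```python
import re
HANDSHAKE = {0x01: "ClientHello", 0x02: "ServerHello", 0x0b: "Certificate",  # RFC 2246, 7.4
             0x0c: "ServerKeyExchange", 0x0d: "CertificateRequest",
             0x0e: "ServerHelloDone", 0x10: "ClientKeyExchange", 0x14: "Finished"}

def parse_s_server_dump(text):
    # '0010 - 45 a9 ... 82   E.M..': offset, up to 16 hex bytes ('-' after the 8th), ASCII column
    # (assumed not to start with two hex digits). '<SPACES/NULS>' at offset N: pad with NULs to N.
    data = bytearray()
    for off, rest in re.findall(r"^\s*([0-9a-fA-F]{4}) - (.*)$", text, re.M):
        if "<SPACES/NULS>" in rest:
            data.extend(b"\0" * (int(off, 16) - len(data)))
        else:
            run = re.match(r"((?:[0-9a-fA-F]{2}[ -]){0,15}[0-9a-fA-F]{2})?", rest).group()
            data.extend(bytes.fromhex(re.sub(r"[ -]", "", run)))
    return bytes(data)

def parse_slapd_dump(text):
    # slapd -d -1 shows a byte as two hex digits, or as the character itself when printable.
    return bytes(int(t, 16) if len(t) == 2 else ord(t) for t in text.split())

def handshake_messages(body):
    # Handshake messages packed back to back in a record body: 1-byte type, 3-byte length, data.
    names, pos = [], 0
    while pos + 4 <= len(body):
        names.append(HANDSHAKE.get(body[pos], hex(body[pos])))
        pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
    return names

def describe_record(data):
    # Top bit set: SSLv2-style 2-byte header (what this client hello uses); else an SSLv3/TLS record.
    if data[0] & 0x80:
        return {"format": "SSLv2", "version": f"{data[3]}.{data[4]}",
                "length": ((data[0] & 0x7f) << 8) | data[1],
                "messages": ["CLIENT-HELLO" if data[2] == 1 else hex(data[2])]}
    length, hs = int.from_bytes(data[3:5], "big"), data[0] == 0x16
    return {"format": "handshake" if hs else hex(data[0]), "version": f"{data[1]}.{data[2]}",
            "length": length, "messages": handshake_messages(data[5:5 + length]) if hs else []}

CLIENT_HELLO_SLAPD = "80 j 01 03 01 00 Q 00 00 00 10"  # dumps below are copied from the post's traces
CLIENT_HELLO_S_SERVER = "0000 - 80 6a 01 03 01 00 51 00-00 00 10   .j....Q...."
SERVER_HELLO = r"""0000 - 16 03 01 00 4a 02 00 00-46 03 01 39 cb ab 83 37   ....J...F..9...7
0010 - 45 a9 4d f0 b0 d9 0b 2b-fe d2 83 a6 17 55 96 82   E.M....+.....U..
0020 - 18 2f 87 81 f4 cc 9f 45-5c 6a b1 20 54 76 ea 92   ./.....E\j. Tv..
0030 - be 9f f2 60 13 a0 b9 02-54 77 38 cf e0 c0 cb 3f   ...`....Tw8....?
0040 - 3c dd 47 89 3e b7 07 f0-04 3c 7b bc 00 04         <.G.>....<{...
004f - <SPACES/NULS>"""
SERVER_HELLO_DONE = "0000 - 16 03 01 00 04 0e   ......\n0009 - <SPACES/NULS>"
SLAPD_LAST_WRITE = ", d 01 19 13 03 o r g 0e 00 00 00"  # tail of the CA name, then ServerHelloDone
```

Decoded this way, both servers receive the identical SSLv2-format client hello, and s_server (run without -Verify, so it never asks for a client certificate) ends its flight with ServerHelloDone right after Certificate, while slapd's final 13 bytes close a CertificateRequest (the CA name ending in "org") with a ServerHelloDone and then block in "read client certificate", which is exactly where the trace stops.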