
Re: TLS/SSL problems



Recompiling OpenSSL and OpenLDAP has no effect on this issue. Still persists.

Tomas Maly wrote:

> I also try to use the /usr/lib/ssl/misc/CA.sh script to create the CA, the
> request (with the '-nodes' option to hopefully keep it unencrypted), and
> the certificate itself, with the same problem.
>
> Tomas Maly wrote:
>
> > SSL doesn't work. TLS appears to (via the -ZZ option for ldap*).
> >
> > I've compiled OpenLDAP with OpenSSL and SASL support.
> >
> > I run the following command to add the key and to self sign it.
> >
> > openssl req -new -x509 -nodes -out tomas_mvista_com.pem -keyout
> > tomas_mvista_com.pem -days 999999
> >
> > I add the following config options to (the global section of) slapd.conf
> > and restart slapd with the "-h ldap:/// ldaps:///" option. First off, is
> > there a slapd.conf directive I can use to allow LDAPS to run, instead of
> > passing the command line argument?
> >
> > TLSCertificateFile
> > /usr/local/openldap/etc/openldap/tomas_mvista_com.pem
> > TLSCertificateKeyFile
> > /usr/local/openldap/etc/openldap/tomas_mvista_com.pem
> > TLSCACertificateFile
> > /usr/local/openldap/etc/openldap/tomas_mvista_com.pem
> >
> > Secondly, when I attempt to connect via anything, whether Outlook
> > Express, Netscape Communicator, or ldapsearch with the
> > "-H ldaps:///" option, it gives me an error (usually an unknown error
> > "0xFFFFFFFF"). I know Communicator needs to load the certificate if it's
> > self signed, so I go to https://host.com:636/, and go through the dialog
> > of accepting the cert. I then add the host to my Address Book, enable
> > SSL on the client, and try to connect. It gives an error such as "Failed
> > to bind to  'OpenLDAP Server' due to LDAP error 'Can't connect to
> > LDAP server' (0x5B)".
> >
> > "ldapsearch -H ldaps://hostname/ -x" just gives me a segmentation
> > fault. This is what I do/get.
> >
> > tomas:/etc/openldap # ldapsearch -H 'ldaps://tomas.mvista.com/' -x -d
> > 257
> > ldap_create
> > ldap_url_parse(ldaps://tomas.mvista.com/)
> > ldap_bind_s
> > ldap_simple_bind_s
> > ldap_sasl_bind_s
> > ldap_sasl_bind
> > ldap_send_initial_request
> > ldap_new_connection
> > ldap_int_open_connection
> > ldap_connect_to_host
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying 10.0.0.154:636
> > ldap_connect_timeout: fd: 3 tm: -1 async: 0
> > ldap_ndelay_on: 3
> > ldap_is_sock_ready: 3
> > ldap_ndelay_off: 3
> > ldap_int_sasl_open: tomas.mvista.com
> > TLS trace: SSL_connect:before/connect initialization
> > TLS trace: SSL_connect:SSLv2/v3 write client hello A
> > TLS trace: SSL_connect:SSLv3 read server hello A
> > TLS certificate verification: depth: 0, subject:
> > /C=US/ST=California/L=Sunnyvale/O=MontaVista Software,
> > Inc/CN=tomas.mvista.com/Email=it@mvista.com, issuer:
> > /C=US/ST=California/L=Sunnyvale/O=MontaVista Software,
> > Inc/CN=tomas.mvista.com/Email=it@mvista.com
> > TLS trace: SSL_connect:SSLv3 read server certificate A
> > TLS trace: SSL_connect:SSLv3 read server done A
> > TLS trace: SSL_connect:SSLv3 write client key exchange A
> > TLS trace: SSL_connect:SSLv3 write change cipher spec A
> > TLS trace: SSL_connect:SSLv3 write finished A
> > TLS trace: SSL_connect:SSLv3 flush data
> > TLS trace: SSL_connect:SSLv3 read finished A
> > Segmentation fault
> >
> > On the server side, it simply looks like:
> >
> > @(#) $OpenLDAP: slapd 2.0.7-Release (Mon Jan  8 10:42:03 PST 2001) $
> >         root@test3:/usr/src/openldap-2.0.7/servers/slapd
> > daemon_init: listen on ldap:///
> > daemon_init: listen on ldaps:///
> > daemon_init: 2 listeners to open...
> > ldap_url_parse(ldap:///)
> > daemon: socket() failed errno=97 (Address family not supported by
> > protocol)
> > daemon: initialized ldap:///
> > ldap_url_parse(ldaps:///)
> > daemon: socket() failed errno=97 (Address family not supported by
> > protocol)
> > daemon: initialized ldaps:///
> > daemon_init: 2 listeners opened
> > slapd init: initiated server.
> > slap_sasl_init: initialized!
> > slapd startup: initiated.
> > slapd starting
> > daemon: conn=0 fd=10 connection from IP=10.0.0.154:2964 (IP=0.0.0.0:636)
> > accepted.
> > connection_get(10): got connid=0
> > connection_read(10): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > TLS trace: SSL_accept:SSLv3 flush data
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > connection_get(10): got connid=0
> > connection_read(10): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_get(10): got connid=0
> > connection_read(10): checking for input on id=0
> > ber_get_next
> > ber_get_next on fd 10 failed errno=0 (Success)
> > connection_read(10): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=10 for close
> > connection_close: conn=0 sd=10
> > conn=-1 fd=10 closed
> > TLS trace: SSL3 alert write:warning:close notify
> >
> > Any thoughts? Including a DN to bind to (with proper
> > authentication) doesn't help either. I also tend to get from Netscape
> > (when SSL is disabled) the "unknown error (0xFFFFFFFF)" when I sometimes
> > try to authenticate first. It's not 100%, and it seems random. It
> > perhaps happens when I switch from SSL to non-SSL without restarting
> > Netscape. Restarting seems to affect it as well (fix it, actually). Any
> > ideas on this?
> >
> > I don't recall what Outlook does, but it's not productive either.
> >
> > Anyone have ideas what I can do to check this more in depth? Such as
> > SSL tools to verify that the certificate is set up correctly, etc...
> >
> > BTW, when replying, please reply to my "Reply-To" address
> > (tmaly@mvista.com). Thanks.
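Added example, not part of Tomas's mail and not OpenLDAP's own tooling: a POSIX shell script that builds the same kind of combined key+certificate PEM the quoted slapd.conf points all three TLS* directives at, and then runs the openssl CLI checks that answer the "SSL tools to verify that the certificate is set up correctly" question. It assumes the openssl binary is installed; the hostname ldap.example.test and the files under a temporary directory are constructed stand-ins for tomas_mvista_com.pem.

```shell
#!/bin/sh
# Added example, not from the original thread: build a slapd-style combined
# key+certificate PEM and sanity-check it with the openssl CLI before pointing
# TLSCertificateFile / TLSCertificateKeyFile / TLSCACertificateFile at it.
# Assumes the openssl binary is installed; names and paths are constructed.

WORK=${WORK:-$(mktemp -d)}
CN=${CN:-ldap.example.test}    # constructed server name; must match the host in ldaps://host/
KEY="$WORK/server.key"
CRT="$WORK/server.crt"
PEM="$WORK/server.pem"         # stands in for tomas_mvista_com.pem in the post

# Generate an unencrypted RSA key (-nodes, so slapd needs no passphrase) and a
# self-signed certificate, then concatenate them into one file as the post does.
make_self_signed() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$CN" -keyout "$KEY" -out "$CRT" >/dev/null 2>&1 || return 1
    cat "$KEY" "$CRT" > "$PEM" || return 1
    chmod 600 "$KEY" "$PEM"    # the combined file carries the private key; keep it private
}

# Check 1: a combined file must contain both a private key and a certificate block.
pem_has_key_and_cert() {
    grep -q 'BEGIN.*PRIVATE KEY' "$PEM" && grep -q 'BEGIN CERTIFICATE' "$PEM"
}

# Check 2: the public key inside the certificate must be the one derived from
# the private key; a mismatch is a classic cause of a handshake that dies late.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$PEM" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$PEM" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Check 3: a self-signed certificate must verify against itself when the same
# file is used as the CA file, which is exactly what the quoted config does.
cert_is_self_signed_and_valid() {
    openssl verify -CAfile "$PEM" "$PEM" >/dev/null 2>&1
}

# Check 4: the subject CN must be the name clients put in ldaps://host/ URLs,
# otherwise clients that verify the peer name will refuse to bind.
cert_names_host() {
    openssl x509 -in "$PEM" -noout -subject 2>/dev/null | grep -q "$CN"
}

# Print what slapd will present, for comparison with the client-side
# "TLS certificate verification: ... subject: ..., issuer: ..." trace line.
show_cert() {
    openssl x509 -in "$PEM" -noout -subject -issuer -dates 2>/dev/null
}

# Run every check; returns 0 only if all of them pass.
check_all() {
    make_self_signed || { echo "certificate generation failed"; return 1; }
    status=0
    for chk in pem_has_key_and_cert key_matches_cert cert_is_self_signed_and_valid cert_names_host; do
        if "$chk"; then echo "PASS $chk"; else echo "FAIL $chk"; status=1; fi
    done
    show_cert
    return $status
}

check_all
```

Against a running server the matching live check is `openssl s_client -connect host:636 -CAfile server.pem`, which prints the same client-hello/server-certificate/finished sequence as the quoted ldapsearch trace plus the verify result. Worth noting from the traces already in the thread: both sides reach "read finished" / "write finished" before anything goes wrong, so if the file checks above are green the certificate is not where the segmentation fault comes from; the failure is past the TLS layer, in the LDAP exchange that follows.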