Re: Cannot get ldaps to work to 2.0.19 or 2.0.11
I've made some progress at last! I can now get ldaps to work with
ldapsearch provided I use -H ldaps://hostname/ instead of -H ldaps:///.
However, I haven't gotten any of the other clients (Microsoft OE 5.5 or
Netscape 4.77) to work with secure access. In both cases, the failure
seems to stem from an "error in SSLv3 read client certificate A." Here's
the debug trace (edited for clarity).
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
tls_read: want=113, got=113
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=875, written=875
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
One important difference might be that the ldapsearch client (the only
successful one) was launched from the same host as the server, whereas
the rest of the clients were all remote.
Thanks in advance
prasad
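Added example, not from the thread: a Python triage for slapd debug traces like the ones quoted here, which treats an "error in SSLv3 read client certificate A" that follows a tls_read EAGAIN as a non-blocking retry and keys its verdict on what the client does after the server's Finished. A got=0 right after the handshake means the client hung up without sending an LDAP request, which points at the client's trust in the server certificate or hostname matching rather than at slapd itself. The sample lines are constructed from the trace in this thread; SAMPLE_TRACE and triage() are names chosen for this example.

```python
import re

# Constructed sample: the key events of the slapd -d trace quoted in this thread.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
tls_read: want=5, got=0
connection_read(10): input error=-2 id=0, closing.
"""

STATE_RE = re.compile(r"TLS trace: SSL_accept:(?P<state>.+)$")
READ_RE = re.compile(r"tls_read: want=\d+(?:, got=(?P<got>\d+)| error=(?P<err>.+))$")

def triage(trace):
    """Classify one TLS accept from slapd debug lines; returns a verdict dict."""
    finished = False               # server has sent its Finished message
    eagain = 0                     # non-blocking reads that had no data yet
    app_data = False               # a record arrived after the handshake
    closed_after_handshake = False
    for line in trace.splitlines():
        m = STATE_RE.search(line)
        if m:
            # "error in ... read client certificate A" right after an EAGAIN read is
            # just SSL_accept asking to be called again; only real states count.
            if m.group("state") == "SSLv3 write finished A":
                finished = True
            continue
        m = READ_RE.search(line)
        if m is None:
            continue
        if m.group("err"):
            eagain += 1
        elif finished:
            if int(m.group("got")) == 0:
                closed_after_handshake = True   # peer hung up, no LDAP request sent
            else:
                app_data = True
    if finished and app_data:
        verdict = "tls-ok"
    elif finished and closed_after_handshake:
        verdict = "client-closed-after-handshake"
    else:
        verdict = "handshake-aborted"
    return {"verdict": verdict, "eagain_reads": eagain, "finished": finished}
```

Feed it the full output of `slapd -d 5` (or the `-d 5` ldapsearch run suggested below) to separate benign EAGAIN retries from a client that actually rejected the handshake.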
----- Original Message -----
From: "James Bourne" <jbourne@MtRoyal.AB.CA>
To: "Prasad A. Chodavarapu" <chprasad@hotmail.com>
Cc: <openldap-software@OpenLDAP.org>
Sent: Sunday, January 06, 2002 4:21 PM
Subject: Re: Cannot get ldaps to work to 2.0.19 or 2.0.11
> On Sun, 6 Jan 2002, Prasad A. Chodavarapu wrote:
>
> > Hi James,
> > Thanks a lot for the reply. Unfortunately though, that doesn't seem to
> > be the real problem. I've tried running 2.0.19 as root but to no avail.
> > Also, 2.0.11 that I tested was actually on a pristine RH 7.2. Btw, if it
> > matters, I am using openssl-0.9.6b-8 that comes with RH7.2. Any other
> > ideas?
>
> Hmm, not sure, as your debug trace doesn't show any errors... Try running
> an ldap search against it, with -d 5. This should at least show an error
> that you can start from.
>
> Regards
> Jim
>
> > Thanks in advance
> > prasad
> >
> > ----- Original Message -----
> > From: "James Bourne" <jbourne@MtRoyal.AB.CA>
> > To: "Prasad A. Chodavarapu" <chprasad@hotmail.com>
> > Cc: <openldap-software@OpenLDAP.org>
> > Sent: Sunday, January 06, 2002 1:04 PM
> > Subject: Re: Cannot get ldaps to work to 2.0.19 or 2.0.11
> >
> >
> > > On Sun, 6 Jan 2002, Prasad A. Chodavarapu wrote:
> > >
> > > > I've been trying in vain to get my OpenLDAP installation (both 2.0.11
> > > > and 2.0.19) to work over SSL. I can get ldap:/// to work with all
> > > > clients I tried but ldaps:/// was a different story with every client.
> > > >
> > > > I've searched the web, made sure that the hostname in my server
> > > > certificate resolves correctly but it didn't help either. One thing I
> > > > haven't done is configure any of the clients with any certificates.
> > >
> > > Hi,
> > > Try running the ldap server as root. There seems to be a bug, either with
> > > openssl 0.9.6(null,a,b) or with openldap (I think it is a problem in openssl
> > > more than openldap) which does not allow the server to run as a non-root
> > > user and properly use TLS... The Red Hat 7.2 distributed RPMS do work
> > > properly as a non-root user, and I've backported them (not very difficult)
> > > to Red Hat 6.1 as well. You may want to look to those for your build tips.
> > >
> > > Regards
> > > James Bourne
> > >
> > > >
> > > > My conf file contains the following TLS directives.
> > > >
> > > > TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> > > > TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> > > > #the following are not documented in the latest man page
> > > > TLSCACertificateFile /usr/share/ssl/certs/slapd.pem
> > > > TLSVerifyClient 0
> > > >
> > > > and finally, here's my debug trace.
> > > >
> > > > slapd starting
> > > > daemon: added 6r
> > > > daemon: added 7r
> > > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > > daemon: activity on 1 descriptors
> > > > daemon: new connection on 10
> > > > ldap_pvt_gethostbyname_a: host=cherish.aalayance.com, r=0
> > > > daemon: conn=0 fd=10 connection from IP=127.0.0.1:34267
> > > > (IP=0.0.0.0:31746) accepted.
> > > > daemon: added 10r
> > > > daemon: activity on:
> > > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > > daemon: activity on 1 descriptors
> > > > daemon: activity on: 10r
> > > > daemon: read activity on 10
> > > > connection_get(10)
> > > > connection_get(10): got connid=0
> > > > connection_read(10): checking for input on id=0
> > > > TLS trace: SSL_accept:before/accept initialization
> > > > tls_read: want=11, got=11
> > > > tls_read: want=113, got=113
> > > > TLS trace: SSL_accept:SSLv3 read client hello A
> > > > TLS trace: SSL_accept:SSLv3 write server hello A
> > > > TLS trace: SSL_accept:SSLv3 write certificate A
> > > > TLS trace: SSL_accept:SSLv3 write server done A
> > > > tls_write: want=875, written=875
> > > > TLS trace: SSL_accept:SSLv3 flush data
> > > > tls_read: want=5 error=Resource temporarily unavailable
> > > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > > daemon: activity on 1 descriptors
> > > > daemon: activity on: 10r
> > > > daemon: read activity on 10
> > > > connection_get(10)
> > > > connection_get(10): got connid=0
> > > > connection_read(10): checking for input on id=0
> > > > tls_read: want=5, got=5
> > > > tls_read: want=134, got=134
> > > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > > tls_read: want=5, got=5
> > > > tls_read: want=1, got=1
> > > > tls_read: want=5, got=5
> > > > tls_read: want=40, got=40
> > > > TLS trace: SSL_accept:SSLv3 read finished A
> > > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > > TLS trace: SSL_accept:SSLv3 write finished A
> > > > tls_write: want=51, written=51
> > > > TLS trace: SSL_accept:SSLv3 flush data
> > > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > > daemon: activity on 1 descriptors
> > > > daemon: activity on: 10r
> > > > daemon: read activity on 10
> > > > connection_get(10)
> > > > connection_get(10): got connid=0
> > > > connection_read(10): checking for input on id=0
> > > > ber_get_next
> > > > tls_read: want=5, got=0
> > > >
> > > > ldap_read: want=1, got=0
> > > >
> > > > ber_get_next on fd 10 failed errno=0 (Success)
> > > > connection_read(10): input error=-2 id=0, closing.
> > > > connection_closing: readying conn=0 sd=10 for close
> > > > connection_close: conn=0 sd=10
> > > > daemon: removing 10
> > > > conn=-1 fd=10 closed
> > > >
> > > > Thanks in advance
> > > > prasad
> > > >
> > >
> > > --
> > > James Bourne, Supervisor Data Centre Operations
> > > Mount Royal College, Calgary, AB, CA
> > > www.mtroyal.ab.ca
> > >
> > >
> > > ******************************************************************************
> > > This communication is intended for the use of the recipient to which it is
> > > addressed, and may contain confidential, personal, and or privileged
> > > information. Please contact the sender immediately if you are not the
> > > intended recipient of this communication, and do not copy, distribute, or
> > > take action relying on it. Any communication received in error, or
> > > subsequent reply, should be deleted or destroyed.
> > >
> > > ******************************************************************************
> > >
> > >
> >
>
> --
> James Bourne, Supervisor Data Centre Operations
> Mount Royal College, Calgary, AB, CA
> www.mtroyal.ab.ca