TLS headache
Hello,
I'm trying to make a TLS connection work between ldap clients and slapd,
but I always get an SSL error. The configuration can't be simpler:
I'm using a self-issued certificate.
Please, can anyone tell me what's wrong with my configuration?
Thanks,
/usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ldap *:* LISTEN
tcp 0 0 *:ldaps *:* LISTEN
slapd.conf excerpt
==================
TLSVerifyClient true
TLSCipherSuite HIGH
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem
ldap.conf excerpt
==================
TLS_CACERT /usr/local/openldap/etc/openldap/slapd.pem
TLS_CERT /usr/local/openldap/etc/openldap/slapd.pem
TLS_KEY /usr/local/openldap/etc/openldap/slapd.key
TLS_REQCERT allow
filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
Validity
Not Before: Jun 16 11:09:22 2003 GMT
Not After : Jun 14 11:09:22 2008 GMT
Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d7:38:ea:8e:a2:1d:56:de:38:05:c1:41:1f:c5:
e1:06:27:28:1b:b6:86:56:7a:b2:bf:48:67:80:ab:
15:89:61:0c:f9:c5:26:1b:f9:07:da:cc:da:c9:f1:
64:0a:81:09:c3:6c:1d:26:1b:b9:35:0c:83:a6:0a:
08:ef:02:ef:a5:9e:6f:17:23:20:72:0f:e3:62:88:
40:f8:55:55:c2:75:7b:1d:b3:d8:bf:f2:50:f1:f9:
45:d9:fa:ca:b5:df:b2:ed:8a:f9:8a:29:c2:48:b5:
ad:4e:c2:d9:54:55:cf:5a:54:d8:3b:f9:3c:ea:d2:
8d:eb:8d:d1:45:4c:c5:1e:87:9d:35:2a:d9:94:fd:
a9:0d:17:3f:ca:15:8d:f6:48:80:1b:31:4b:46:99:
cd:e7:93:cb:92:9c:25:22:f5:ab:9a:01:90:20:c6:
70:6b:8d:d1:dd:3b:73:f1:7a:9f:d8:31:fc:b4:4d:
e8:d9:53:1b:45:87:6d:51:4e:40:48:bd:0d:b1:a4:
3f:51:37:0a:f1:0b:bb:18:be:02:69:a5:ce:67:85:
91:25:3a:44:85:bf:6f:ee:cb:cc:44:71:6c:57:99:
74:0a:15:ef:7b:e7:29:79:8a:5a:3b:6e:61:ba:09:
7f:73:33:da:31:3d:e0:05:da:32:c9:0c:12:64:1a:
a1:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
X509v3 Authority Key Identifier:
keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
90:81:6e:b2:72:4c:70:2f:c4:5a:41:90:70:0b:0c:77:d0:18:
af:e2:a5:13:4f:4b:41:23:87:05:a2:6c:f1:d5:8d:84:34:a6:
fd:5a:c0:93:9f:b2:a4:4d:0b:d6:fd:7b:28:45:f4:35:b4:a9:
2c:29:1f:6a:c4:5e:87:d2:59:e1:75:1d:9f:2b:3d:69:cd:d9:
da:b7:15:03:0d:2c:b4:1d:c2:8e:a2:45:47:a9:e7:2a:3d:28:
22:2b:41:49:25:0e:38:ee:0c:84:b9:e4:1b:f8:07:e8:3b:1a:
4c:de:68:50:20:fb:2e:f0:74:a2:db:c2:96:95:65:c1:de:e8:
a2:3d:f6:a9:48:9e:1f:e4:67:ba:59:e5:9a:cb:d6:79:34:7f:
4d:9a:8e:4a:66:68:d4:59:6f:d7:86:ac:32:8c:3c:f4:e4:60:
a0:3c:6a:e3:0c:e6:b8:46:b6:1e:c6:25:20:04:5a:93:4f:c2:
90:3c:b6:7f:88:08:d1:09:59:e7:a1:a7:b4:04:53:28:5b:b2:
8f:4d:08:58:d2:c2:37:ee:56:ee:23:15:e3:c7:e5:e0:f2:77:
cb:d9:58:43:53:be:18:1a:f3:8a:19:5b:36:30:49:3c:a4:cb:
58:78:fc:9f:92:c1:1d:f0:5e:d4:e3:da:8f:0c:5a:74:18:27:
30:8d:20:cc
/------/
ldapsearch -ZZ -d -1 -b "dc=fadesa"
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: -1
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=filemon.servidores.fadesa
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Jun 16 13:54:07 2003
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=9, got=9
0000: 30 0c 02 01 01 78 07 0a 01 0....x...
ldap_read: want=5, got=5
0000: 00 04 00 04 00 .....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
0000: 78 07 0a 01 00 04 00 04 00 x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 16 00 00 .z....Q... .....
0010: 13 00 00 0a 07 00 c0 00 00 66 00 00 05 00 00 04 .........f......
0020: 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 ...........e..d.
0030: 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 .c..b..a..`.....
0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
0050: 00 00 06 00 00 03 04 00 80 02 00 80 39 13 8b a0 ............9...
0060: 72 49 06 d9 a2 aa 96 66 d6 a7 cc a6 5b f3 c8 52 rI.....f....[..R
0070: b0 98 c2 d9 ea f4 d7 68 fb 1a 74 07 .......h..t.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 00 4a 02 00 ....J..
tls_read: want=72, got=72
0000: 00 46 03 01 3e ed af df ac 36 d2 53 17 d5 a0 12 .F..>....6.S....
0010: d3 ed 59 a0 c1 76 d2 06 64 e6 06 8e 52 8e d9 85 ..Y..v..d...R...
0020: 80 ce 6d 47 20 8c 89 00 18 6a 0c 2b d9 ff c5 44 ..mG ....j.+...D
0030: d5 65 79 1a 7a f8 26 99 b4 6a e3 fa c4 9c 49 10 .ey.z.&..j....I.
0040: 9f d1 77 2b 09 00 0a 00 ..w+....
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 04 93 .....
tls_read: want=1171, got=1171
0000: 0b 00 04 8f 00 04 8c 00 04 89 30 82 04 85 30 82 ..........0...0.
0010: 03 6d a0 03 02 01 02 02 01 00 30 0d 06 09 2a 86 .m........0...*.
0020: 48 86 f7 0d 01 01 04 05 00 30 81 8d 31 0b 30 09 H........0..1.0.
0030: 06 03 55 04 06 13 02 45 53 31 12 30 10 06 03 55 ..U....ES1.0...U
0040: 04 08 14 09 4c 61 20 43 6f 72 75 f1 61 31 12 30 ....La Coru.a1.0
0050: 10 06 03 55 04 07 14 09 4c 61 20 43 6f 72 75 f1 ...U....La Coru.
0060: 61 31 0f 30 0d 06 03 55 04 0a 13 06 46 61 64 65 a1.0...U....Fade
0070: 73 61 31 14 30 12 06 03 55 04 0b 13 0b 69 6e 66 sa1.0...U....inf
0080: 6f 72 6d 61 74 69 63 61 31 11 30 0f 06 03 55 04 ormatica1.0...U.
0090: 03 13 08 6f 70 65 6e 6c 64 61 70 31 1c 30 1a 06 ...openldap1.0..
00a0: 09 2a 86 48 86 f7 0d 01 09 01 16 0d 6e 6f 6e 65 .*.H........none
00b0: 40 66 66 66 66 66 2e 66 66 30 1e 17 0d 30 33 30 @fffff.ff0...030
00c0: 36 31 36 31 31 30 39 32 32 5a 17 0d 30 38 30 36 616110922Z..0806
00d0: 31 34 31 31 30 39 32 32 5a 30 81 8d 31 0b 30 09 14110922Z0..1.0.
00e0: 06 03 55 04 06 13 02 45 53 31 12 30 10 06 03 55 ..U....ES1.0...U
00f0: 04 08 14 09 4c 61 20 43 6f 72 75 f1 61 31 12 30 ....La Coru.a1.0
0100: 10 06 03 55 04 07 14 09 4c 61 20 43 6f 72 75 f1 ...U....La Coru.
0110: 61 31 0f 30 0d 06 03 55 04 0a 13 06 46 61 64 65 a1.0...U....Fade
0120: 73 61 31 14 30 12 06 03 55 04 0b 13 0b 69 6e 66 sa1.0...U....inf
0130: 6f 72 6d 61 74 69 63 61 31 11 30 0f 06 03 55 04 ormatica1.0...U.
0140: 03 13 08 6f 70 65 6e 6c 64 61 70 31 1c 30 1a 06 ...openldap1.0..
0150: 09 2a 86 48 86 f7 0d 01 09 01 16 0d 6e 6f 6e 65 .*.H........none
0160: 40 66 66 66 66 66 2e 66 66 30 82 01 22 30 0d 06 @fffff.ff0.."0..
0170: 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f .*.H............
0180: 00 30 82 01 0a 02 82 01 01 00 d7 38 ea 8e a2 1d .0.........8....
0190: 56 de 38 05 c1 41 1f c5 e1 06 27 28 1b b6 86 56 V.8..A....'(...V
01a0: 7a b2 bf 48 67 80 ab 15 89 61 0c f9 c5 26 1b f9 z..Hg....a...&..
01b0: 07 da cc da c9 f1 64 0a 81 09 c3 6c 1d 26 1b b9 ......d....l.&..
01c0: 35 0c 83 a6 0a 08 ef 02 ef a5 9e 6f 17 23 20 72 5..........o.# r
01d0: 0f e3 62 88 40 f8 55 55 c2 75 7b 1d b3 d8 bf f2 ..b.@.UU.u{.....
01e0: 50 f1 f9 45 d9 fa ca b5 df b2 ed 8a f9 8a 29 c2 P..E..........).
01f0: 48 b5 ad 4e c2 d9 54 55 cf 5a 54 d8 3b f9 3c ea H..N..TU.ZT.;.<.
0200: d2 8d eb 8d d1 45 4c c5 1e 87 9d 35 2a d9 94 fd .....EL....5*...
0210: a9 0d 17 3f ca 15 8d f6 48 80 1b 31 4b 46 99 cd ...?....H..1KF..
0220: e7 93 cb 92 9c 25 22 f5 ab 9a 01 90 20 c6 70 6b .....%"..... .pk
0230: 8d d1 dd 3b 73 f1 7a 9f d8 31 fc b4 4d e8 d9 53 ...;s.z..1..M..S
0240: 1b 45 87 6d 51 4e 40 48 bd 0d b1 a4 3f 51 37 0a .E.mQN@H....?Q7.
0250: f1 0b bb 18 be 02 69 a5 ce 67 85 91 25 3a 44 85 ......i..g..%:D.
0260: bf 6f ee cb cc 44 71 6c 57 99 74 0a 15 ef 7b e7 .o...DqlW.t...{.
0270: 29 79 8a 5a 3b 6e 61 ba 09 7f 73 33 da 31 3d e0 )y.Z;na...s3.1=.
0280: 05 da 32 c9 0c 12 64 1a a1 87 02 03 01 00 01 a3 ..2...d.........
0290: 81 ed 30 81 ea 30 1d 06 03 55 1d 0e 04 16 04 14 ..0..0...U......
02a0: 25 18 ef 9a 09 20 44 11 fc 3a b7 6c 67 7e 80 b4 %.... D..:.lg~..
02b0: 3c 21 ef 64 30 81 ba 06 03 55 1d 23 04 81 b2 30 <!.d0....U.#...0
02c0: 81 af 80 14 25 18 ef 9a 09 20 44 11 fc 3a b7 6c ....%.... D..:.l
02d0: 67 7e 80 b4 3c 21 ef 64 a1 81 93 a4 81 90 30 81 g~..<!.d......0.
02e0: 8d 31 0b 30 09 06 03 55 04 06 13 02 45 53 31 12 .1.0...U....ES1.
02f0: 30 10 06 03 55 04 08 14 09 4c 61 20 43 6f 72 75 0...U....La Coru
0300: f1 61 31 12 30 10 06 03 55 04 07 14 09 4c 61 20 .a1.0...U....La
0310: 43 6f 72 75 f1 61 31 0f 30 0d 06 03 55 04 0a 13 Coru.a1.0...U...
0320: 06 46 61 64 65 73 61 31 14 30 12 06 03 55 04 0b .Fadesa1.0...U..
0330: 13 0b 69 6e 66 6f 72 6d 61 74 69 63 61 31 11 30 ..informatica1.0
0340: 0f 06 03 55 04 03 13 08 6f 70 65 6e 6c 64 61 70 ...U....openldap
0350: 31 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 09 01 16 1.0...*.H.......
0360: 0d 6e 6f 6e 65 40 66 66 66 66 66 2e 66 66 82 01 .none@fffff.ff..
0370: 00 30 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30 .0...U....0....0
0380: 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 82 ...*.H..........
0390: 01 01 00 90 81 6e b2 72 4c 70 2f c4 5a 41 90 70 .....n.rLp/.ZA.p
03a0: 0b 0c 77 d0 18 af e2 a5 13 4f 4b 41 23 87 05 a2 ..w......OKA#...
03b0: 6c f1 d5 8d 84 34 a6 fd 5a c0 93 9f b2 a4 4d 0b l....4..Z.....M.
03c0: d6 fd 7b 28 45 f4 35 b4 a9 2c 29 1f 6a c4 5e 87 ..{(E.5..,).j.^.
03d0: d2 59 e1 75 1d 9f 2b 3d 69 cd d9 da b7 15 03 0d .Y.u..+=i.......
03e0: 2c b4 1d c2 8e a2 45 47 a9 e7 2a 3d 28 22 2b 41 ,.....EG..*=("+A
03f0: 49 25 0e 38 ee 0c 84 b9 e4 1b f8 07 e8 3b 1a 4c I%.8.........;.L
0400: de 68 50 20 fb 2e f0 74 a2 db c2 96 95 65 c1 de .hP ...t.....e..
0410: e8 a2 3d f6 a9 48 9e 1f e4 67 ba 59 e5 9a cb d6 ..=..H...g.Y....
0420: 79 34 7f 4d 9a 8e 4a 66 68 d4 59 6f d7 86 ac 32 y4.M..Jfh.Yo...2
0430: 8c 3c f4 e4 60 a0 3c 6a e3 0c e6 b8 46 b6 1e c6 .<..`.<j....F...
0440: 25 20 04 5a 93 4f c2 90 3c b6 7f 88 08 d1 09 59 % .Z.O..<......Y
0450: e7 a1 a7 b4 04 53 28 5b b2 8f 4d 08 58 d2 c2 37 .....S([..M.X..7
0460: ee 56 ee 23 15 e3 c7 e5 e0 f2 77 cb d9 58 43 53 .V.#......w..XCS
0470: be 18 1a f3 8a 19 5b 36 30 49 3c a4 cb 58 78 fc ......[60I<..Xx.
0480: 9f 92 c1 1d f0 5e d4 e3 da 8f 0c 5a 74 18 27 30 .....^.....Zt.'0
0490: 8d 20 cc . .
TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
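Added note and example for this thread (not part of the original post, not OpenLDAP code). Two facts in the trace are worth reading before touching the config. First, "err: 18" at depth 0 is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the client checked the server certificate against its trust store and did not find this self-signed certificate there. With TLS_CACERT pointing at that same slapd.pem the lookup would succeed, and TLS_REQCERT allow is documented to proceed even on a bad certificate, so a fatal "unknown CA" alert is consistent with ldapsearch reading a different ldap.conf (the system file, $LDAPCONF, or ~/.ldaprc) than the excerpt shown; which file the client actually loads is the first thing to confirm. Second, the bytes in the trace tell you what was negotiated before the client gave up. The script below decodes them with a small BER and TLS record reader using only the hex that appears in the trace; the Certificate message is cut after its first few dozen bytes, which is enough to read the DER header, version, serial number and signature algorithm (md5WithRSAEncryption, which should not be used for a new certificate). The cipher suite name table and alert table are standard TLS values, not anything from the post.

```python
"""Decode the bytes in the ldapsearch -d -1 trace: the LDAP StartTLS result,
the TLS handshake records, and the fatal alert the client sent back.
Added example for this thread; not code from OpenLDAP or from the poster."""

# Bytes copied from the trace (constructed from the page's hex dumps).
STARTTLS_RESPONSE = bytes.fromhex("300c02010178070a010004000400")
CLIENT_HELLO = bytes.fromhex("807a0103010051000000200000160000")  # first 16 of 124
SERVER_HELLO = bytes.fromhex(
    "160301004a"            # record: handshake, TLS 1.0, 74 bytes
    "020000460301"          # ServerHello, length 70, server_version 3.1
    "3eedafdfac36d25317d5a012d3ed59a0c176d20664e6068e528ed98580ce6d47"    # random
    "208c8900186a0c2bd9ffc544d565791a7af82699b46ae3fac49c49109fd1772b09"  # session id
    "000a00")               # cipher_suite 0x000a, null compression
CERTIFICATE = bytes.fromhex(
    "1603010493"            # record: handshake, TLS 1.0, 1171 bytes
    "0b00048f00048c000489"  # Certificate msg len, list len, first cert len
    "308204853082036da003020102020100300d06092a864886f70d0101040500")  # DER, truncated
ALERT = bytes.fromhex("15030100020230")  # the 7 bytes the client wrote back

CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca"}
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def ber_header(buf, pos=0):
    """Read a BER/DER tag and length at pos; return (tag, length, start of value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos


def decode_oid(raw):
    """DER OID content bytes to dotted form (first byte packs two arcs, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7f)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_ldap_result(buf):
    """LDAPMessage { messageID, ExtendedResponse { resultCode, matchedDN, errorMessage } }."""
    _, _, pos = ber_header(buf, 0)                  # outer SEQUENCE
    _, length, pos = ber_header(buf, pos)           # messageID INTEGER
    msgid = int.from_bytes(buf[pos:pos + length], "big"); pos += length
    op, _, pos = ber_header(buf, pos)               # 0x78 = [APPLICATION 24] ExtendedResponse
    _, length, pos = ber_header(buf, pos)           # resultCode ENUMERATED
    code = buf[pos]; pos += length
    _, length, pos = ber_header(buf, pos)           # matchedDN
    matched = buf[pos:pos + length].decode(); pos += length
    _, length, pos = ber_header(buf, pos)           # errorMessage
    return {"msgid": msgid, "op_tag": op, "result_code": code,
            "matched_dn": matched, "error": buf[pos:pos + length].decode()}


def tls_record(buf):
    """TLS record header: content type, (major, minor), length, then the fragment."""
    return buf[0], (buf[1], buf[2]), int.from_bytes(buf[3:5], "big"), buf[5:]


def decode_sslv2_client_hello(buf):
    """SSLv2-compatible CLIENT-HELLO: high bit set on byte 0, two-byte length header."""
    assert buf[0] & 0x80
    return {"record_len": ((buf[0] & 0x7f) << 8) | buf[1], "msg_type": buf[2],
            "version": (buf[3], buf[4]),
            "cipher_specs": int.from_bytes(buf[5:7], "big") // 3,  # 3 bytes per spec
            "session_id_len": int.from_bytes(buf[7:9], "big"),
            "challenge_len": int.from_bytes(buf[9:11], "big")}


def decode_server_hello(buf):
    ctype, version, _, hs = tls_record(buf)
    assert ctype == 0x16 and hs[0] == 0x02          # handshake record, ServerHello
    pos = 4 + 2 + 32                                # skip hs header, server_version, random
    sid_len = hs[pos]; pos += 1 + sid_len
    suite = int.from_bytes(hs[pos:pos + 2], "big")
    return {"version": version, "session_id_len": sid_len,
            "cipher_suite": CIPHER_SUITES.get(suite, hex(suite)), "compression": hs[pos + 2]}


def decode_certificate(buf):
    """Handshake lengths plus the leading fields of the first certificate's DER."""
    ctype, _, record_len, hs = tls_record(buf)
    assert ctype == 0x16 and hs[0] == 0x0b
    msg_len, cert_len = int.from_bytes(hs[1:4], "big"), int.from_bytes(hs[7:10], "big")
    der = hs[10:]
    _, outer_len, pos = ber_header(der, 0)          # Certificate SEQUENCE
    _, _, pos = ber_header(der, pos)                # tbsCertificate SEQUENCE
    _, l, pos = ber_header(der, pos)                # [0] EXPLICIT version INTEGER
    version = der[pos + 2] + 1; pos += l
    _, l, pos = ber_header(der, pos)                # serialNumber
    serial = int.from_bytes(der[pos:pos + l], "big"); pos += l
    _, _, pos = ber_header(der, pos)                # signature AlgorithmIdentifier
    _, l, pos = ber_header(der, pos)                # its OID
    oid = decode_oid(der[pos:pos + l])
    return {"record_len": record_len, "msg_len": msg_len, "cert_len": cert_len,
            "der_len": outer_len + 4, "version": version, "serial": serial,
            "sig_alg": SIG_ALGS.get(oid, oid)}


def decode_alert(buf):
    ctype, _, _, body = tls_record(buf)
    assert ctype == 0x15                            # alert record
    return {1: "warning", 2: "fatal"}[body[0]], ALERT_DESCRIPTIONS.get(body[1], str(body[1]))


if __name__ == "__main__":
    print("StartTLS result:", decode_ldap_result(STARTTLS_RESPONSE))
    print("ClientHello:    ", decode_sslv2_client_hello(CLIENT_HELLO))
    print("ServerHello:    ", decode_server_hello(SERVER_HELLO))
    print("Certificate:    ", decode_certificate(CERTIFICATE))
    print("Alert:          ", decode_alert(ALERT))
```

Run as-is it shows the StartTLS extended operation returning resultCode 0 (the server accepted the upgrade), a 27-suite SSLv2-format ClientHello, the server picking TLS_RSA_WITH_3DES_EDE_CBC_SHA from the HIGH list, a 1161-byte v3 certificate with serial 0 signed with MD5, and then the client, not the server, ending the session with a fatal unknown_ca alert. That ordering is the useful part: slapd's side of the handshake is fine, and the failure is the client's trust decision.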