Re: TLS headache
Hi.
Check if it helps you.
I have the following working config for TLS/SSL in Solaris 8/9.
slapd.conf
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem
ldap.conf
ssl start_tls
tls_checkpeer yes
TLS_CACERT /usr/local/etc/openldap/demoCA/cacert.pem
The TLS_CACERT file was copied to the client manually before trying the connection.
----- Original Message -----
From: "José M. Fandiño" <ldap@fadesa.es>
To: <openldap-software@OpenLDAP.org>
Sent: Monday, June 16, 2003 1:56 PM
Subject: TLS headache
> Hello,
>
> I'm trying to make a TLS connection work between ldap clients and slapd,
> but I always get an SSL error. The configuration can't be simpler:
> I'm using a self-issued certificate.
>
> Please, can anyone tell me what's wrong with my configuration?
>
> thanks,
>
> /usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 *:ldap *:* LISTEN
> tcp 0 0 *:ldaps *:* LISTEN
>
> slapd.conf excerpt
> ==================
> TLSVerifyClient true
> TLSCipherSuite HIGH
> TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
> TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
> TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem
>
> ldap.conf excerpt
> ==================
> TLS_CACERT /usr/local/openldap/etc/openldap/slapd.pem
> TLS_CERT /usr/local/openldap/etc/openldap/slapd.pem
> TLS_KEY /usr/local/openldap/etc/openldap/slapd.key
> TLS_REQCERT allow
>
> filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 0 (0x0)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
> Validity
> Not Before: Jun 16 11:09:22 2003 GMT
> Not After : Jun 14 11:09:22 2008 GMT
> Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (2048 bit)
> Modulus (2048 bit):
> 00:d7:38:ea:8e:a2:1d:56:de:38:05:c1:41:1f:c5:
> e1:06:27:28:1b:b6:86:56:7a:b2:bf:48:67:80:ab:
> 15:89:61:0c:f9:c5:26:1b:f9:07:da:cc:da:c9:f1:
> 64:0a:81:09:c3:6c:1d:26:1b:b9:35:0c:83:a6:0a:
> 08:ef:02:ef:a5:9e:6f:17:23:20:72:0f:e3:62:88:
> 40:f8:55:55:c2:75:7b:1d:b3:d8:bf:f2:50:f1:f9:
> 45:d9:fa:ca:b5:df:b2:ed:8a:f9:8a:29:c2:48:b5:
> ad:4e:c2:d9:54:55:cf:5a:54:d8:3b:f9:3c:ea:d2:
> 8d:eb:8d:d1:45:4c:c5:1e:87:9d:35:2a:d9:94:fd:
> a9:0d:17:3f:ca:15:8d:f6:48:80:1b:31:4b:46:99:
> cd:e7:93:cb:92:9c:25:22:f5:ab:9a:01:90:20:c6:
> 70:6b:8d:d1:dd:3b:73:f1:7a:9f:d8:31:fc:b4:4d:
> e8:d9:53:1b:45:87:6d:51:4e:40:48:bd:0d:b1:a4:
> 3f:51:37:0a:f1:0b:bb:18:be:02:69:a5:ce:67:85:
> 91:25:3a:44:85:bf:6f:ee:cb:cc:44:71:6c:57:99:
> 74:0a:15:ef:7b:e7:29:79:8a:5a:3b:6e:61:ba:09:
> 7f:73:33:da:31:3d:e0:05:da:32:c9:0c:12:64:1a:
> a1:87
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Subject Key Identifier:
> 25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
> X509v3 Authority Key Identifier:
> keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
> DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
> serial:00
>
> X509v3 Basic Constraints:
> CA:TRUE
> Signature Algorithm: md5WithRSAEncryption
> 90:81:6e:b2:72:4c:70:2f:c4:5a:41:90:70:0b:0c:77:d0:18:
> af:e2:a5:13:4f:4b:41:23:87:05:a2:6c:f1:d5:8d:84:34:a6:
> fd:5a:c0:93:9f:b2:a4:4d:0b:d6:fd:7b:28:45:f4:35:b4:a9:
> 2c:29:1f:6a:c4:5e:87:d2:59:e1:75:1d:9f:2b:3d:69:cd:d9:
> da:b7:15:03:0d:2c:b4:1d:c2:8e:a2:45:47:a9:e7:2a:3d:28:
> 22:2b:41:49:25:0e:38:ee:0c:84:b9:e4:1b:f8:07:e8:3b:1a:
> 4c:de:68:50:20:fb:2e:f0:74:a2:db:c2:96:95:65:c1:de:e8:
> a2:3d:f6:a9:48:9e:1f:e4:67:ba:59:e5:9a:cb:d6:79:34:7f:
> 4d:9a:8e:4a:66:68:d4:59:6f:d7:86:ac:32:8c:3c:f4:e4:60:
> a0:3c:6a:e3:0c:e6:b8:46:b6:1e:c6:25:20:04:5a:93:4f:c2:
> 90:3c:b6:7f:88:08:d1:09:59:e7:a1:a7:b4:04:53:28:5b:b2:
> 8f:4d:08:58:d2:c2:37:ee:56:ee:23:15:e3:c7:e5:e0:f2:77:
> cb:d9:58:43:53:be:18:1a:f3:8a:19:5b:36:30:49:3c:a4:cb:
> 58:78:fc:9f:92:c1:1d:f0:5e:d4:e3:da:8f:0c:5a:74:18:27:
> 30:8d:20:cc
>
> /------/
>
> ldapsearch -ZZ -d -1 -b "dc=fadesa"
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP localhost:389
> ldap_new_socket: -1
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 127.0.0.1:389
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_int_sasl_open: host=filemon.servidores.fadesa
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_flush: 31 bytes to sd 3
> 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
> 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
> ldap_write: want=31, written=31
> 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
> 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
> ldap_result msgid 1
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> wait4msg (infinite timeout), msgid 1
> wait4msg continue, msgid 1, all 1
> ** Connections:
> * host: localhost port: 389 (default)
> refcnt: 2 status: Connected
> last used: Mon Jun 16 13:54:07 2003
>
> ** Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ** Response Queue:
> Empty
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> ldap_int_select
> read1msg: msgid 1, all 1
> ber_get_next
> ldap_read: want=9, got=9
> 0000: 30 0c 02 01 01 78 07 0a 01 0....x...
> ldap_read: want=5, got=5
> 0000: 00 04 00 04 00 .....
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
> 0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........
> ldap_read: message type extended-result msgid 1, original id 1
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> 0000: 78 07 0a 01 00 04 00 04 00 x........
> read1msg: 0 new referrals
> read1msg: mark request completed, id = 1
> request 1 done
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection
> ldap_free_connection: refcnt 1
> ldap_parse_extended_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> 0000: 78 07 0a 01 00 04 00 04 00 x........
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> 0000: 78 07 0a 01 00 04 00 04 00 x........
> ber_scanf fmt (}) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0
>
> ldap_msgfree
> TLS trace: SSL_connect:before/connect initialization
> tls_write: want=124, written=124
> 0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 16 00 00 .z....Q... .....
> 0010: 13 00 00 0a 07 00 c0 00 00 66 00 00 05 00 00 04 .........f......
> 0020: 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 ...........e..d.
> 0030: 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 .c..b..a..`.....
> 0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 ......@.........
> 0050: 00 00 06 00 00 03 04 00 80 02 00 80 39 13 8b a0 ............9...
> 0060: 72 49 06 d9 a2 aa 96 66 d6 a7 cc a6 5b f3 c8 52 rI.....f....[..R
> 0070: b0 98 c2 d9 ea f4 d7 68 fb 1a 74 07 .......h..t.
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> tls_read: want=7, got=7
> 0000: 16 03 01 00 4a 02 00 ....J..
> tls_read: want=72, got=72
> 0000: 00 46 03 01 3e ed af df ac 36 d2 53 17 d5 a0 12 .F..>....6.S....
> 0010: d3 ed 59 a0 c1 76 d2 06 64 e6 06 8e 52 8e d9 85 ..Y..v..d...R...
> 0020: 80 ce 6d 47 20 8c 89 00 18 6a 0c 2b d9 ff c5 44 ..mG ....j.+...D
> 0030: d5 65 79 1a 7a f8 26 99 b4 6a e3 fa c4 9c 49 10 .ey.z.&..j....I.
> 0040: 9f d1 77 2b 09 00 0a 00 ..w+....
> TLS trace: SSL_connect:SSLv3 read server hello A
> tls_read: want=5, got=5
> 0000: 16 03 01 04 93 .....
> tls_read: want=1171, got=1171
> 0000: 0b 00 04 8f 00 04 8c 00 04 89 30 82 04 85 30 82 ..........0...0.
> 0010: 03 6d a0 03 02 01 02 02 01 00 30 0d 06 09 2a 86 .m........0...*.
> 0020: 48 86 f7 0d 01 01 04 05 00 30 81 8d 31 0b 30 09 H........0..1.0.
> 0030: 06 03 55 04 06 13 02 45 53 31 12 30 10 06 03 55 ..U....ES1.0...U
> 0040: 04 08 14 09 4c 61 20 43 6f 72 75 f1 61 31 12 30 ....La Coru.a1.0
> 0050: 10 06 03 55 04 07 14 09 4c 61 20 43 6f 72 75 f1 ...U....La Coru.
> 0060: 61 31 0f 30 0d 06 03 55 04 0a 13 06 46 61 64 65 a1.0...U....Fade
> 0070: 73 61 31 14 30 12 06 03 55 04 0b 13 0b 69 6e 66 sa1.0...U....inf
> 0080: 6f 72 6d 61 74 69 63 61 31 11 30 0f 06 03 55 04 ormatica1.0...U.
> 0090: 03 13 08 6f 70 65 6e 6c 64 61 70 31 1c 30 1a 06 ...openldap1.0..
> 00a0: 09 2a 86 48 86 f7 0d 01 09 01 16 0d 6e 6f 6e 65 .*.H........none
> 00b0: 40 66 66 66 66 66 2e 66 66 30 1e 17 0d 30 33 30 @fffff.ff0...030
> 00c0: 36 31 36 31 31 30 39 32 32 5a 17 0d 30 38 30 36 616110922Z..0806
> 00d0: 31 34 31 31 30 39 32 32 5a 30 81 8d 31 0b 30 09 14110922Z0..1.0.
> 00e0: 06 03 55 04 06 13 02 45 53 31 12 30 10 06 03 55 ..U....ES1.0...U
> 00f0: 04 08 14 09 4c 61 20 43 6f 72 75 f1 61 31 12 30 ....La Coru.a1.0
> 0100: 10 06 03 55 04 07 14 09 4c 61 20 43 6f 72 75 f1 ...U....La Coru.
> 0110: 61 31 0f 30 0d 06 03 55 04 0a 13 06 46 61 64 65 a1.0...U....Fade
> 0120: 73 61 31 14 30 12 06 03 55 04 0b 13 0b 69 6e 66 sa1.0...U....inf
> 0130: 6f 72 6d 61 74 69 63 61 31 11 30 0f 06 03 55 04 ormatica1.0...U.
> 0140: 03 13 08 6f 70 65 6e 6c 64 61 70 31 1c 30 1a 06 ...openldap1.0..
> 0150: 09 2a 86 48 86 f7 0d 01 09 01 16 0d 6e 6f 6e 65 .*.H........none
> 0160: 40 66 66 66 66 66 2e 66 66 30 82 01 22 30 0d 06 @fffff.ff0.."0..
> 0170: 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f .*.H............
> 0180: 00 30 82 01 0a 02 82 01 01 00 d7 38 ea 8e a2 1d .0.........8....
> 0190: 56 de 38 05 c1 41 1f c5 e1 06 27 28 1b b6 86 56 V.8..A....'(...V
> 01a0: 7a b2 bf 48 67 80 ab 15 89 61 0c f9 c5 26 1b f9 z..Hg....a...&..
> 01b0: 07 da cc da c9 f1 64 0a 81 09 c3 6c 1d 26 1b b9 ......d....l.&..
> 01c0: 35 0c 83 a6 0a 08 ef 02 ef a5 9e 6f 17 23 20 72 5..........o.# r
> 01d0: 0f e3 62 88 40 f8 55 55 c2 75 7b 1d b3 d8 bf f2 ..b.@.UU.u{.....
> 01e0: 50 f1 f9 45 d9 fa ca b5 df b2 ed 8a f9 8a 29 c2 P..E..........).
> 01f0: 48 b5 ad 4e c2 d9 54 55 cf 5a 54 d8 3b f9 3c ea H..N..TU.ZT.;.<.
> 0200: d2 8d eb 8d d1 45 4c c5 1e 87 9d 35 2a d9 94 fd .....EL....5*...
> 0210: a9 0d 17 3f ca 15 8d f6 48 80 1b 31 4b 46 99 cd ...?....H..1KF..
> 0220: e7 93 cb 92 9c 25 22 f5 ab 9a 01 90 20 c6 70 6b .....%"..... .pk
> 0230: 8d d1 dd 3b 73 f1 7a 9f d8 31 fc b4 4d e8 d9 53 ...;s.z..1..M..S
> 0240: 1b 45 87 6d 51 4e 40 48 bd 0d b1 a4 3f 51 37 0a .E.mQN@H....?Q7.
> 0250: f1 0b bb 18 be 02 69 a5 ce 67 85 91 25 3a 44 85 ......i..g..%:D.
> 0260: bf 6f ee cb cc 44 71 6c 57 99 74 0a 15 ef 7b e7 .o...DqlW.t...{.
> 0270: 29 79 8a 5a 3b 6e 61 ba 09 7f 73 33 da 31 3d )y.Z;na...s3.1=.
> 0280: 05 da 32 c9 0c 12 64 1a a1 87 02 03 01 00 01 a3 ..2...d.........
> 0290: 81 ed 30 81 ea 30 1d 06 03 55 1d 0e 04 16 04 14 ..0..0...U......
> 02a0: 25 18 ef 9a 09 20 44 11 fc 3a b7 6c 67 7e 80 b4 %.... D..:.lg~..
> 02b0: 3c 21 ef 64 30 81 ba 06 03 55 1d 23 04 81 b2 30 <!.d0....U.#...0
> 02c0: 81 af 80 14 25 18 ef 9a 09 20 44 11 fc 3a b7 6c ....%.... D..:.l
> 02d0: 67 7e 80 b4 3c 21 ef 64 a1 81 93 a4 81 90 30 81 g~..<!.d......0.
> 02e0: 8d 31 0b 30 09 06 03 55 04 06 13 02 45 53 31 12 .1.0...U....ES1.
> 02f0: 30 10 06 03 55 04 08 14 09 4c 61 20 43 6f 72 75 0...U....La Coru
> 0300: f1 61 31 12 30 10 06 03 55 04 07 14 09 4c 61 20 .a1.0...U....La
> 0310: 43 6f 72 75 f1 61 31 0f 30 0d 06 03 55 04 0a 13 Coru.a1.0...U...
> 0320: 06 46 61 64 65 73 61 31 14 30 12 06 03 55 04 0b .Fadesa1.0...U..
> 0330: 13 0b 69 6e 66 6f 72 6d 61 74 69 63 61 31 11 30 ..informatica1.0
> 0340: 0f 06 03 55 04 03 13 08 6f 70 65 6e 6c 64 61 70 ...U....openldap
> 0350: 31 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 09 01 16 1.0...*.H.......
> 0360: 0d 6e 6f 6e 65 40 66 66 66 66 66 2e 66 66 82 01 .none@fffff.ff..
> 0370: 00 30 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30 .0...U....0....0
> 0380: 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 82 ...*.H..........
> 0390: 01 01 00 90 81 6e b2 72 4c 70 2f c4 5a 41 90 70 .....n.rLp/.ZA.p
> 03a0: 0b 0c 77 d0 18 af e2 a5 13 4f 4b 41 23 87 05 a2 ..w......OKA#...
> 03b0: 6c f1 d5 8d 84 34 a6 fd 5a c0 93 9f b2 a4 4d 0b l....4..Z.....M.
> 03c0: d6 fd 7b 28 45 f4 35 b4 a9 2c 29 1f 6a c4 5e 87 ..{(E.5..,).j.^.
> 03d0: d2 59 e1 75 1d 9f 2b 3d 69 cd d9 da b7 15 03 0d .Y.u..+=i.......
> 03e0: 2c b4 1d c2 8e a2 45 47 a9 e7 2a 3d 28 22 2b 41 ,.....EG..*=("+A
> 03f0: 49 25 0e 38 ee 0c 84 b9 e4 1b f8 07 e8 3b 1a 4c I%.8.........;.L
> 0400: de 68 50 20 fb 2e f0 74 a2 db c2 96 95 65 c1 de .hP ...t.....e..
> 0410: e8 a2 3d f6 a9 48 9e 1f e4 67 ba 59 e5 9a cb d6 ..=..H...g.Y....
> 0420: 79 34 7f 4d 9a 8e 4a 66 68 d4 59 6f d7 86 ac 32 y4.M..Jfh.Yo...2
> 0430: 8c 3c f4 e4 60 a0 3c 6a e3 0c e6 b8 46 b6 1e c6 .<..`.<j....F...
> 0440: 25 20 04 5a 93 4f c2 90 3c b6 7f 88 08 d1 09 59 % .Z.O..<......Y
> 0450: e7 a1 a7 b4 04 53 28 5b b2 8f 4d 08 58 d2 c2 37 .....S([..M.X..7
> 0460: ee 56 ee 23 15 e3 c7 e5 e0 f2 77 cb d9 58 43 53 .V.#......w..XCS
> 0470: be 18 1a f3 8a 19 5b 36 30 49 3c a4 cb 58 78 fc ......[60I<..Xx.
> 0480: 9f 92 c1 1d f0 5e d4 e3 da 8f 0c 5a 74 18 27 30 .....^.....Zt.'0
> 0490: 8d 20 cc . .
> TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> --
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
> O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
> G++ e- h+(++) !r !z
> ------END GEEK CODE BLOCK------
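The following script is an added example and is not code from either poster. It reproduces the certificate layout the reply recommends (a private CA in cacert.pem, a CA-signed server certificate in ldapcert.pem with its key in ldapkey.pem) and checks the chain with `openssl verify` before any of it is wired into slapd.conf or ldap.conf. It then shows the failure mode from the original post: a self-signed certificate checked against a trust file that does not contain it yields X509 verify error 18 (self signed certificate at depth 0), while checking it against its own file succeeds. File names, subjects, the host name ldap.example.test and the scratch directory are assumptions; only the openssl command-line tool is needed.

```shell
#!/bin/sh
# Added example, not from either post: build the cacert.pem / ldapcert.pem /
# ldapkey.pem layout from the reply with a private CA, then check the chain
# with openssl verify the way libldap will. File names, subjects and the
# example host name are assumptions; everything is created in a scratch dir.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Self-signed certificate (openssl req -x509 marks it CA:TRUE, like the
# slapd.pem in the original post). $1 = cert out, $2 = key out, $3 = CN
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$2" -out "$1" -subj "/C=XX/O=Example/CN=$3" >/dev/null 2>&1
}

# Server certificate for slapd, signed by the CA in cacert.pem/cakey.pem.
# The CN must be the host name clients connect to: tls_checkpeer /
# TLS_REQCERT demand compare it against the host. $1 = host name
server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout ldapkey.pem -out ldap.csr \
    -subj "/C=XX/O=Example/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in ldap.csr -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -days 365 -out ldapcert.pem >/dev/null 2>&1
}

# Exit 0 if certificate $2 chains to something in trust file $1, 1 otherwise
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The X509 verify error number openssl reports for $2 against trust file $1
# (empty when verification succeeds). 18 is the "self signed certificate"
# at depth 0 that the ldapsearch -d -1 trace above reports.
verify_errno() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Demo run: the reply's layout first, then the failure mode from the post
self_signed cacert.pem cakey.pem "Example LDAP CA"
server_cert ldap.example.test
verify_against cacert.pem ldapcert.pem && echo "CA-signed server cert: OK"

self_signed selfsigned.pem selfkey.pem ldap.example.test
echo "self-signed cert vs. a CA file that lacks it: err $(verify_errno cacert.pem selfsigned.pem)"
verify_against selfsigned.pem selfsigned.pem && echo "same file used as TLS_CACERT: OK"
```

`openssl verify` checks only the chain; the host-name comparison that tls_checkpeer yes or TLS_REQCERT demand adds is done by libldap, so a certificate that passes here can still be rejected if its CN does not match the name the client connects to. If the chain verifies on the client with the file named in TLS_CACERT but ldapsearch -ZZ still reports err 18, the client library is not reading the ldap.conf you expect.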