
Re: TLS headache



Hi.
Check if it helps you.
I have the following working config for TLS/SSL in Solaris 8/9.

slapd.conf
TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /usr/local/etc/openldap/ldapcert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/ldapkey.pem
TLSCACertificateFile    /usr/local/etc/openldap/demoCA/cacert.pem

ldap.conf
ssl                     start_tls
tls_checkpeer           yes
TLS_CACERT              /usr/local/etc/openldap/demoCA/cacert.pem

TLS_CACERT file was copied to client manually before trying connection.

----- Original Message -----
From: "José M. Fandiño" <ldap@fadesa.es>
To: <openldap-software@OpenLDAP.org>
Sent: Monday, June 16, 2003 1:56 PM
Subject: TLS headache


> Hello,
>
> I'm trying to make a TLS connection work between ldap clients and slapd
> but I always get a ssl error. The configuration can't be simpler
> I'm using a self-issued certificate.
>
> please, can anyone tell me what's wrong with my configuration?
>
> thanks,
>
> /usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 *:ldap                  *:*                     LISTEN
> tcp        0      0 *:ldaps                 *:*                     LISTEN
>
> slapd.conf excerpt
> ==================
> TLSVerifyClient true
> TLSCipherSuite  HIGH
> TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
> TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
> TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem
>
> ldap.conf excerpt
> ==================
> TLS_CACERT      /usr/local/openldap/etc/openldap/slapd.pem
> TLS_CERT        /usr/local/openldap/etc/openldap/slapd.pem
> TLS_KEY         /usr/local/openldap/etc/openldap/slapd.key
> TLS_REQCERT allow
>
> filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 0 (0x0)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
>         Validity
>             Not Before: Jun 16 11:09:22 2003 GMT
>             Not After : Jun 14 11:09:22 2008 GMT
>         Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
>             X509v3 Authority Key Identifier:
>                 keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
>                 DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
>                 serial:00
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: md5WithRSAEncryption
>
> /------/
>
> ldapsearch -ZZ -d -1 -b "dc=fadesa"
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP localhost:389
> ldap_new_socket: -1
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 127.0.0.1:389
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_int_sasl_open: host=filemon.servidores.fadesa
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_flush: 31 bytes to sd 3
>   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
>   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
> ldap_write: want=31, written=31
>   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
>   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
> ldap_result msgid 1
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> wait4msg (infinite timeout), msgid 1
> wait4msg continue, msgid 1, all 1
> ** Connections:
> * host: localhost  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Mon Jun 16 13:54:07 2003
>
> ** Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** Response Queue:
>    Empty
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> ldap_int_select
> read1msg: msgid 1, all 1
> ber_get_next
> ldap_read: want=9, got=9
>   0000:  30 0c 02 01 01 78 07 0a  01                        0....x...
> ldap_read: want=5, got=5
>   0000:  00 04 00 04 00                                     .....
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
>   0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
> ldap_read: message type extended-result msgid 1, original id 1
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
>   0000:  78 07 0a 01 00 04 00 04  00                        x........
> read1msg:  0 new referrals
> read1msg:  mark request completed, id = 1
> request 1 done
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection
> ldap_free_connection: refcnt 1
> ldap_parse_extended_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
>   0000:  78 07 0a 01 00 04 00 04  00                        x........
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
>   0000:  78 07 0a 01 00 04 00 04  00                        x........
> ber_scanf fmt (}) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0
>
> ldap_msgfree
> TLS trace: SSL_connect:before/connect initialization
> tls_write: want=124, written=124
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> tls_read: want=7, got=7
>   0000:  16 03 01 00 4a 02 00                               ....J..
> tls_read: want=72, got=72
> TLS trace: SSL_connect:SSLv3 read server hello A
> tls_read: want=5, got=5
>   0000:  16 03 01 04 93                                     .....
> tls_read: want=1171, got=1171
> TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
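An added check for this archive page (not code from either posting): it recreates the original poster's layout, a single self-signed CA:TRUE certificate used both as slapd's TLSCertificateFile and as the clients' TLS_CACERT, and runs the same trust-anchor verification the ldap client performs before StartTLS completes, once with the right CA file and once with an unrelated one. It assumes `openssl` is in PATH; every file name and subject is constructed here.

```shell
#!/bin/sh
# Added example, not code from the list posting. Recreates the poster's layout:
# one self-signed certificate (CA:TRUE, as `openssl req -x509` produces) used as
# both the server certificate and the TLS_CACERT trust anchor, then runs the
# verification an ldap client does before it will talk over StartTLS.
# Assumes: openssl in PATH; all file names and subjects are constructed here.
set -e

WORK=$(mktemp -d)

# make_selfsigned NAME CN: write $WORK/NAME.key and $WORK/NAME.pem
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=ES/O=Example/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_against CAFILE CERT: succeed only if CERT chains to a cert in CAFILE.
# This is the check that TLS_CACERT plus a strict TLS_REQCERT makes the client do.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_errcode CAFILE CERT: print the X509_V_ERR number, or 0 on success.
# The number is the "err: N" shown in the TLS trace of ldapsearch -d -1;
# 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ("self signed certificate").
verify_errcode() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# Build the server's cert and, for the failing case, an unrelated one.
make_selfsigned server openldap
make_selfsigned other  unrelated-ca

# Case 1: TLS_CACERT is the server's own self-signed cert -> verifies (err 0).
echo "own file as CA:  err $(verify_errcode "$WORK/server.pem" "$WORK/server.pem")"
# Case 2: TLS_CACERT does not contain the server cert -> err 18, as in the trace.
echo "unrelated CA:    err $(verify_errcode "$WORK/other.pem" "$WORK/server.pem")"
```

If the file named by TLS_CACERT passes this check on the client host but ldapsearch still reports err 18, the client library is not reading that file, which is what copying the CA file to the client, as the reply describes, is meant to fix.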