Re: TLS headache
I have tried the instructions in your HOWTO (very clear / thank you!) after a
lot of time and frustration trying to set up an LDAP server with TLS, but the
client seems not to like the server certificate. Here are my configuration
files for openldap 2.1.21 on a RH8 Linux box:
/etc/openldap/slapd.conf:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema
loglevel 296
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never
access to * by read
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=prisma,dc=com"
rootdn "cn=root,dc=prisma,dc=com"
rootpw {SSHA}vZddgTWTErSxFyNG2MC8fnp4k/9zNadi
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
/etc/ldap.conf:
HOST 127.0.0.1
PORT 389
TLS_CACERT /usr/share/ssl/misc/demoCA/cacert.pem
TLS_CACERTDIR /usr/share/ssl/misc/demoCA
TLS_REQCERT never
This is the result of the ldapsearch with the -ZZ option, as seen in the slapd log:
conn=0 fd=12 ACCEPT from IP=127.0.0.1:32792 (IP=0.0.0.0:389)
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1069, written=1069
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1002
connection_read(12): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
conn=0 fd=12 closed
Needless to say, without TLS ldapsearch is OK and returns the correct search.
Sorry for the long mail, but I think this problem affects a lot of people.
Does it have to do with the server name or the CA names? Documentation states
that the DN of a server certificate must use the CN attribute to name the
server, and the CN must carry the server's fully qualified domain name. What
does it mean?
Thank you
Paolo
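As an added example (not code from the thread or from OpenLDAP), the Python below decodes the three byte sequences dumped in the slapd log above: the client's StartTLS ExtendedRequest, slapd's ExtendedResponse, and the alert record that ends the handshake. The decoded values show that StartTLS itself was accepted (resultCode 0) and that the connection dies inside the TLS handshake with fatal alert 48, unknown_ca, sent by the client because it cannot chain the server certificate to a CA it trusts.

```python
"""Decode the byte sequences the slapd debug log prints for the failed
StartTLS attempt: the ExtendedRequest, the ExtendedResponse and the TLS alert
record that aborts the handshake.  Added example, not OpenLDAP code."""

# Hex copied from the log dumps above (constructed test input).
STARTTLS_REQUEST_HEX = ("30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31"
                        " 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37")
STARTTLS_RESPONSE_HEX = "30 0c 02 01 01 78 07 0a 01 00 04 00 04 00"
TLS_ALERT_HEX = "15 03 01 00 02  02 30"   # record header, then the 2-byte alert

# RFC 2246 AlertDescription values that concern certificate validation.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 44: "certificate_revoked",
                      45: "certificate_expired", 46: "certificate_unknown",
                      48: "unknown_ca", 49: "access_denied"}

def _tlv(buf, pos):
    """Read one BER TLV at pos; returns (tag, value, next_pos).
    Handles the short and long definite length forms LDAP uses."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, buf[start:start + length], start + length

def decode_ldap_message(hexdump):
    """Decode an LDAPMessage carrying an ExtendedRequest or ExtendedResponse."""
    buf = bytes.fromhex(hexdump)
    tag, body, end = _tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    id_tag, msgid, pos = _tlv(body, 0)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, _ = _tlv(body, pos)
    msg = {"msgid": int.from_bytes(msgid, "big")}
    if op_tag == 0x77:                      # [APPLICATION 23] ExtendedRequest
        name_tag, name, _ = _tlv(op, 0)     # [0] requestName, an LDAPOID
        if name_tag != 0x80:
            raise ValueError("ExtendedRequest must start with requestName")
        msg.update(op="ExtendedRequest", requestName=name.decode("ascii"))
    elif op_tag == 0x78:                    # [APPLICATION 24] ExtendedResponse
        rc_tag, rc, pos = _tlv(op, 0)       # ENUMERATED resultCode
        _, matched, pos = _tlv(op, pos)     # LDAPDN matchedDN
        _, diag, pos = _tlv(op, pos)        # LDAPString diagnosticMessage
        if rc_tag != 0x0A:
            raise ValueError("resultCode must be an ENUMERATED")
        msg.update(op="ExtendedResponse", resultCode=int.from_bytes(rc, "big"),
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode())
    else:
        raise ValueError(f"unhandled protocolOp tag 0x{op_tag:02x}")
    return msg

def decode_tls_alert(hexdump):
    """Decode a TLS alert record (content type 21) as dumped in the log."""
    rec = bytes.fromhex(hexdump)
    if len(rec) != 7 or rec[0] != 0x15 or int.from_bytes(rec[3:5], "big") != 2:
        raise ValueError("expected a 5-byte record header plus a 2-byte alert")
    level, desc = rec[5], rec[6]
    return {"version": (rec[1], rec[2]),    # (3, 1) is TLS 1.0
            "level": ALERT_LEVELS.get(level, level),
            "description": ALERT_DESCRIPTIONS.get(desc, desc), "code": desc}

if __name__ == "__main__":
    print(decode_ldap_message(STARTTLS_REQUEST_HEX))
    print(decode_ldap_message(STARTTLS_RESPONSE_HEX))   # resultCode 0: StartTLS accepted
    print(decode_tls_alert(TLS_ALERT_HEX))              # fatal unknown_ca (48) from the client
```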
----- Original Message -----
From: "Kent Soper" <dksoper@us.ibm.com>
To: <ldap@fadesa.es>
Cc: <openldap-software@OpenLDAP.org>
Sent: Monday, June 16, 2003 9:25 PM
Subject: Re: TLS headache
> Hi Jose,
>
> I'm not sure whether you're trying to get server side TLS or server side
> TLS with client side authentication working. If you are only setting up
> server side TLS, then you don't need the TLSVerifyClient line in slapd.conf
> or much of the ldap.conf file.
>
> If you are trying to set up client authentication, then your user (client)
> will also need the TLS_CERT and TLS_KEY entries moved from ldap.conf to
> either a file called ldaprc or .ldaprc in the user's home directory or
> current directory.
>
> Please see the new doc
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html for various
> TLS/SSL issues. It's full of examples too. Well written (tongue firmly in
> cheek!!).
>
> Cheers,
> Kent Soper
>
> "You don't stop playing because you grow old ...
> you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> phone: 1-512-838-9216
> e-mail: dksoper@us.ibm.com
>
> "José M. Fandiño" <ldap@fadesa.es>
> Sent by: owner-openldap-software@OpenLDAP.org
> 06/16/2003 06:56 AM
> Please respond to ldap
> To: openldap-software@OpenLDAP.org
> cc:
> Subject: TLS headache
>
> Hello,
>
> I'm trying to make a TLS connection work between ldap clients and slapd,
> but I always get an ssl error. The configuration can't be simpler;
> I'm using a self-issued certificate.
>
> Please, can anyone tell me what's wrong with my configuration?
>
> thanks,
>
> /usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 *:ldap *:* LISTEN
> tcp 0 0 *:ldaps *:* LISTEN
>
> slapd.conf excerpt
> ==================
> TLSVerifyClient true
> TLSCipherSuite HIGH
> TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
> TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
> TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem
>
> ldap.conf excerpt
> ==================
> TLS_CACERT /usr/local/openldap/etc/openldap/slapd.pem
> TLS_CERT /usr/local/openldap/etc/openldap/slapd.pem
> TLS_KEY /usr/local/openldap/etc/openldap/slapd.key
> TLS_REQCERT allow
>
> filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem
> -noout -text
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 0 (0x0)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
> Validity
> Not Before: Jun 16 11:09:22 2003 GMT
> Not After : Jun 14 11:09:22 2008 GMT
> Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (2048 bit)
> Modulus (2048 bit):
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Subject Key Identifier:
> 25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
> X509v3 Authority Key Identifier:
>
> keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
> DirName:/C=ES/ST=La Coru\xF1a/L=La
> Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
> serial:00
>
> X509v3 Basic Constraints:
> CA:TRUE
> Signature Algorithm: md5WithRSAEncryption
>
> /------/
>
> ldapsearch -ZZ -d -1 -b "dc=fadesa"
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP localhost:389
> ldap_new_socket: -1
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 127.0.0.1:389
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_int_sasl_open: host=filemon.servidores.fadesa
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_flush: 31 bytes to sd 3
> 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
> 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
> ldap_write: want=31, written=31
> 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
> 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
> ldap_result msgid 1
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> wait4msg (infinite timeout), msgid 1
> wait4msg continue, msgid 1, all 1
> ** Connections:
> * host: localhost port: 389 (default)
> refcnt: 2 status: Connected
> last used: Mon Jun 16 13:54:07 2003
>
> ** Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ** Response Queue:
> Empty
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> ldap_int_select
> read1msg: msgid 1, all 1
> ber_get_next
> ldap_read: want=9, got=9
> 0000: 30 0c 02 01 01 78 07 0a 01 0....x...
> ldap_read: want=5, got=5
> 0000: 00 04 00 04 00 .....
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
> 0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........
> ldap_read: message type extended-result msgid 1, original id 1
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> 0000: 78 07 0a 01 00 04 00 04 00 x........
> read1msg: 0 new referrals
> read1msg: mark request completed, id = 1
> request 1 done
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection
> ldap_free_connection: refcnt 1
> ldap_parse_extended_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> 0000: 78 07 0a 01 00 04 00 04 00 x........
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
> 0000: 78 07 0a 01 00 04 00 04 00 x........
> ber_scanf fmt (}) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0
>
> ldap_msgfree
> TLS trace: SSL_connect:before/connect initialization
> tls_write: want=124, written=124
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> tls_read: want=7, got=7
> 0000: 16 03 01 00 4a 02 00 ....J..
> tls_read: want=72, got=72
> TLS trace: SSL_connect:SSLv3 read server hello A
> tls_read: want=5, got=5
> 0000: 16 03 01 04 93 .....
> tls_read: want=1171, got=1171
> TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed