
Re: TLS headache



I have tried the instructions in your HOWTO (very clear, thank you!), after a
lot of time and frustration trying to set up an LDAP server with TLS, but the
client seems not to like the server certificate. Here are my configuration
files for OpenLDAP 2.1.21 on a RH8 Linux box:

/etc/openldap/slapd.conf:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema

loglevel 296
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never
access to * by read

#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=prisma,dc=com"
rootdn "cn=root,dc=prisma,dc=com"
rootpw {SSHA}vZddgTWTErSxFyNG2MC8fnp4k/9zNadi
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial



/etc/ldap.conf:

HOST 127.0.0.1
PORT 389
TLS_CACERT /usr/share/ssl/misc/demoCA/cacert.pem
TLS_CACERTDIR /usr/share/ssl/misc/demoCA
TLS_REQCERT never



This is the result of ldapsearch with the -ZZ option, as seen in the slapd log:

conn=0 fd=12 ACCEPT from IP=127.0.0.1:32792 (IP=0.0.0.0:389)
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
0000: 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 ..............f.
0010: 00 05 00 00 04 03 00 80 01 00 80 08 00 80 00 00 ................
0020: 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 e..d..c..b..a..`
0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 ...........@....
0040: 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 ................
0050: 80 d6 47 98 b5 73 99 81 d2 68 e6 97 b8 90 c1 ed ..G..s...h......
0060: d0 76 73 9d a7 dc 96 f8 de 66 b0 ca c1 37 c2 65 .vs......f...7.e
0070: 0e .
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1069, written=1069
0000: 16 03 01 00 4a 02 00 00 46 03 01 3e ee ad 0b 74 ....J...F..>...t
0010: d4 44 d8 fe 96 28 8b 8c e2 e4 f2 20 82 ef d4 13 .D...(..... ....
0020: 17 84 8c 13 56 d0 79 bc d8 b6 55 20 16 18 66 79 ....V.y...U ..fy
0030: 8e 19 5c d4 52 89 73 a7 96 d8 2f 22 9b f1 8c 5c ..\.R.s.../"...\
0040: 3a e4 c3 9c 13 ba 32 ab 51 06 09 dc 00 0a 00 16 :.....2.Q.......
0050: 03 01 03 d0 0b 00 03 cc 00 03 c9 00 03 c6 30 82 ..............0.
0060: 03 c2 30 82 03 2b a0 03 02 01 02 02 01 01 30 0d ..0..+........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 94 ..*.H........0..
0080: 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0f 30 1.0...U....IT1.0
0090: 0d 06 03 55 04 08 13 06 4d 69 6c 61 6e 6f 31 0f ...U....Milano1.
00a0: 30 0d 06 03 55 04 07 13 06 4d 69 6c 61 6e 6f 31 0...U....Milano1
00b0: 1f 30 1d 06 03 55 04 0a 13 16 50 72 69 73 6d 61 .0...U....Prisma
00c0: 20 45 6e 67 69 6e 65 65 72 69 6e 67 20 73 72 6c Engineering srl
00d0: 31 0d 30 0b 06 03 55 04 0b 13 04 4c 44 41 50 31 1.0...U....LDAP1
00e0: 13 30 11 06 03 55 04 03 13 0a 70 72 69 73 6d 61 .0...U....prisma
00f0: 2e 63 6f 6d 31 1e 30 1c 06 09 2a 86 48 86 f7 0d .com1.0...*.H...
0100: 01 09 01 16 0f 6c 64 61 70 40 70 72 69 73 6d 61 .....ldap@prisma
0110: 2e 63 6f 6d 30 1e 17 0d 30 33 30 36 31 37 30 35 .com0...03061705
0120: 33 30 32 30 5a 17 0d 30 34 30 36 31 36 30 35 33 3020Z..040616053
0130: 30 32 30 5a 30 81 94 31 0b 30 09 06 03 55 04 06 020Z0..1.0...U..
0140: 13 02 49 54 31 0f 30 0d 06 03 55 04 08 13 06 4d ..IT1.0...U....M
0150: 69 6c 61 6e 6f 31 0f 30 0d 06 03 55 04 07 13 06 ilano1.0...U....
0160: 4d 69 6c 61 6e 6f 31 1f 30 1d 06 03 55 04 0a 13 Milano1.0...U...
0170: 16 50 72 69 73 6d 61 20 45 6e 67 69 6e 65 65 72 .Prisma Engineer
0180: 69 6e 67 20 73 72 6c 31 0d 30 0b 06 03 55 04 0b ing srl1.0...U..
0190: 13 04 4c 44 41 50 31 13 30 11 06 03 55 04 03 13 ..LDAP1.0...U...
01a0: 0a 70 72 69 73 6d 61 2e 63 6f 6d 31 1e 30 1c 06 .prisma.com1.0..
01b0: 09 2a 86 48 86 f7 0d 01 09 01 16 0f 6c 64 61 70 .*.H........ldap
01c0: 40 70 72 69 73 6d 61 2e 63 6f 6d 30 81 9f 30 0d @prisma.com0..0.
01d0: 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d ..*.H...........
01e0: 00 30 81 89 02 81 81 00 bd d9 8a d3 ce a6 89 35 .0.............5
01f0: c4 1d 79 3b 53 44 08 08 a7 92 2a e6 4d 5b db 35 ..y;SD....*.M[.5
0200: ec b7 2e ca 9b ea 4e 77 9e 98 8f de ff 67 ae d0 ......Nw.....g..
0210: f8 17 45 95 02 55 86 34 7a 2b a9 1f 23 3a cc 5e ..E..U.4z+..#:.^
0220: d9 5b 76 df 51 e6 07 fe b9 24 15 66 f8 9f 6d 29 .[v.Q....$.f..m)
0230: ea 96 21 66 a3 72 ef 20 d7 e7 6a fa f6 55 18 35 ..!f.r. ..j..U.5
0240: af c9 54 cf 84 f1 76 55 38 e5 5e 0f 95 53 b4 fd ..T...vU8.^..S..
0250: 1f 0a 3c 48 3b b4 cb 01 e1 ab 04 a6 70 a8 65 63 ..<H;.......p.ec
0260: 5f 8e 28 79 ff ca d1 61 02 03 01 00 01 a3 82 01 _.(y...a........
0270: 20 30 82 01 1c 30 09 06 03 55 1d 13 04 02 30 00 0...0...U....0.
0280: 30 2c 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 0,..`.H...B.....
0290: 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 .OpenSSL Generat
02a0: 65 64 20 43 65 72 74 69 66 69 63 61 74 65 30 1d ed Certificate0.
02b0: 06 03 55 1d 0e 04 16 04 14 24 59 e5 47 7e b2 95 ..U......$Y.G~..
02c0: c0 2c 62 ec 73 56 c1 ae b1 b1 77 f0 df 30 81 c1 .,b.sV....w..0..
02d0: 06 03 55 1d 23 04 81 b9 30 81 b6 80 14 1f 83 c3 ..U.#...0.......
02e0: e4 b0 f7 f9 eb bf de 5e 79 90 3d 73 64 18 c3 84 .......^y.=sd...
02f0: dd a1 81 9a a4 81 97 30 81 94 31 0b 30 09 06 03 .......0..1.0...
0300: 55 04 06 13 02 49 54 31 0f 30 0d 06 03 55 04 08 U....IT1.0...U..
0310: 13 06 4d 69 6c 61 6e 6f 31 0f 30 0d 06 03 55 04 ..Milano1.0...U.
0320: 07 13 06 4d 69 6c 61 6e 6f 31 1f 30 1d 06 03 55 ...Milano1.0...U
0330: 04 0a 13 16 50 72 69 73 6d 61 20 45 6e 67 69 6e ....Prisma Engin
0340: 65 65 72 69 6e 67 20 73 72 6c 31 0d 30 0b 06 03 eering srl1.0...
0350: 55 04 0b 13 04 4c 44 41 50 31 13 30 11 06 03 55 U....LDAP1.0...U
0360: 04 03 13 0a 70 72 69 73 6d 61 2e 63 6f 6d 31 1e ....prisma.com1.
0370: 30 1c 06 09 2a 86 48 86 f7 0d 01 09 01 16 0f 6c 0...*.H........l
0380: 64 61 70 40 70 72 69 73 6d 61 2e 63 6f 6d 82 01 dap@prisma.com..
0390: 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 .0...*.H........
03a0: 03 81 81 00 2d fb 74 28 0a 76 f5 b9 a3 cb ef 8c ....-.t(.v......
03b0: 0a df dd 67 8b 12 a3 7a b4 a6 28 83 6e 70 98 7b ...g...z..(.np.{
03c0: 7c 0c 68 4f d4 f4 f9 67 67 56 c9 e9 16 3a 28 8f |.hO...ggV...:(.
03d0: 37 fa 35 67 ae 1a a2 d5 82 c2 74 f6 a9 c0 cf f2 7.5g......t.....
03e0: 24 24 a0 fa bd bf 6e aa 15 e8 a6 8a 91 50 cd 18 $$....n......P..
03f0: 44 cc 4f be dd 69 e4 86 51 13 b2 68 66 a0 74 15 D.O..i..Q..hf.t.
0400: 7e 91 18 b4 36 33 97 d1 15 72 9c 1e 90 1b 72 5d ~...63...r....r]
0410: 80 43 d3 70 55 f0 b9 0c 46 99 2e 85 65 12 db 21 .C.pU...F...e..!
0420: 64 4b b3 c5 16 03 01 00 04 0e 00 00 00 dK...........
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1002
connection_read(12): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
conn=0 fd=12 closed



Needless to say, without TLS ldapsearch is OK and returns the correct search
result.

Sorry for the long mail, but I think this problem affects a lot of people.

Does it have to do with the server name or the CA names? The documentation
states that the DN of a server certificate must use the CN attribute to name
the server, and the CN must carry the server's fully qualified domain name.
What does it mean?

Thank you

Paolo

----- Original Message ----- 
From: "Kent Soper" <dksoper@us.ibm.com>
To: <ldap@fadesa.es>
Cc: <openldap-software@OpenLDAP.org>
Sent: Monday, June 16, 2003 9:25 PM
Subject: Re: TLS headache


>
>
>
>
> Hi Jose,
>
> I'm not sure whether you're trying to get server side TLS or server side
> TLS with client side authentication working.  If you are only setting up
> server side TLS, then you don't need the TLSVerifyClient line in slapd.conf
> or much of the ldap.conf file.
>
> If you are trying to set up client authentication, then your user (client)
> will also need the TLS_CERT and TLS_KEY entries moved from ldap.conf to
> either a file called ldaprc or .ldaprc in the user's home directory or
> current directory.
>
> Please see the new doc
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html for various
> TLS/SSL issues.  It's full of examples too.  Well written (tongue firmly in
> cheek!!).
>
> Cheers,
> Kent Soper
>
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> phone:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
>
>
>
>
>
> From: "José M. Fandiño" <ldap@fadesa.es>
> Sent by: owner-openldap-software@OpenLDAP.org
> To: openldap-software@OpenLDAP.org
> cc:
> Subject: TLS headache
> Date: 06/16/2003 06:56 AM
> Please respond to ldap
>
> Hello,
>
> I'm trying to make a TLS connection work between LDAP clients and slapd,
> but I always get an SSL error. The configuration can't be simpler:
> I'm using a self-issued certificate.
>
> Please, can anyone tell me what's wrong with my configuration?
>
> thanks,
>
> /usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 *:ldap                  *:*                     LISTEN
> tcp        0      0 *:ldaps                 *:*                     LISTEN
>
> slapd.conf excerpt
> ==================
> TLSVerifyClient true
> TLSCipherSuite  HIGH
> TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
> TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
> TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem
>
> ldap.conf excerpt
> ==================
> TLS_CACERT      /usr/local/openldap/etc/openldap/slapd.pem
> TLS_CERT        /usr/local/openldap/etc/openldap/slapd.pem
> TLS_KEY         /usr/local/openldap/etc/openldap/slapd.key
> TLS_REQCERT allow
>
> filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem
> -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 0 (0x0)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa,
> OU=informatica, CN=openldap/Email=none@fffff.ff
>         Validity
>             Not Before: Jun 16 11:09:22 2003 GMT
>             Not After : Jun 14 11:09:22 2008 GMT
>         Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa,
> OU=informatica, CN=openldap/Email=none@fffff.ff
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (2048 bit)
>                 Modulus (2048 bit):
>                     00:d7:38:ea:8e:a2:1d:56:de:38:05:c1:41:1f:c5:
>                     e1:06:27:28:1b:b6:86:56:7a:b2:bf:48:67:80:ab:
>                     15:89:61:0c:f9:c5:26:1b:f9:07:da:cc:da:c9:f1:
>                     64:0a:81:09:c3:6c:1d:26:1b:b9:35:0c:83:a6:0a:
>                     08:ef:02:ef:a5:9e:6f:17:23:20:72:0f:e3:62:88:
>                     40:f8:55:55:c2:75:7b:1d:b3:d8:bf:f2:50:f1:f9:
>                     45:d9:fa:ca:b5:df:b2:ed:8a:f9:8a:29:c2:48:b5:
>                     ad:4e:c2:d9:54:55:cf:5a:54:d8:3b:f9:3c:ea:d2:
>                     8d:eb:8d:d1:45:4c:c5:1e:87:9d:35:2a:d9:94:fd:
>                     a9:0d:17:3f:ca:15:8d:f6:48:80:1b:31:4b:46:99:
>                     cd:e7:93:cb:92:9c:25:22:f5:ab:9a:01:90:20:c6:
>                     70:6b:8d:d1:dd:3b:73:f1:7a:9f:d8:31:fc:b4:4d:
>                     e8:d9:53:1b:45:87:6d:51:4e:40:48:bd:0d:b1:a4:
>                     3f:51:37:0a:f1:0b:bb:18:be:02:69:a5:ce:67:85:
>                     91:25:3a:44:85:bf:6f:ee:cb:cc:44:71:6c:57:99:
>                     74:0a:15:ef:7b:e7:29:79:8a:5a:3b:6e:61:ba:09:
>                     7f:73:33:da:31:3d:e0:05:da:32:c9:0c:12:64:1a:
>                     a1:87
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
>             X509v3 Authority Key Identifier:
>                 keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
>                 DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
>                 serial:00
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: md5WithRSAEncryption
>         90:81:6e:b2:72:4c:70:2f:c4:5a:41:90:70:0b:0c:77:d0:18:
>         af:e2:a5:13:4f:4b:41:23:87:05:a2:6c:f1:d5:8d:84:34:a6:
>         fd:5a:c0:93:9f:b2:a4:4d:0b:d6:fd:7b:28:45:f4:35:b4:a9:
>         2c:29:1f:6a:c4:5e:87:d2:59:e1:75:1d:9f:2b:3d:69:cd:d9:
>         da:b7:15:03:0d:2c:b4:1d:c2:8e:a2:45:47:a9:e7:2a:3d:28:
>         22:2b:41:49:25:0e:38:ee:0c:84:b9:e4:1b:f8:07:e8:3b:1a:
>         4c:de:68:50:20:fb:2e:f0:74:a2:db:c2:96:95:65:c1:de:e8:
>         a2:3d:f6:a9:48:9e:1f:e4:67:ba:59:e5:9a:cb:d6:79:34:7f:
>         4d:9a:8e:4a:66:68:d4:59:6f:d7:86:ac:32:8c:3c:f4:e4:60:
>         a0:3c:6a:e3:0c:e6:b8:46:b6:1e:c6:25:20:04:5a:93:4f:c2:
>         90:3c:b6:7f:88:08:d1:09:59:e7:a1:a7:b4:04:53:28:5b:b2:
>         8f:4d:08:58:d2:c2:37:ee:56:ee:23:15:e3:c7:e5:e0:f2:77:
>         cb:d9:58:43:53:be:18:1a:f3:8a:19:5b:36:30:49:3c:a4:cb:
>         58:78:fc:9f:92:c1:1d:f0:5e:d4:e3:da:8f:0c:5a:74:18:27:
>         30:8d:20:cc
>
>              /------/
>
> ldapsearch -ZZ -d -1 -b "dc=fadesa"
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP localhost:389
> ldap_new_socket: -1
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 127.0.0.1:389
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_int_sasl_open: host=filemon.servidores.fadesa
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_flush: 31 bytes to sd 3
>   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
>   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
> ldap_write: want=31, written=31
>   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
>   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
> ldap_result msgid 1
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> wait4msg (infinite timeout), msgid 1
> wait4msg continue, msgid 1, all 1
> ** Connections:
> * host: localhost  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Mon Jun 16 13:54:07 2003
>
> ** Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** Response Queue:
>    Empty
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> ldap_int_select
> read1msg: msgid 1, all 1
> ber_get_next
> ldap_read: want=9, got=9
>   0000:  30 0c 02 01 01 78 07 0a  01                        0....x...
> ldap_read: want=5, got=5
>   0000:  00 04 00 04 00                                     .....
> ber_get_next: tag 0x30 len 12 contents:
> ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
>   0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
> ldap_read: message type extended-result msgid 1, original id 1
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
>   0000:  78 07 0a 01 00 04 00 04  00                        x........
> read1msg:  0 new referrals
> read1msg:  mark request completed, id = 1
> request 1 done
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection
> ldap_free_connection: refcnt 1
> ldap_parse_extended_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
>   0000:  78 07 0a 01 00 04 00 04  00                        x........
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
>   0000:  78 07 0a 01 00 04 00 04  00                        x........
> ber_scanf fmt (}) ber:
> ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0
>
> ldap_msgfree
> TLS trace: SSL_connect:before/connect initialization
> tls_write: want=124, written=124
>   0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 16 00 00   .z....Q... .....
>   0010:  13 00 00 0a 07 00 c0 00  00 66 00 00 05 00 00 04   .........f......
>   0020:  03 00 80 01 00 80 08 00  80 00 00 65 00 00 64 00   ...........e..d.
>   0030:  00 63 00 00 62 00 00 61  00 00 60 00 00 15 00 00   .c..b..a..`.....
>   0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08   ......@.........
>   0050:  00 00 06 00 00 03 04 00  80 02 00 80 39 13 8b a0   ............9...
>   0060:  72 49 06 d9 a2 aa 96 66  d6 a7 cc a6 5b f3 c8 52   rI.....f....[..R
>   0070:  b0 98 c2 d9 ea f4 d7 68  fb 1a 74 07               .......h..t.
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> tls_read: want=7, got=7
>   0000:  16 03 01 00 4a 02 00                               ....J..
> tls_read: want=72, got=72
>   0000:  00 46 03 01 3e ed af df  ac 36 d2 53 17 d5 a0 12   .F..>....6.S....
>   0010:  d3 ed 59 a0 c1 76 d2 06  64 e6 06 8e 52 8e d9 85   ..Y..v..d...R...
>   0020:  80 ce 6d 47 20 8c 89 00  18 6a 0c 2b d9 ff c5 44   ..mG ....j.+...D
>   0030:  d5 65 79 1a 7a f8 26 99  b4 6a e3 fa c4 9c 49 10   .ey.z.&..j....I.
>   0040:  9f d1 77 2b 09 00 0a 00                            ..w+....
> TLS trace: SSL_connect:SSLv3 read server hello A
> tls_read: want=5, got=5
>   0000:  16 03 01 04 93                                     .....
> tls_read: want=1171, got=1171
>   0000:  0b 00 04 8f 00 04 8c 00  04 89 30 82 04 85 30 82   ..........0...0.
>   0010:  03 6d a0 03 02 01 02 02  01 00 30 0d 06 09 2a 86   .m........0...*.
>   0020:  48 86 f7 0d 01 01 04 05  00 30 81 8d 31 0b 30 09   H........0..1.0.
>   0030:  06 03 55 04 06 13 02 45  53 31 12 30 10 06 03 55   ..U....ES1.0...U
>   0040:  04 08 14 09 4c 61 20 43  6f 72 75 f1 61 31 12 30   ....La Coru.a1.0
>   0050:  10 06 03 55 04 07 14 09  4c 61 20 43 6f 72 75 f1   ...U....La Coru.
>   0060:  61 31 0f 30 0d 06 03 55  04 0a 13 06 46 61 64 65   a1.0...U....Fade
>   0070:  73 61 31 14 30 12 06 03  55 04 0b 13 0b 69 6e 66   sa1.0...U....inf
>   0080:  6f 72 6d 61 74 69 63 61  31 11 30 0f 06 03 55 04   ormatica1.0...U.
>   0090:  03 13 08 6f 70 65 6e 6c  64 61 70 31 1c 30 1a 06   ...openldap1.0..
>   00a0:  09 2a 86 48 86 f7 0d 01  09 01 16 0d 6e 6f 6e 65   .*.H........none
>   00b0:  40 66 66 66 66 66 2e 66  66 30 1e 17 0d 30 33 30   @fffff.ff0...030
>   00c0:  36 31 36 31 31 30 39 32  32 5a 17 0d 30 38 30 36   616110922Z..0806
>   00d0:  31 34 31 31 30 39 32 32  5a 30 81 8d 31 0b 30 09   14110922Z0..1.0.
>   00e0:  06 03 55 04 06 13 02 45  53 31 12 30 10 06 03 55   ..U....ES1.0...U
>   00f0:  04 08 14 09 4c 61 20 43  6f 72 75 f1 61 31 12 30   ....La Coru.a1.0
>   0100:  10 06 03 55 04 07 14 09  4c 61 20 43 6f 72 75 f1   ...U....La Coru.
>   0110:  61 31 0f 30 0d 06 03 55  04 0a 13 06 46 61 64 65   a1.0...U....Fade
>   0120:  73 61 31 14 30 12 06 03  55 04 0b 13 0b 69 6e 66   sa1.0...U....inf
>   0130:  6f 72 6d 61 74 69 63 61  31 11 30 0f 06 03 55 04   ormatica1.0...U.
>   0140:  03 13 08 6f 70 65 6e 6c  64 61 70 31 1c 30 1a 06   ...openldap1.0..
>   0150:  09 2a 86 48 86 f7 0d 01  09 01 16 0d 6e 6f 6e 65   .*.H........none
>   0160:  40 66 66 66 66 66 2e 66  66 30 82 01 22 30 0d 06   @fffff.ff0.."0..
>   0170:  09 2a 86 48 86 f7 0d 01  01 01 05 00 03 82 01 0f   .*.H............
>   0180:  00 30 82 01 0a 02 82 01  01 00 d7 38 ea 8e a2 1d   .0.........8....
>   0190:  56 de 38 05 c1 41 1f c5  e1 06 27 28 1b b6 86 56   V.8..A....'(...V
>   01a0:  7a b2 bf 48 67 80 ab 15  89 61 0c f9 c5 26 1b f9   z..Hg....a...&..
>   01b0:  07 da cc da c9 f1 64 0a  81 09 c3 6c 1d 26 1b b9   ......d....l.&..
>   01c0:  35 0c 83 a6 0a 08 ef 02  ef a5 9e 6f 17 23 20 72   5..........o.# r
>   01d0:  0f e3 62 88 40 f8 55 55  c2 75 7b 1d b3 d8 bf f2   ..b.@.UU.u{.....
>   01e0:  50 f1 f9 45 d9 fa ca b5  df b2 ed 8a f9 8a 29 c2   P..E..........).
>   01f0:  48 b5 ad 4e c2 d9 54 55  cf 5a 54 d8 3b f9 3c ea   H..N..TU.ZT.;.<.
>   0200:  d2 8d eb 8d d1 45 4c c5  1e 87 9d 35 2a d9 94 fd   .....EL....5*...
>   0210:  a9 0d 17 3f ca 15 8d f6  48 80 1b 31 4b 46 99 cd   ...?....H..1KF..
>   0220:  e7 93 cb 92 9c 25 22 f5  ab 9a 01 90 20 c6 70 6b   .....%"..... .pk
>   0230:  8d d1 dd 3b 73 f1 7a 9f  d8 31 fc b4 4d e8 d9 53   ...;s.z..1..M..S
>   0240:  1b 45 87 6d 51 4e 40 48  bd 0d b1 a4 3f 51 37 0a   .E.mQN@H....?Q7.
>   0250:  f1 0b bb 18 be 02 69 a5  ce 67 85 91 25 3a 44 85   ......i..g..%:D.
>   0260:  bf 6f ee cb cc 44 71 6c  57 99 74 0a 15 ef 7b e7   .o...DqlW.t...{.
>   0270:  29 79 8a 5a 3b 6e 61 ba  09 7f 73 33 da 31 3d e0   )y.Z;na...s3.1=.
>   0280:  05 da 32 c9 0c 12 64 1a  a1 87 02 03 01 00 01 a3   ..2...d.........
>   0290:  81 ed 30 81 ea 30 1d 06  03 55 1d 0e 04 16 04 14   ..0..0...U......
>   02a0:  25 18 ef 9a 09 20 44 11  fc 3a b7 6c 67 7e 80 b4   %.... D..:.lg~..
>   02b0:  3c 21 ef 64 30 81 ba 06  03 55 1d 23 04 81 b2 30   <!.d0....U.#...0
>   02c0:  81 af 80 14 25 18 ef 9a  09 20 44 11 fc 3a b7 6c   ....%.... D..:.l
>   02d0:  67 7e 80 b4 3c 21 ef 64  a1 81 93 a4 81 90 30 81   g~..<!.d......0.
>   02e0:  8d 31 0b 30 09 06 03 55  04 06 13 02 45 53 31 12   .1.0...U....ES1.
>   02f0:  30 10 06 03 55 04 08 14  09 4c 61 20 43 6f 72 75   0...U....La Coru
>   0300:  f1 61 31 12 30 10 06 03  55 04 07 14 09 4c 61 20   .a1.0...U....La 
>   0310:  43 6f 72 75 f1 61 31 0f  30 0d 06 03 55 04 0a 13   Coru.a1.0...U...
>   0320:  06 46 61 64 65 73 61 31  14 30 12 06 03 55 04 0b   .Fadesa1.0...U..
>   0330:  13 0b 69 6e 66 6f 72 6d  61 74 69 63 61 31 11 30   ..informatica1.0
>   0340:  0f 06 03 55 04 03 13 08  6f 70 65 6e 6c 64 61 70   ...U....openldap
>   0350:  31 1c 30 1a 06 09 2a 86  48 86 f7 0d 01 09 01 16   1.0...*.H.......
>   0360:  0d 6e 6f 6e 65 40 66 66  66 66 66 2e 66 66 82 01   .none@fffff.ff..
>   0370:  00 30 0c 06 03 55 1d 13  04 05 30 03 01 01 ff 30   .0...U....0....0
>   0380:  0d 06 09 2a 86 48 86 f7  0d 01 01 04 05 00 03 82   ...*.H..........
>   0390:  01 01 00 90 81 6e b2 72  4c 70 2f c4 5a 41 90 70   .....n.rLp/.ZA.p
>   03a0:  0b 0c 77 d0 18 af e2 a5  13 4f 4b 41 23 87 05 a2   ..w......OKA#...
>   03b0:  6c f1 d5 8d 84 34 a6 fd  5a c0 93 9f b2 a4 4d 0b   l....4..Z.....M.
>   03c0:  d6 fd 7b 28 45 f4 35 b4  a9 2c 29 1f 6a c4 5e 87   ..{(E.5..,).j.^.
>   03d0:  d2 59 e1 75 1d 9f 2b 3d  69 cd d9 da b7 15 03 0d   .Y.u..+=i.......
>   03e0:  2c b4 1d c2 8e a2 45 47  a9 e7 2a 3d 28 22 2b 41   ,.....EG..*=("+A
>   03f0:  49 25 0e 38 ee 0c 84 b9  e4 1b f8 07 e8 3b 1a 4c   I%.8.........;.L
>   0400:  de 68 50 20 fb 2e f0 74  a2 db c2 96 95 65 c1 de   .hP ...t.....e..
>   0410:  e8 a2 3d f6 a9 48 9e 1f  e4 67 ba 59 e5 9a cb d6   ..=..H...g.Y....
>   0420:  79 34 7f 4d 9a 8e 4a 66  68 d4 59 6f d7 86 ac 32   y4.M..Jfh.Yo...2
>   0430:  8c 3c f4 e4 60 a0 3c 6a  e3 0c e6 b8 46 b6 1e c6   .<..`.<j....F...
>   0440:  25 20 04 5a 93 4f c2 90  3c b6 7f 88 08 d1 09 59   % .Z.O..<......Y
>   0450:  e7 a1 a7 b4 04 53 28 5b  b2 8f 4d 08 58 d2 c2 37   .....S([..M.X..7
>   0460:  ee 56 ee 23 15 e3 c7 e5  e0 f2 77 cb d9 58 43 53   .V.#......w..XCS
>   0470:  be 18 1a f3 8a 19 5b 36  30 49 3c a4 cb 58 78 fc   ......[60I<..Xx.
>   0480:  9f 92 c1 1d f0 5e d4 e3  da 8f 0c 5a 74 18 27 30   .....^.....Zt.'0
>   0490:  8d 20 cc                                           . .
> TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> --
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.1
> GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
> O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
> G++ e- h+(++) !r !z
> ------END GEEK CODE BLOCK------
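Editor's note on the two traces above, with an added example (mine, not code from the thread or from OpenLDAP). In both cases it is the *client* that aborts the handshake: libldap verifies the server's certificate against the CA file named by the client's TLS_CACERT, OpenSSL's verify callback fails (José's log shows it explicitly: "depth: 0, err: 18 ... self signed certificate"), and the client answers with the fatal "unknown CA" alert that slapd logs as "tlsv1 alert unknown ca". Paolo's setup has the server's CA in /etc/openldap/cacert.pem but the client's TLS_CACERT pointing at /usr/share/ssl/misc/demoCA/cacert.pem; unless those are the same CA the chain cannot be built. Two further caveats a practitioner will want: libldap reads its options from /etc/openldap/ldap.conf (or ~/.ldaprc), not from /etc/ldap.conf, which belongs to nss_ldap/pam_ldap, so a TLS_REQCERT set only in /etc/ldap.conf does not reach ldapsearch; and the "CN must be the FQDN" rule Paolo quotes is the hostname check, which comes *after* chain verification and compares the CN with the name the client was given (127.0.0.1 here, not prisma.com). The script below reproduces both checks offline with the openssl CLI before slapd is involved. Every name and file in it is made up for the demo, and the CN comparison is a deliberate simplification (it ignores subjectAltName).

```shell
#!/bin/sh
# Added example (editor's, not from the thread): check a slapd server certificate
# the way libldap's StartTLS client will, before touching slapd.conf.
#   1. the chain must verify against the file the *client* has in TLS_CACERT;
#   2. the CN should be the FQDN the client connects to (simplified: this
#      ignores subjectAltName).
# Names and files are hypothetical; requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throwaway CA. Its certificate is what belongs in the client's TLS_CACERT.
make_ca() {           # $1 = CA name, $2 = basename for key/cert under $WORK
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=$1/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# A server certificate signed by that CA, with the FQDN in CN.
make_server_cert() {  # $1 = FQDN, $2 = CA basename
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$1" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/servercert.pem" 2>/dev/null
}

# Check 1, what the client does first: build a chain from the server cert to a
# CA it trusts. If the issuer is not in TLS_CACERT this fails ("unable to get
# local issuer certificate", or "self signed certificate", err 18 in the
# thread), and the TLS layer reports that to the server as a fatal 'unknown ca'.
chain_ok() {          # $1 = client's TLS_CACERT, $2 = server cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pull the CN out of a certificate's subject (RFC 2253 form is stable across
# OpenSSL versions).
cert_cn() {           # $1 = cert file
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check 2: the CN must name the host the client was told to connect to.
name_ok() {           # $1 = cert file, $2 = host given to the client (HOST / -H)
  [ "$(cert_cn "$1")" = "$2" ]
}

make_ca "Example LDAP CA" ca
make_server_cert ldap.example.com ca
# A second, unrelated CA stands in for a stale demoCA/cacert.pem on the client.
make_ca "Some Other CA" otherca

if chain_ok "$WORK/ca.pem" "$WORK/servercert.pem"; then
  echo "chain vs the signing CA:  ok"
fi
if ! chain_ok "$WORK/otherca.pem" "$WORK/servercert.pem"; then
  echo "chain vs a different CA:  rejected -> client would send 'unknown ca'"
fi
if name_ok "$WORK/servercert.pem" ldap.example.com; then
  echo "CN vs ldap.example.com:   ok"
fi
if ! name_ok "$WORK/servercert.pem" 127.0.0.1; then
  echo "CN vs 127.0.0.1:          mismatch (CN=$(cert_cn "$WORK/servercert.pem"))"
fi
```

Once both checks pass for the real files, point the client at the same CA file slapd uses (TLS_CACERT in /etc/openldap/ldap.conf, or the LDAPTLS_CACERT environment variable for a one-off test) and connect by the FQDN in CN rather than by 127.0.0.1; only then is TLS_REQCERT never no longer needed to get past the handshake, and it should not be left in place, since it disables exactly the check that protects the bind credentials.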