
Re: TLS headache



Paolo Marini wrote:
I have tried the instructions in your HOWTO (very clear / thank you!), after a lot of time and frustration trying to set up an LDAP server with TLS, but the client seems not to like the server certificate. Here are my configuration files for the openldap 2.1.21 on a RH8 linux box:

/etc/openldap/slapd.conf:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema

loglevel 296
pidfile /var/run/slapd.pid
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never
access to * by read
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=prisma,dc=com"
rootdn "cn=root,dc=prisma,dc=com"
rootpw {SSHA}vZddgTWTErSxFyNG2MC8fnp4k/9zNadi
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

/etc/ldap.conf:

HOST 127.0.0.1
PORT 389
TLS_CACERT /usr/share/ssl/misc/demoCA/cacert.pem
TLS_CACERTDIR /usr/share/ssl/misc/demoCA
TLS_REQCERT never

This is the result of ldapsearch with the -ZZ option, as seen in the slapd log:

conn=0 fd=12 ACCEPT from IP=127.0.0.1:32792 (IP=0.0.0.0:389)
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
0000: 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 ..............f.
0010: 00 05 00 00 04 03 00 80 01 00 80 08 00 80 00 00 ................
0020: 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 e..d..c..b..a..`
0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 ...........@....
0040: 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 ................
0050: 80 d6 47 98 b5 73 99 81 d2 68 e6 97 b8 90 c1 ed ..G..s...h......
0060: d0 76 73 9d a7 dc 96 f8 de 66 b0 ca c1 37 c2 65 .vs......f...7.e
0070: 0e .
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1069, written=1069
0000: 16 03 01 00 4a 02 00 00 46 03 01 3e ee ad 0b 74 ....J...F..>...t
0010: d4 44 d8 fe 96 28 8b 8c e2 e4 f2 20 82 ef d4 13 .D...(..... ....
0020: 17 84 8c 13 56 d0 79 bc d8 b6 55 20 16 18 66 79 ....V.y...U ..fy
0030: 8e 19 5c d4 52 89 73 a7 96 d8 2f 22 9b f1 8c 5c ..\.R.s.../"...\
0040: 3a e4 c3 9c 13 ba 32 ab 51 06 09 dc 00 0a 00 16 :.....2.Q.......
0050: 03 01 03 d0 0b 00 03 cc 00 03 c9 00 03 c6 30 82 ..............0.
0060: 03 c2 30 82 03 2b a0 03 02 01 02 02 01 01 30 0d ..0..+........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 94 ..*.H........0..
0080: 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0f 30 1.0...U....IT1.0
0090: 0d 06 03 55 04 08 13 06 4d 69 6c 61 6e 6f 31 0f ...U....Milano1.
00a0: 30 0d 06 03 55 04 07 13 06 4d 69 6c 61 6e 6f 31 0...U....Milano1
00b0: 1f 30 1d 06 03 55 04 0a 13 16 50 72 69 73 6d 61 .0...U....Prisma
00c0: 20 45 6e 67 69 6e 65 65 72 69 6e 67 20 73 72 6c Engineering srl
00d0: 31 0d 30 0b 06 03 55 04 0b 13 04 4c 44 41 50 31 1.0...U....LDAP1
00e0: 13 30 11 06 03 55 04 03 13 0a 70 72 69 73 6d 61 .0...U....prisma
00f0: 2e 63 6f 6d 31 1e 30 1c 06 09 2a 86 48 86 f7 0d .com1.0...*.H...
0100: 01 09 01 16 0f 6c 64 61 70 40 70 72 69 73 6d 61 .....ldap@prisma
0110: 2e 63 6f 6d 30 1e 17 0d 30 33 30 36 31 37 30 35 .com0...03061705
0120: 33 30 32 30 5a 17 0d 30 34 30 36 31 36 30 35 33 3020Z..040616053
0130: 30 32 30 5a 30 81 94 31 0b 30 09 06 03 55 04 06 020Z0..1.0...U..
0140: 13 02 49 54 31 0f 30 0d 06 03 55 04 08 13 06 4d ..IT1.0...U....M
0150: 69 6c 61 6e 6f 31 0f 30 0d 06 03 55 04 07 13 06 ilano1.0...U....
0160: 4d 69 6c 61 6e 6f 31 1f 30 1d 06 03 55 04 0a 13 Milano1.0...U...
0170: 16 50 72 69 73 6d 61 20 45 6e 67 69 6e 65 65 72 .Prisma Engineer
0180: 69 6e 67 20 73 72 6c 31 0d 30 0b 06 03 55 04 0b ing srl1.0...U..
0190: 13 04 4c 44 41 50 31 13 30 11 06 03 55 04 03 13 ..LDAP1.0...U...
01a0: 0a 70 72 69 73 6d 61 2e 63 6f 6d 31 1e 30 1c 06 .prisma.com1.0..
01b0: 09 2a 86 48 86 f7 0d 01 09 01 16 0f 6c 64 61 70 .*.H........ldap
01c0: 40 70 72 69 73 6d 61 2e 63 6f 6d 30 81 9f 30 0d @prisma.com0..0.
01d0: 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d ..*.H...........
01e0: 00 30 81 89 02 81 81 00 bd d9 8a d3 ce a6 89 35 .0.............5
01f0: c4 1d 79 3b 53 44 08 08 a7 92 2a e6 4d 5b db 35 ..y;SD....*.M[.5
0200: ec b7 2e ca 9b ea 4e 77 9e 98 8f de ff 67 ae d0 ......Nw.....g..
0210: f8 17 45 95 02 55 86 34 7a 2b a9 1f 23 3a cc 5e ..E..U.4z+..#:.^
0220: d9 5b 76 df 51 e6 07 fe b9 24 15 66 f8 9f 6d 29 .[v.Q....$.f..m)
0230: ea 96 21 66 a3 72 ef 20 d7 e7 6a fa f6 55 18 35 ..!f.r. ..j..U.5
0240: af c9 54 cf 84 f1 76 55 38 e5 5e 0f 95 53 b4 fd ..T...vU8.^..S..
0250: 1f 0a 3c 48 3b b4 cb 01 e1 ab 04 a6 70 a8 65 63 ..<H;.......p.ec
0260: 5f 8e 28 79 ff ca d1 61 02 03 01 00 01 a3 82 01 _.(y...a........
0270: 20 30 82 01 1c 30 09 06 03 55 1d 13 04 02 30 00 0...0...U....0.
0280: 30 2c 06 09 60 86 48 01 86 f8 42 01 0d 04 1f 16 0,..`.H...B.....
0290: 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 61 74 .OpenSSL Generat
02a0: 65 64 20 43 65 72 74 69 66 69 63 61 74 65 30 1d ed Certificate0.
02b0: 06 03 55 1d 0e 04 16 04 14 24 59 e5 47 7e b2 95 ..U......$Y.G~..
02c0: c0 2c 62 ec 73 56 c1 ae b1 b1 77 f0 df 30 81 c1 .,b.sV....w..0..
02d0: 06 03 55 1d 23 04 81 b9 30 81 b6 80 14 1f 83 c3 ..U.#...0.......
02e0: e4 b0 f7 f9 eb bf de 5e 79 90 3d 73 64 18 c3 84 .......^y.=sd...
02f0: dd a1 81 9a a4 81 97 30 81 94 31 0b 30 09 06 03 .......0..1.0...
0300: 55 04 06 13 02 49 54 31 0f 30 0d 06 03 55 04 08 U....IT1.0...U..
0310: 13 06 4d 69 6c 61 6e 6f 31 0f 30 0d 06 03 55 04 ..Milano1.0...U.
0320: 07 13 06 4d 69 6c 61 6e 6f 31 1f 30 1d 06 03 55 ...Milano1.0...U
0330: 04 0a 13 16 50 72 69 73 6d 61 20 45 6e 67 69 6e ....Prisma Engin
0340: 65 65 72 69 6e 67 20 73 72 6c 31 0d 30 0b 06 03 eering srl1.0...
0350: 55 04 0b 13 04 4c 44 41 50 31 13 30 11 06 03 55 U....LDAP1.0...U
0360: 04 03 13 0a 70 72 69 73 6d 61 2e 63 6f 6d 31 1e ....prisma.com1.
0370: 30 1c 06 09 2a 86 48 86 f7 0d 01 09 01 16 0f 6c 0...*.H........l
0380: 64 61 70 40 70 72 69 73 6d 61 2e 63 6f 6d 82 01 dap@prisma.com..
0390: 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 .0...*.H........
03a0: 03 81 81 00 2d fb 74 28 0a 76 f5 b9 a3 cb ef 8c ....-.t(.v......
03b0: 0a df dd 67 8b 12 a3 7a b4 a6 28 83 6e 70 98 7b ...g...z..(.np.{
03c0: 7c 0c 68 4f d4 f4 f9 67 67 56 c9 e9 16 3a 28 8f |.hO...ggV...:(.
03d0: 37 fa 35 67 ae 1a a2 d5 82 c2 74 f6 a9 c0 cf f2 7.5g......t.....
03e0: 24 24 a0 fa bd bf 6e aa 15 e8 a6 8a 91 50 cd 18 $$....n......P..
03f0: 44 cc 4f be dd 69 e4 86 51 13 b2 68 66 a0 74 15 D.O..i..Q..hf.t.
0400: 7e 91 18 b4 36 33 97 d1 15 72 9c 1e 90 1b 72 5d ~...63...r....r]
0410: 80 43 d3 70 55 f0 b9 0c 46 99 2e 85 65 12 db 21 .C.pU...F...e..!
0420: 64 4b b3 c5 16 03 01 00 04 0e 00 00 00 dK...........
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1002
connection_read(12): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
conn=0 fd=12 closed



Needless to say, without TLS ldapsearch is OK and returns the correct search.

Sorry for the long mail, but I think this problem affects a lot of people.

Does it have to do with server name, CA names? Documentation states that the DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name. What does it mean?

Thank you

Paolo
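The slapd trace above records the failed handshake byte by byte but never says what the bytes mean. The decoder below is an added example, not code from this thread or from OpenLDAP: it takes the record bytes copied from the hex dumps (the SSLv2-compatible ClientHello header that slapd reads first, the ServerHello and ServerHelloDone records from the server's 1069-byte write, with the 976-byte Certificate record between them left out for brevity, and the seven-byte alert the client sends back) and labels each one with its content type, handshake message, negotiated cipher suite, and alert level and description. The alert description value 48 is what OpenSSL reports on the slapd side as "tlsv1 alert unknown ca"; the name tables come from RFC 2246 and are the only part not taken from the trace.

```python
"""Decode the TLS records captured in an OpenLDAP debug trace.

Added example, not code from the thread or from OpenLDAP. The three fixtures
are copied from the hex dumps above (slapd loglevel 296 and ldapsearch -d -1);
the 976-byte Certificate record that sits between ServerHello and
ServerHelloDone in the server flight is left out to keep the fixture short.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# RFC 2246 section 7.2.2; a received 48 is what OpenSSL prints as "tlsv1 alert unknown ca"
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      42: "bad_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied",
                      50: "decode_error", 51: "decrypt_error", 80: "internal_error"}
CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

# slapd "tls_read: want=11": header of the SSLv2-compatible ClientHello sent by ldapsearch
CLIENT_HELLO_V2 = bytes.fromhex("80 7a 01 03 01 00 51 00 00 00 20")
# slapd "tls_write: want=1069": ServerHello record, then ServerHelloDone record
SERVER_FLIGHT = bytes.fromhex(
    "16 03 01 00 4a  02 00 00 46  03 01"
    "3eeead0b74d444d8fe96288b8ce2e4f22082efd41317848c1356d079bcd8b655"    # random
    "20 16186679 8e195cd4528973a796d82f229bf18c5c3ae4c39c13ba32ab510609dc"  # session id
    "00 0a 00"                                                             # suite, compression
    "16 03 01 00 04  0e 00 00 00")
# ldapsearch "tls_write: want=7": the alert the client sent back (slapd reads the same bytes)
CLIENT_ALERT = bytes.fromhex("15 03 01 00 02 02 30")


def decode_sslv2_client_hello(data: bytes) -> dict:
    """SSLv2-style ClientHello: 2-byte header with the high bit set, then msg type,
    version, cipher-spec length, session-id length and challenge length."""
    if not data[0] & 0x80:
        raise ValueError("not an SSLv2-compatible record header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBBHHH", data[2:11])
    return {"record_length": length, "msg_type": msg_type, "version": f"{major}.{minor}",
            "cipher_specs": cs_len // 3, "session_id_len": sid_len, "challenge_len": ch_len,
            # the three lengths plus the 9-byte header must add up to the record length
            "consistent": length == 9 + cs_len + sid_len + ch_len}


def decode_server_hello(body: bytes) -> dict:
    """version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1)."""
    major, minor, sid_len = body[0], body[1], body[34]
    pos = 35 + sid_len
    suite = int.from_bytes(body[pos:pos + 2], "big")
    return {"version": f"{major}.{minor}", "session_id_len": sid_len,
            "cipher_suite": CIPHER_SUITES.get(suite, f"0x{suite:04x}")}


def decode_handshake(body: bytes) -> list:
    """Split a handshake record body into messages: type(1) length(3) payload."""
    msgs, i = [], 0
    while i + 4 <= len(body):
        htype, hlen = body[i], int.from_bytes(body[i + 1:i + 4], "big")
        payload = body[i + 4:i + 4 + hlen]
        if len(payload) != hlen:
            raise ValueError(f"truncated handshake message at offset {i}")
        msg = {"type": HANDSHAKE_TYPES.get(htype, f"unknown({htype})"), "length": hlen}
        if htype == 2:
            msg.update(decode_server_hello(payload))
        msgs.append(msg)
        i += 4 + hlen
    return msgs


def decode_records(data: bytes) -> list:
    """Walk TLS records (type(1) version(2) length(2) body) and decode alerts/handshakes."""
    records, i = [], 0
    while i < len(data):
        if i + 5 > len(data):
            raise ValueError(f"truncated record header at offset {i}")
        ctype, major, minor, length = struct.unpack("!BBBH", data[i:i + 5])
        body = data[i + 5:i + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record at offset {i}: need {length}, have {len(body)}")
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "version": f"{major}.{minor}", "length": length}
        if ctype == 21:
            if length != 2:
                raise ValueError("alert body must be exactly 2 bytes")
            rec["level"] = ALERT_LEVELS.get(body[0], str(body[0]))
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
        elif ctype == 22:
            rec["messages"] = decode_handshake(body)
        records.append(rec)
        i += 5 + length
    return records


if __name__ == "__main__":
    print(decode_sslv2_client_hello(CLIENT_HELLO_V2))
    for rec in decode_records(SERVER_FLIGHT) + decode_records(CLIENT_ALERT):
        print(rec)
```

Read this way, the server side is healthy up to ServerHelloDone and the failure is the client's verdict on the certificate it was sent. The practical check for a fatal unknown_ca is therefore on the client's trust store: `openssl verify -CAfile <the file named by TLS_CACERT> <the server's TLSCertificateFile>` must print OK before the client can be expected to accept the chain.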

----- Original Message ----- From: "Kent Soper" <dksoper@us.ibm.com>
To: <ldap@fadesa.es>
Cc: <openldap-software@OpenLDAP.org>
Sent: Monday, June 16, 2003 9:25 PM
Subject: Re: TLS headache


Hi Jose,

I'm not sure whether you're trying to get server side TLS or server side
TLS with client side authentication working.  If you are only setting up
server side TLS, then you don't need the TLSVerifyClient line in slapd.conf
or much of the ldap.conf file.

If you are trying to set up client authentication, then your user (client)
will also need the TLS_CERT and TLS_KEY entries moved from ldap.conf to
either a file called ldaprc or .ldaprc in the user's home directory or
current directory.

Please see the new doc
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html for various
TLS/SSL issues.  It's full of examples too.  Well written (tongue firmly
in cheek!!).

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
      you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com


From: "José M. Fandiño" <ldap@fadesa.es>
Sent by: owner-openldap-software@OpenLDAP.org
To: openldap-software@OpenLDAP.org
Subject: TLS headache
Date: 06/16/2003 06:56 AM
Please respond to ldap

Hello,

I'm trying to make a TLS connection work between ldap clients and slapd
but I always get an ssl error. The configuration can't be simpler:
I'm using a self-issued certificate.

Please, can anyone tell me what's wrong with my configuration?

thanks,

/usr/local/openldap/libexec/slapd -4 -h "ldap:// ldaps://"

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ldap                  *:*                     LISTEN
tcp        0      0 *:ldaps                 *:*                     LISTEN

slapd.conf excerpt
==================
TLSVerifyClient true
TLSCipherSuite  HIGH
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/slapd.key
TLSCertificateFile /usr/local/openldap/etc/openldap/slapd.pem
TLSCACertificateFile /usr/local/openldap/etc/openldap/slapd.pem

ldap.conf excerpt
==================
TLS_CACERT      /usr/local/openldap/etc/openldap/slapd.pem
TLS_CERT        /usr/local/openldap/etc/openldap/slapd.pem
TLS_KEY         /usr/local/openldap/etc/openldap/slapd.key
TLS_REQCERT allow

filemon:/usr/local/openldap/etc/openldap # openssl x509 -in slapd.pem -noout -text
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 0 (0x0)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
       Validity
           Not Before: Jun 16 11:09:22 2003 GMT
           Not After : Jun 14 11:09:22 2008 GMT
       Subject: C=ES, ST=La Coru\xF1a, L=La Coru\xF1a, O=Fadesa, OU=informatica, CN=openldap/Email=none@fffff.ff
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (2048 bit)
               Modulus (2048 bit):
                   00:d7:38:ea:8e:a2:1d:56:de:38:05:c1:41:1f:c5:
                   e1:06:27:28:1b:b6:86:56:7a:b2:bf:48:67:80:ab:
                   15:89:61:0c:f9:c5:26:1b:f9:07:da:cc:da:c9:f1:
                   64:0a:81:09:c3:6c:1d:26:1b:b9:35:0c:83:a6:0a:
                   08:ef:02:ef:a5:9e:6f:17:23:20:72:0f:e3:62:88:
                   40:f8:55:55:c2:75:7b:1d:b3:d8:bf:f2:50:f1:f9:
                   45:d9:fa:ca:b5:df:b2:ed:8a:f9:8a:29:c2:48:b5:
                   ad:4e:c2:d9:54:55:cf:5a:54:d8:3b:f9:3c:ea:d2:
                   8d:eb:8d:d1:45:4c:c5:1e:87:9d:35:2a:d9:94:fd:
                   a9:0d:17:3f:ca:15:8d:f6:48:80:1b:31:4b:46:99:
                   cd:e7:93:cb:92:9c:25:22:f5:ab:9a:01:90:20:c6:
                   70:6b:8d:d1:dd:3b:73:f1:7a:9f:d8:31:fc:b4:4d:
                   e8:d9:53:1b:45:87:6d:51:4e:40:48:bd:0d:b1:a4:
                   3f:51:37:0a:f1:0b:bb:18:be:02:69:a5:ce:67:85:
                   91:25:3a:44:85:bf:6f:ee:cb:cc:44:71:6c:57:99:
                   74:0a:15:ef:7b:e7:29:79:8a:5a:3b:6e:61:ba:09:
                   7f:73:33:da:31:3d:e0:05:da:32:c9:0c:12:64:1a:
                   a1:87
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Key Identifier:
               25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
           X509v3 Authority Key Identifier:
               keyid:25:18:EF:9A:09:20:44:11:FC:3A:B7:6C:67:7E:80:B4:3C:21:EF:64
               DirName:/C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
               serial:00

           X509v3 Basic Constraints:
               CA:TRUE
   Signature Algorithm: md5WithRSAEncryption
       90:81:6e:b2:72:4c:70:2f:c4:5a:41:90:70:0b:0c:77:d0:18:
       af:e2:a5:13:4f:4b:41:23:87:05:a2:6c:f1:d5:8d:84:34:a6:
       fd:5a:c0:93:9f:b2:a4:4d:0b:d6:fd:7b:28:45:f4:35:b4:a9:
       2c:29:1f:6a:c4:5e:87:d2:59:e1:75:1d:9f:2b:3d:69:cd:d9:
       da:b7:15:03:0d:2c:b4:1d:c2:8e:a2:45:47:a9:e7:2a:3d:28:
       22:2b:41:49:25:0e:38:ee:0c:84:b9:e4:1b:f8:07:e8:3b:1a:
       4c:de:68:50:20:fb:2e:f0:74:a2:db:c2:96:95:65:c1:de:e8:
       a2:3d:f6:a9:48:9e:1f:e4:67:ba:59:e5:9a:cb:d6:79:34:7f:
       4d:9a:8e:4a:66:68:d4:59:6f:d7:86:ac:32:8c:3c:f4:e4:60:
       a0:3c:6a:e3:0c:e6:b8:46:b6:1e:c6:25:20:04:5a:93:4f:c2:
       90:3c:b6:7f:88:08:d1:09:59:e7:a1:a7:b4:04:53:28:5b:b2:
       8f:4d:08:58:d2:c2:37:ee:56:ee:23:15:e3:c7:e5:e0:f2:77:
       cb:d9:58:43:53:be:18:1a:f3:8a:19:5b:36:30:49:3c:a4:cb:
       58:78:fc:9f:92:c1:1d:f0:5e:d4:e3:da:8f:0c:5a:74:18:27:
       30:8d:20:cc

            /------/

ldapsearch -ZZ -d -1 -b "dc=fadesa"
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: -1
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=filemon.servidores.fadesa
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
 0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
 0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
 0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
 0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037

ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost  port: 389  (default)
 refcnt: 2  status: Connected
 last used: Mon Jun 16 13:54:07 2003

** Outstanding Requests:
* msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
** Response Queue:
  Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=9, got=9
 0000:  30 0c 02 01 01 78 07 0a  01                        0....x...
ldap_read: want=5, got=5
 0000:  00 04 00 04 00                                     .....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0807df08 ptr=0x0807df08 end=0x0807df14 len=12
 0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
 0000:  78 07 0a 01 00 04 00 04  00                        x........
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
 0000:  78 07 0a 01 00 04 00 04  00                        x........
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df0b end=0x0807df14 len=9
 0000:  78 07 0a 01 00 04 00 04  00                        x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x0807df08 ptr=0x0807df14 end=0x0807df14 len=0

ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
 0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 16 00 00   .z....Q... .....
 0010:  13 00 00 0a 07 00 c0 00  00 66 00 00 05 00 00 04   .........f......
 0020:  03 00 80 01 00 80 08 00  80 00 00 65 00 00 64 00   ...........e..d.
 0030:  00 63 00 00 62 00 00 61  00 00 60 00 00 15 00 00   .c..b..a..`.....
 0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08   ......@.........
 0050:  00 00 06 00 00 03 04 00  80 02 00 80 39 13 8b a0   ............9...
 0060:  72 49 06 d9 a2 aa 96 66  d6 a7 cc a6 5b f3 c8 52   rI.....f....[..R
 0070:  b0 98 c2 d9 ea f4 d7 68  fb 1a 74 07               .......h..t.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
 0000:  16 03 01 00 4a 02 00                               ....J..
tls_read: want=72, got=72
 0000:  00 46 03 01 3e ed af df  ac 36 d2 53 17 d5 a0 12   .F..>....6.S....
 0010:  d3 ed 59 a0 c1 76 d2 06  64 e6 06 8e 52 8e d9 85   ..Y..v..d...R...
 0020:  80 ce 6d 47 20 8c 89 00  18 6a 0c 2b d9 ff c5 44   ..mG ....j.+...D
 0030:  d5 65 79 1a 7a f8 26 99  b4 6a e3 fa c4 9c 49 10   .ey.z.&..j....I.
 0040:  9f d1 77 2b 09 00 0a 00                            ..w+....
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
 0000:  16 03 01 04 93                                     .....
tls_read: want=1171, got=1171
 0000:  0b 00 04 8f 00 04 8c 00  04 89 30 82 04 85 30 82   ..........0...0.
 0010:  03 6d a0 03 02 01 02 02  01 00 30 0d 06 09 2a 86   .m........0...*.
 0020:  48 86 f7 0d 01 01 04 05  00 30 81 8d 31 0b 30 09   H........0..1.0.
 0030:  06 03 55 04 06 13 02 45  53 31 12 30 10 06 03 55   ..U....ES1.0...U
 0040:  04 08 14 09 4c 61 20 43  6f 72 75 f1 61 31 12 30   ....La Coru.a1.0
 0050:  10 06 03 55 04 07 14 09  4c 61 20 43 6f 72 75 f1   ...U....La Coru.
 0060:  61 31 0f 30 0d 06 03 55  04 0a 13 06 46 61 64 65   a1.0...U....Fade
 0070:  73 61 31 14 30 12 06 03  55 04 0b 13 0b 69 6e 66   sa1.0...U....inf
 0080:  6f 72 6d 61 74 69 63 61  31 11 30 0f 06 03 55 04   ormatica1.0...U.
 0090:  03 13 08 6f 70 65 6e 6c  64 61 70 31 1c 30 1a 06   ...openldap1.0..
 00a0:  09 2a 86 48 86 f7 0d 01  09 01 16 0d 6e 6f 6e 65   .*.H........none
 00b0:  40 66 66 66 66 66 2e 66  66 30 1e 17 0d 30 33 30   @fffff.ff0...030
 00c0:  36 31 36 31 31 30 39 32  32 5a 17 0d 30 38 30 36   616110922Z..0806
 00d0:  31 34 31 31 30 39 32 32  5a 30 81 8d 31 0b 30 09   14110922Z0..1.0.
 00e0:  06 03 55 04 06 13 02 45  53 31 12 30 10 06 03 55   ..U....ES1.0...U
 00f0:  04 08 14 09 4c 61 20 43  6f 72 75 f1 61 31 12 30   ....La Coru.a1.0
 0100:  10 06 03 55 04 07 14 09  4c 61 20 43 6f 72 75 f1   ...U....La Coru.
 0110:  61 31 0f 30 0d 06 03 55  04 0a 13 06 46 61 64 65   a1.0...U....Fade
 0120:  73 61 31 14 30 12 06 03  55 04 0b 13 0b 69 6e 66   sa1.0...U....inf
 0130:  6f 72 6d 61 74 69 63 61  31 11 30 0f 06 03 55 04   ormatica1.0...U.
 0140:  03 13 08 6f 70 65 6e 6c  64 61 70 31 1c 30 1a 06   ...openldap1.0..
 0150:  09 2a 86 48 86 f7 0d 01  09 01 16 0d 6e 6f 6e 65   .*.H........none
 0160:  40 66 66 66 66 66 2e 66  66 30 82 01 22 30 0d 06   @fffff.ff0.."0..
 0170:  09 2a 86 48 86 f7 0d 01  01 01 05 00 03 82 01 0f   .*.H............
 0180:  00 30 82 01 0a 02 82 01  01 00 d7 38 ea 8e a2 1d   .0.........8....
 0190:  56 de 38 05 c1 41 1f c5  e1 06 27 28 1b b6 86 56   V.8..A....'(...V
 01a0:  7a b2 bf 48 67 80 ab 15  89 61 0c f9 c5 26 1b f9   z..Hg....a...&..
 01b0:  07 da cc da c9 f1 64 0a  81 09 c3 6c 1d 26 1b b9   ......d....l.&..
 01c0:  35 0c 83 a6 0a 08 ef 02  ef a5 9e 6f 17 23 20 72   5..........o.# r
 01d0:  0f e3 62 88 40 f8 55 55  c2 75 7b 1d b3 d8 bf f2   ..b.@.UU.u{.....
 01e0:  50 f1 f9 45 d9 fa ca b5  df b2 ed 8a f9 8a 29 c2   P..E..........).
 01f0:  48 b5 ad 4e c2 d9 54 55  cf 5a 54 d8 3b f9 3c ea   H..N..TU.ZT.;.<.
 0200:  d2 8d eb 8d d1 45 4c c5  1e 87 9d 35 2a d9 94 fd   .....EL....5*...
 0210:  a9 0d 17 3f ca 15 8d f6  48 80 1b 31 4b 46 99 cd   ...?....H..1KF..
 0220:  e7 93 cb 92 9c 25 22 f5  ab 9a 01 90 20 c6 70 6b   .....%"..... .pk
 0230:  8d d1 dd 3b 73 f1 7a 9f  d8 31 fc b4 4d e8 d9 53   ...;s.z..1..M..S
 0240:  1b 45 87 6d 51 4e 40 48  bd 0d b1 a4 3f 51 37 0a   .E.mQN@H....?Q7.
 0250:  f1 0b bb 18 be 02 69 a5  ce 67 85 91 25 3a 44 85   ......i..g..%:D.
 0260:  bf 6f ee cb cc 44 71 6c  57 99 74 0a 15 ef 7b e7   .o...DqlW.t...{.
 0270:  29 79 8a 5a 3b 6e 61 ba  09 7f 73 33 da 31 3d e0   )y.Z;na...s3.1=.
 0280:  05 da 32 c9 0c 12 64 1a  a1 87 02 03 01 00 01 a3   ..2...d.........
 0290:  81 ed 30 81 ea 30 1d 06  03 55 1d 0e 04 16 04 14   ..0..0...U......
 02a0:  25 18 ef 9a 09 20 44 11  fc 3a b7 6c 67 7e 80 b4   %.... D..:.lg~..
 02b0:  3c 21 ef 64 30 81 ba 06  03 55 1d 23 04 81 b2 30   <!.d0....U.#...0
 02c0:  81 af 80 14 25 18 ef 9a  09 20 44 11 fc 3a b7 6c   ....%.... D..:.l
 02d0:  67 7e 80 b4 3c 21 ef 64  a1 81 93 a4 81 90 30 81   g~..<!.d......0.
 02e0:  8d 31 0b 30 09 06 03 55  04 06 13 02 45 53 31 12   .1.0...U....ES1.
 02f0:  30 10 06 03 55 04 08 14  09 4c 61 20 43 6f 72 75   0...U....La Coru
 0300:  f1 61 31 12 30 10 06 03  55 04 07 14 09 4c 61 20   .a1.0...U....La
 0310:  43 6f 72 75 f1 61 31 0f  30 0d 06 03 55 04 0a 13   Coru.a1.0...U...
 0320:  06 46 61 64 65 73 61 31  14 30 12 06 03 55 04 0b   .Fadesa1.0...U..
 0330:  13 0b 69 6e 66 6f 72 6d  61 74 69 63 61 31 11 30   ..informatica1.0
 0340:  0f 06 03 55 04 03 13 08  6f 70 65 6e 6c 64 61 70   ...U....openldap
 0350:  31 1c 30 1a 06 09 2a 86  48 86 f7 0d 01 09 01 16   1.0...*.H.......
 0360:  0d 6e 6f 6e 65 40 66 66  66 66 66 2e 66 66 82 01   .none@fffff.ff..
 0370:  00 30 0c 06 03 55 1d 13  04 05 30 03 01 01 ff 30   .0...U....0....0
 0380:  0d 06 09 2a 86 48 86 f7  0d 01 01 04 05 00 03 82   ...*.H..........
 0390:  01 01 00 90 81 6e b2 72  4c 70 2f c4 5a 41 90 70   .....n.rLp/.ZA.p
 03a0:  0b 0c 77 d0 18 af e2 a5  13 4f 4b 41 23 87 05 a2   ..w......OKA#...
 03b0:  6c f1 d5 8d 84 34 a6 fd  5a c0 93 9f b2 a4 4d 0b   l....4..Z.....M.
 03c0:  d6 fd 7b 28 45 f4 35 b4  a9 2c 29 1f 6a c4 5e 87   ..{(E.5..,).j.^.
 03d0:  d2 59 e1 75 1d 9f 2b 3d  69 cd d9 da b7 15 03 0d   .Y.u..+=i.......
 03e0:  2c b4 1d c2 8e a2 45 47  a9 e7 2a 3d 28 22 2b 41   ,.....EG..*=("+A
 03f0:  49 25 0e 38 ee 0c 84 b9  e4 1b f8 07 e8 3b 1a 4c   I%.8.........;.L
 0400:  de 68 50 20 fb 2e f0 74  a2 db c2 96 95 65 c1 de   .hP ...t.....e..
 0410:  e8 a2 3d f6 a9 48 9e 1f  e4 67 ba 59 e5 9a cb d6   ..=..H...g.Y....
 0420:  79 34 7f 4d 9a 8e 4a 66  68 d4 59 6f d7 86 ac 32   y4.M..Jfh.Yo...2
 0430:  8c 3c f4 e4 60 a0 3c 6a  e3 0c e6 b8 46 b6 1e c6   .<..`.<j....F...
 0440:  25 20 04 5a 93 4f c2 90  3c b6 7f 88 08 d1 09 59   % .Z.O..<......Y
 0450:  e7 a1 a7 b4 04 53 28 5b  b2 8f 4d 08 58 d2 c2 37   .....S([..M.X..7
 0460:  ee 56 ee 23 15 e3 c7 e5  e0 f2 77 cb d9 58 43 53   .V.#......w..XCS
 0470:  be 18 1a f3 8a 19 5b 36  30 49 3c a4 cb 58 78 fc   ......[60I<..Xx.
 0480:  9f 92 c1 1d f0 5e d4 e3  da 8f 0c 5a 74 18 27 30   .....^.....Zt.'0
 0490:  8d 20 cc                                           . .
TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
 0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
       additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------


Does your cert7.db know about your CA?

--
Dave
--
Dave Lewney
Principal Systems Programmer, Computing Service
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
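Two questions in this thread, why the client rejects the certificate and what the rule "the CN must carry the server's fully qualified domain name" means in practice, can both be read off the verification lines that ldapsearch -d -1 prints. The script below is an added example, not code from the thread or from OpenLDAP: it parses those lines from the trace quoted above, names the OpenSSL verify result code, reports when subject and issuer are the same DN (a self-signed certificate, which is what err 18 means at depth 0), and checks the leaf CN against the host name the client connected to. The wildcard rule in hostname_matches is this script's own assumption; the thread only states the exact-FQDN requirement.

```python
"""Triage the certificate-verification lines of an OpenLDAP client trace.

Added example, not code from the thread or from OpenLDAP. LOG is copied from
the ldapsearch -d -1 trace above (the wrapped verification line reflowed onto
one line); the host name comes from the trace's ldap_int_sasl_open line.
"""
import re

# OpenSSL X509 verify result codes as listed in verify(1); 18 is the one in the trace
VERIFY_ERRORS = {
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self signed certificate",                   # depth 0: the leaf is its own issuer
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",    # issuer not in TLS_CACERT/TLS_CACERTDIR
    21: "unable to verify the first certificate",
}
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.*?), issuer: (.*)$")
HOST_RE = re.compile(r"ldap_int_sasl_open: host=(\S+)")

LOG = r"""ldap_int_sasl_open: host=filemon.servidores.fadesa
TLS certificate verification: depth: 0, err: 18, subject: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff, issuer: /C=ES/ST=La Coru\xF1a/L=La Coru\xF1a/O=Fadesa/OU=informatica/CN=openldap/Email=none@fffff.ff
TLS certificate verification: Error, self signed certificate
"""


def parse_dn(dn: str) -> list:
    """OpenSSL one-line DN '/C=ES/ST=.../CN=openldap' -> [('C', 'ES'), ...]."""
    return [tuple(part.split("=", 1)) for part in dn.strip("/").split("/") if "=" in part]


def dn_values(dn: str, attr: str) -> list:
    """All values of one attribute type in the DN, in order (usually one CN)."""
    return [value for name, value in parse_dn(dn) if name == attr]


def hostname_matches(cn: str, host: str) -> bool:
    """Case-insensitive exact match, or a single '*' standing for the left-most label
    (the wildcard form is this script's assumption, not something the thread states)."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    if cn.startswith("*.") and "." in host:
        return cn[2:] == host.split(".", 1)[1]
    return False


def triage(log: str) -> list:
    """Return one finding per problem the verification lines reveal."""
    host, findings = None, []
    for line in log.splitlines():
        m = HOST_RE.search(line)
        if m:
            host = m.group(1)
            continue
        m = VERIFY_RE.search(line)
        if not m:
            continue
        depth, err = int(m.group(1)), int(m.group(2))
        subject, issuer = m.group(3), m.group(4)
        findings.append(f"depth {depth}: err {err} ({VERIFY_ERRORS.get(err, 'unknown code')})")
        if parse_dn(subject) == parse_dn(issuer):
            findings.append(f"depth {depth}: subject equals issuer, the certificate is self-signed")
        if depth == 0 and host is not None:
            cns = dn_values(subject, "CN")
            if not any(hostname_matches(cn, host) for cn in cns):
                findings.append(f"leaf CN {cns} does not name the host {host!r}")
    return findings


if __name__ == "__main__":
    for finding in triage(LOG):
        print(finding)
```

Run against the quoted trace it reports three things: verify code 18, a subject identical to its issuer, and a CN of openldap where the client connected to filemon.servidores.fadesa. Note that TLS_REQCERT never, as in the /etc/ldap.conf above, only stops the client from performing this check; it does not make the chain valid, so the triage is best done with TLS_REQCERT demand on a test client before the setting is relaxed.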