
RE: TLS / SSL

Hi Ron,

Have you tried using only server-side authentication first (no client
cert)?  If you can get that working, then adding client certs to an ldaprc
would be the next step.

In slapd.conf, try using only these directives:
TLSCipherSuite  <settings>
TLSCertificateFile  <server cert>
TLSCACertificateFile <ca cert>
(no TLSVerifyClient directive)

In ldap.conf:
Nothing or "TLS_REQCERT  demand" which is the default.
You don't need a client CA cert for TLS/SSL, but you can have it listed
too.

After success you can add client auth entries to slapd.conf and ldaprc
(see man pages for *.conf or the document Pierre pointed you to).

I don't know much about your setup, so please pardon me if this is a
Netscape or other issue that I'm not aware of.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
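As an added example (not code from this thread or from OpenLDAP), a small Python script that reads a slapd debug trace like the ones quoted below and reports whether the handshake finished, whether the "unable to get TLS client DN" line is just the noise Mike describes, and which side closed the session. The sample trace is copied from Ron's server log; whether TLSVerifyClient is set in slapd.conf is an assumption the caller passes in.

```python
import re

# Sample slapd debug trace, copied from the server log quoted in this thread.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(13): unable to get TLS client DN error=49 id=0
TLS trace: SSL3 alert read:warning:close notify
connection_read(13): input error=-2 id=0, closing.
"""

def analyse_trace(text, verify_client=False):
    """Classify one slapd TLS accept trace.

    verify_client (assumption supplied by the caller): True when slapd.conf
    sets TLSVerifyClient demand/try, i.e. the server really expects a client cert.
    """
    lines = text.splitlines()
    has = lambda s: any(s in l for l in lines)
    m = re.search(r"SSL_accept:(\S+) read client hello", text)
    result = {
        "protocol": m.group(1) if m else None,
        "handshake_done": has("write finished"),
        "client_cert": not (has("error in SSLv3 read client certificate")
                            or has("unable to get TLS client DN")),
        "peer_closed": has("alert read:warning:close notify"),
        "findings": [],
    }
    f = result["findings"]
    if not result["client_cert"]:
        f.append("client cert required but none presented" if verify_client
                 else "no client cert: expected noise unless TLSVerifyClient is set")
    if not result["handshake_done"]:
        f.append("TLS handshake did not complete on the server")
    elif result["peer_closed"]:
        f.append("handshake completed, then the client closed the session: "
                 "the failure is on the client side, check its own log and TLS_REQCERT/CA settings")
    if result["protocol"] == "SSLv3":
        f.append("SSLv3 negotiated: obsolete protocol, prefer TLS")
    return result
```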




                                                                                                                                     
"Ron Wahler" <ron@rovingplanet.com>
Sent by: owner-openldap-software@OpenLDAP.org
07/01/2003 11:46 AM

To:       <freeradius-users@lists.cistron.nl>, "Lawrence, Mike (White Plains)" <Mike.Lawrence@starwoodhotels.com>, <openldap-software@OpenLDAP.org>
cc:
Subject:  RE: TLS / SSL

I also get this when I allow SSLv3 on the ldap side

ldap_pvt_gethostbyname_a: host=fido, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN error=49 id=0
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
TLS trace: SSL3 alert write:warning:close notify

> -----Original Message-----
> From: Ron Wahler
> Sent: Tuesday, July 01, 2003 10:30 AM
> To: Lawrence, Mike (White Plains); freeradius-users@lists.cistron.nl;
> openldap-software@OpenLDAP.org
> Subject: RE: TLS / SSL
>
>
>
> Getting this but the client can't connect at port 636
>
> CLIENT
> m_ldap: setting TLS mode to 1
> rlm_ldap: bind as cn=Manager,dc=fido,dc=com/secret to 10.0.0.94:636
> rlm_ldap: cn=Manager,dc=fido,dc=com bind to 10.0.0.94:636 failed: Can't contact LDAP server
> rlm_ldap: (re)connection attempt failed
>
>
>
> SERVER:
>
> ldap_pvt_gethostbyname_a: host=fido, r=0
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ber_scanf fmt (m) ber:
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN error=49 id=0
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> ber_get_next
> TLS trace: SSL3 alert read:warning:close notify
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> TLS trace: SSL3 alert write:warning:close notify
>
>
>
>
>
> > -----Original Message-----
> > From: Lawrence, Mike (White Plains)
> > [mailto:Mike.Lawrence@starwoodhotels.com]
> > Sent: Tuesday, July 01, 2003 9:01 AM
> > To: Ron Wahler
> > Subject: RE: TLS / SSL
> >
> >
> > Hi Ron - I see that error as well and what it means is that
> > the server was unable to get a client certificate.  It doesn't
> > need one to do ssl/tls, but it will still give the error if
> > it doesn't have one, so it's basically a noise error and not
> > a big deal unless you do have a client cert and are trying to
> > use it.
> >
> > -----Original Message-----
> > From: Ron Wahler [mailto:ron@rovingplanet.com]
> > Sent: Monday, June 30, 2003 4:01 PM
> > To: openldap-software@OpenLDAP.org
> > Subject: TLS / SSL
> >
> >
> >
> > I am getting the following error when trying to connect
> > from FreeRadius to OpenLDAP on SSL port 636.  Is there
> > something here I can look at in the configuration files?
> >
> > Ron.
> >
> >
> >
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_read(13): unable to get TLS client DN error=49 id=0
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > ber_get_next
> > TLS trace: SSL3 alert read:warning:close notify
> > ber_get_next on fd 13 failed errno=0 (Success)
> > connection_read(13): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=13 for close
> > connection_close: conn=0 sd=13
> > TLS trace: SSL3 alert write:warning:close notify
> >
> >