RE: TLS / SSL
- To: <openldap-software@OpenLDAP.org>
- Subject: RE: TLS / SSL
- From: "Ron Wahler" <ron@rovingplanet.com>
- Date: Tue, 1 Jul 2003 11:36:59 -0600
- Thread-topic: TLS / SSL
Thanks for the help.
I modified the files to be this but it still doesn't connect.
Slapd.conf
ssl yes
port 636
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /opt/LocalCA/server_crt.pem
TLSCertificateKeyFile /opt/LocalCA/server_key.pem
TLSCACertificateFile /opt/LocalCA/cacert.pem
#TLSVerifyClient never
ldap.conf
ssl yes
port 636
ssl start_tls
TLS_CACERT /opt/LocalCA/cacert.pem
TLS_CERT /opt/LocalCA/server_crt.pem
TLS_KEY /opt/LocalCA/server_key.pem
#TLS_REQCERT demand
I also tried commenting out TLS_CACERT TLS_CERT and TLS_KEY with the
same result...
Ron.
> -----Original Message-----
> From: Kent Soper [mailto:dksoper@us.ibm.com]
> Sent: Tuesday, July 01, 2003 11:12 AM
> To: Ron Wahler
> Cc: openldap-software@OpenLDAP.org
> Subject: RE: TLS / SSL
>
> Hi Ron,
>
> Have you tried using only server-side authentication first (no client
> cert)? If you can get that working, then adding client certs to an ldaprc
> would be the next step.
>
> In slapd.conf, try using only these directives:
> TLSCipherSuite <settings>
> TLSCertificateFile <server cert>
> TLSCACertificateFile <ca cert>
> (no TLSVerifyClient directive)
>
> In ldap.conf:
> Nothing or "TLS_REQCERT demand" which is the default.
> You don't need a client CA cert for TLS/SSL, but you can have it listed
> too.
>
> After success you can add client auth entries to slapd.conf and ldaprc
> (see man pages for *.conf or the document Pierre pointed you to).
>
> I don't know much about your setup, so please pardon me if this is a
> Netscape or other issue that I'm not aware of.
>
> Cheers,
> Kent Soper
>
> "You don't stop playing because you grow old ...
> you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> phone: 1-512-838-9216
> e-mail: dksoper@us.ibm.com
>
> "Ron Wahler" <ron@rovingplanet.com>
> Sent by: owner-openldap-software@OpenLDAP.org
> 07/01/2003 11:46 AM
> To: <freeradius-users@lists.cistron.nl>, "Lawrence, Mike (White Plains)"
> <Mike.Lawrence@starwoodhotels.com>, <openldap-software@OpenLDAP.org>
> cc:
> Subject: RE: TLS / SSL
>
> I also get this when I allow SSLv3 on the ldap side
>
> ldap_pvt_gethostbyname_a: host=fido, r=0
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ber_scanf fmt (m) ber:
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN error=49 id=0
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> ber_get_next
> TLS trace: SSL3 alert read:warning:close notify
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> TLS trace: SSL3 alert write:warning:close notify
>
> > -----Original Message-----
> > From: Ron Wahler
> > Sent: Tuesday, July 01, 2003 10:30 AM
> > To: Lawrence, Mike (White Plains); freeradius-users@lists.cistron.nl;
> > openldap-software@OpenLDAP.org
> > Subject: RE: TLS / SSL
> >
> >
> >
> > Getting this but the client can't connect at port 636
> >
> > CLIENT
> > m_ldap: setting TLS mode to 1
> > rlm_ldap: bind as cn=Manager,dc=fido,dc=com/secret to 10.0.0.94:636
> > rlm_ldap: cn=Manager,dc=fido,dc=com bind to 10.0.0.94:636 failed: Can't
> > contact LDAP server
> > rlm_ldap: (re)connection attempt failed
> >
> >
> >
> > SERVER:
> >
> > ldap_pvt_gethostbyname_a: host=fido, r=0
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ber_scanf fmt (m) ber:
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > TLS trace: SSL_accept:SSLv3 flush data
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_read(13): unable to get TLS client DN error=49 id=0
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > ber_get_next
> > TLS trace: SSL3 alert read:warning:close notify
> > ber_get_next on fd 13 failed errno=0 (Success)
> > connection_read(13): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=13 for close
> > connection_close: conn=0 sd=13
> > TLS trace: SSL3 alert write:warning:close notify
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Lawrence, Mike (White Plains)
> > > [mailto:Mike.Lawrence@starwoodhotels.com]
> > > Sent: Tuesday, July 01, 2003 9:01 AM
> > > To: Ron Wahler
> > > Subject: RE: TLS / SSL
> > >
> > >
> > > Hi Ron - I see that error as well and what it means is that
> > > the server was unable to get a client certificate. It doesn't
> > > need one to do ssl/tls, but it will still give the error if
> > > it doesn't have one, so it's basically a noise error and not
> > > a big deal unless you do have a client cert and are trying to
> > > use it.
> > >
> > > -----Original Message-----
> > > From: Ron Wahler [mailto:ron@rovingplanet.com]
> > > Sent: Monday, June 30, 2003 4:01 PM
> > > To: openldap-software@OpenLDAP.org
> > > Subject: TLS / SSL
> > >
> > >
> > >
> > > I am getting the following error when trying to connect
> > > from FreeRadius to OpenLDAP on SSL port 636. Is there
> > > something here I can look at in the configuration files?
> > >
> > > Ron.
> > >
> > >
> > >
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > TLS trace: SSL_accept:SSLv3 read finished A
> > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > TLS trace: SSL_accept:SSLv3 write finished A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > ber_get_next
> > > TLS trace: SSL3 alert read:warning:close notify
> > > ber_get_next on fd 13 failed errno=0 (Success)
> > > connection_read(13): input error=-2 id=0, closing.
> > > connection_closing: readying conn=0 sd=13 for close
> > > connection_close: conn=0 sd=13
> > > TLS trace: SSL3 alert write:warning:close notify
> > >
> > >
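As an added triage helper (my own code, not from the thread or from OpenLDAP): it reads a slapd -d TLS trace like the ones quoted above, flags the no-client-certificate lines that Mike describes as noise, and reports whether the server-side handshake actually completed before the peer sent close_notify. The sample traces are constructed from the quoted output, and the "unknown ca" fatal-alert case is an assumed contrast case.

```python
import re

# Constructed sample traces modelled on the slapd -d output quoted in the
# thread; only the lines that matter for triage are kept.
TRACE_CLEAN_CLOSE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(13): unable to get TLS client DN error=49 id=0
TLS trace: SSL3 alert read:warning:close notify
connection_read(13): input error=-2 id=0, closing.
"""
# Assumed contrast case: the peer aborts the handshake with a fatal alert.
TRACE_FATAL_ALERT = """\
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL3 alert read:fatal:unknown ca
TLS trace: SSL_accept:error in SSLv3 read client certificate A
"""

FATAL_RE = re.compile(r"SSL3 alert read:fatal:(.+)$")

def triage_tls_trace(trace):
    """Classify a slapd TLS trace: did the server-side handshake complete,
    was a client certificate presented, and who ended the session."""
    f = {"handshake_completed": False, "client_cert_presented": True,
         "client_dn_error": False, "fatal_alert": None,
         "closed_by_peer_after_handshake": False}
    for line in trace.splitlines():
        m = FATAL_RE.search(line)
        if m:
            f["fatal_alert"] = m.group(1).strip()
        elif "SSL_accept:SSLv3 write finished A" in line:
            f["handshake_completed"] = True
        elif "error in SSLv3 read client certificate" in line:
            # Emitted when no client certificate arrives; harmless unless
            # TLSVerifyClient requires one (the point made in the thread).
            f["client_cert_presented"] = False
        elif "unable to get TLS client DN" in line:
            f["client_dn_error"] = True   # same root cause: no client cert
        elif "alert read:warning:close notify" in line and f["handshake_completed"]:
            f["closed_by_peer_after_handshake"] = True
    if f["fatal_alert"]:
        f["verdict"] = "peer aborted handshake: " + f["fatal_alert"]
    elif f["closed_by_peer_after_handshake"]:
        f["verdict"] = ("server handshake completed; peer closed cleanly, "
                        "so check the client's own trust settings")
    elif f["handshake_completed"]:
        f["verdict"] = "server handshake completed"
    else:
        f["verdict"] = "handshake did not complete on the server"
    return f
```

A completed server handshake followed by a clean close, as in the quoted trace, means slapd accepted the session; the client side (TLS_CACERT, TLS_REQCERT) is then the place to look.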