[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS / SSL



That's all I want to do is Server side. I just want to keep it simple.


> -----Original Message-----
> From: Kent Soper [mailto:dksoper@us.ibm.com]
> Sent: Tuesday, July 01, 2003 11:12 AM
> To: Ron Wahler
> Cc: openldap-software@OpenLDAP.org
> Subject: RE: TLS / SSL
> 
> 
> 
> 
> 
> Hi Ron,
> 
> Have you tried using only server-side authentication first (no client
> cert)?  If you can get that working, then adding client certs to an
ldaprc
> would be the next step.
> 
> In slapd.conf, try using only these directives:
> TLSCipherSuite  <settings>
> TLSCertificateFile  <server cert>
> TLSCACertificateFile <ca cert>
> (no TLSVerifyClient directive)
> 
> In ldap.conf:
> Nothing or "TLS_REQCERT  demand" which is the default.
> You don't need a client CA cert for TLS/SSL, but you can have it
listed
> too.
> 
> After success you can add client auth entries to slapd.conf and ldaprc
> (see man pages for *.conf or the document Pierre pointed you to).
> 
> I don't know much about your setup, so please pardon me if this is a
> Netscape or other issue that I'm not aware of.
> 
> Cheers,
> Kent Soper
> 
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
> 
> Linux Technology Center, Linux Security
> phone:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
> 
> 
> 
> 
> 
>                       "Ron Wahler"
>                       <ron@rovingplanet.com>           To:
> <freeradius-users@lists.cistron.nl>, "Lawrence, Mike (White
>                       Sent by:                          Plains)"
> <Mike.Lawrence@starwoodhotels.com>,
>                       owner-openldap-software@O         <openldap-
> software@OpenLDAP.org>
>                       penLDAP.org                      cc:
>                                                        Subject:  RE:
TLS /
> SSL
> 
>                       07/01/2003 11:46 AM
> 
> 
> 
> 
> 
> 
> 
> I also get this when I allow SSLv3 on the ldap side
> 
> ldap_pvt_gethostbyname_a: host=fido, r=0
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ber_scanf fmt (m) ber:
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN error=49 id=0
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> ber_get_next
> TLS trace: SSL3 alert read:warning:close notify
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> TLS trace: SSL3 alert write:warning:close notify
> 
> 
> 
> 
> > -----Original Message-----
> > From: Ron Wahler
> > Sent: Tuesday, July 01, 2003 10:30 AM
> > To: Lawrence, Mike (White Plains);
freeradius-users@lists.cistron.nl;
> > openldap-software@OpenLDAP.org
> > Subject: RE: TLS / SSL
> >
> >
> >
> > Getting this but the client can't connect at port 636
> >
> > CLIENT
> > m_ldap: setting TLS mode to 1
> > rlm_ldap: bind as cn=Manager,dc=fido,dc=com/secret to 10.0.0.94:636
> > rlm_ldap: cn=Manager,dc=fido,dc=com bind to 10.0.0.94:636 failed:
> Can't
> > contact LDAP server
> > rlm_ldap: (re)connection attempt failed
> >
> >
> >
> > SERVER:
> >
> > ldap_pvt_gethostbyname_a: host=fido, r=0
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ber_scanf fmt (m) ber:
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > TLS trace: SSL_accept:SSLv3 flush data
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_read(13): unable to get TLS client DN error=49 id=0
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > ber_get_next
> > TLS trace: SSL3 alert read:warning:close notify
> > ber_get_next on fd 13 failed errno=0 (Success)
> > connection_read(13): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=13 for close
> > connection_close: conn=0 sd=13
> > TLS trace: SSL3 alert write:warning:close notify
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Lawrence, Mike (White Plains)
> > > [mailto:Mike.Lawrence@starwoodhotels.com]
> > > Sent: Tuesday, July 01, 2003 9:01 AM
> > > To: Ron Wahler
> > > Subject: RE: TLS / SSL
> > >
> > >
> > > Hi Ron - I see that error as well and what it means is that
> > > the server was unable to get a client certificate.  It doesn't
> > > need one to do ssl/tls, but it will still give the error if
> > > it doesn't have one, so it's basically a noise error and not
> > > a big deal unless you do have a client cert and are trying to
> > > use it.
> > >
> > > -----Original Message-----
> > > From: Ron Wahler [mailto:ron@rovingplanet.com]
> > > Sent: Monday, June 30, 2003 4:01 PM
> > > To: openldap-software@OpenLDAP. org
> > > Subject: TLS / SSL
> > >
> > >
> > >
> > > I am getting the following error when trying to connect
> > > From FreeRadius to OpenLDAP on SSL port 636.  Is there
> > > Something here I can look at in the configuration files?
> > >
> > > Ron.
> > >
> > >
> > >
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > TLS trace: SSL_accept:SSLv3 read finished A
> > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > TLS trace: SSL_accept:SSLv3 write finished A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > ber_get_next
> > > TLS trace: SSL3 alert read:warning:close notify
> > > ber_get_next on fd 13 failed errno=0 (Success)
> > > connection_read(13): input error=-2 id=0, closing.
> > > connection_closing: readying conn=0 sd=13 for close
> > > connection_close: conn=0 sd=13
> > > TLS trace: SSL3 alert write:warning:close notify
> > >
> > >
> > > This electronic message transmission contains information from the
> > Company
> > > that may be proprietary, confidential and/or privileged.
> > > The information is intended only for the use of the individual(s)
or
> > > entity named above.  If you are not the intended recipient, be
> > > aware that any disclosure, copying or distribution or use of the
> > contents
> > > of this information is prohibited.  If you have received
> > > this electronic transmission in error, please notify the sender
> > > immediately by replying to the address listed in the "From:"
field.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> 
> 
>