ssl client problem?
Hi All!
I have a problem with SSL. My original goal was to
set up a secure OpenLDAP service. Now I can make a slapd
that listens on tcp/636 using ldaps without stunnel, but
how can I try it out?
host# ldapsearch -vvv -ZZ -x -h localhost -p 636 -b "dc=matav, dc=hu" 'objectclass=*'
ldap_init( localhost, 636 )
ldap_start_tls: Can't contact LDAP server (81)
host# _
or
using stunnel on 636 to 389:
host# ldapsearch -vvv -H 'ldaps://localhost/' -b "dc=matav, dc=hu" 'objectclass=*'
ldap_initialize( ldaps://localhost/ )
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
host# _
using slapd -h 'ldaps://...'
host# ldapsearch -vvv -H 'ldaps://localhost/' -b "dc=matav, dc=hu" 'objectclass=*'
ldap_initialize( ldaps://localhost/ )
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
host# _
As far as I can see, ldapsearch -Z does not use SSL. (Yes, it is
compiled with the --with-tls option and OpenSSL.) But let's have
a look at netcat's output:
host# ldapsearch -x -h localhost -p 666 -b "..." '(objectClass=*)'
...
host# nc -l -p 666
0
a```a`bc€
This is a non-encrypted search, and this one is with -Z:
host# ldapsearch -Z -x -h localhost -p 666 -b "..." '(objectClass=*)'
...
host# nc -l -p 666
0|a``ww€u1.3.6.1.4.1.1466.20037
As I can see, this is not an SSL handshake. :( Let's try another
trick!
host# stunnel -d 777 -r localhost:666 -p /usr/local/etc/openldap/server.pem
host# nc -l -p 666 > XX
...
host# ldapsearch -Z -x -h localhost -p 777 -b "..." '(objectClass=*)'
XX will be an empty file. :(
---- o ----
I have more questions:
- How can I make ldapsearch use SSL? Is there any other LDAP
client that can use SSL? (source URL?)
- Which solution seems better: compiling slapd with TLS support,
or using stunnel? I think stunnel is better, because slapd
is simpler to (re)compile with no linking against OpenSSL and
Cyrus SASL, and it's easier to replace stunnel without
stopping slapd.
- If I start up a slapd listening on the ldap and ldaps ports, and I can
use it without SSL, and openssl s_client -connect host:636
seems to work fine, can I say that slapd works with SSL?
How can I verify my server's SSL capabilities? It listens
on port 636, but is it working?
Thanks,
Sanyi
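The netcat captures above show the two things this post is trying to tell apart: a cleartext LDAP message carrying the StartTLS extended operation (the OID 1.3.6.1.4.1.1466.20037 is visible in the dump) versus a TLS ClientHello that an ldaps:// client sends as its very first bytes. The Python below is an added example, not code from the original post or from OpenLDAP. It builds the StartTLS request and an anonymous bind request byte for byte, classifies what a listener sees on a fresh connection the way netcat showed it, and, for the last question (does a successful openssl s_client handshake prove slapd works over SSL?), does an LDAP bind through the TLS channel and reads back the resultCode. The byte samples in the self-test are constructed here, not copied from the capture, and bind_over_tls() is a hypothetical helper that needs a reachable server and is only invoked from __main__.

```python
"""Added example, not from the original post: probe what an LDAP client
puts on the wire (-Z StartTLS vs. ldaps://) and check that an ldaps://
listener answers LDAP, not merely a TLS handshake.  Byte samples below are
constructed; bind_over_tls() is a hypothetical helper, not part of OpenLDAP."""
import socket
import ssl
import sys

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # the OID visible in the netcat dump


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def ber_read(data: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return ber_tlv(0x30, ber_int(msg_id) + protocol_op)


def starttls_request(msg_id: int = 1) -> bytes:
    """What `ldapsearch -Z` sends in the clear before any TLS starts:
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }
    (tag 0x77 = APPLICATION|constructed|23, the 'w' seen in the dump)."""
    return ldap_message(msg_id, ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID.encode())))


def bind_request(msg_id: int = 1) -> bytes:
    """Anonymous simple bind: BindRequest ::= [APPLICATION 0] SEQUENCE {
    version INTEGER (3), name LDAPDN (""), authentication simple [0] ("") }"""
    body = ber_int(3) + ber_tlv(0x04, b"") + ber_tlv(0x80, b"")
    return ldap_message(msg_id, ber_tlv(0x60, body))


def parse_bind_response(data: bytes):
    """Return (messageID, resultCode) from a BindResponse ([APPLICATION 1])."""
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = ber_read(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = ber_read(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, code, _ = ber_read(op)           # first element: resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big")


def classify_first_bytes(data: bytes) -> str:
    """Classify the opening bytes a listener sees, as netcat would show them."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"        # TLS record layer: ldaps:// style, encrypted from byte 0
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "tls-handshake"        # SSLv2-compatible ClientHello from older OpenSSL clients
    if data[:1] == b"\x30":
        if STARTTLS_OID.encode() in data:
            return "ldap-starttls"    # cleartext LDAP carrying the StartTLS extended op
        return "ldap-plain"           # ordinary cleartext LDAP (bind, search, ...)
    return "unknown"


def bind_over_tls(host: str, port: int = 636, cafile=None, timeout: float = 5.0):
    """Hypothetical helper: TLS handshake with an ldaps:// listener, then an
    anonymous bind through the tunnel.  A completed handshake alone does not
    prove slapd is answering behind it; resultCode 0 on the bind does.
    Without cafile, verification is off so a self-signed server.pem still lets
    you exercise the LDAP side; pass cafile to check the chain as well."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1))
            return parse_bind_response(tls.recv(4096))


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # python3 probe.py host [cafile]
        print(bind_over_tls(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
    else:                                 # offline demo on constructed samples
        for sample in (starttls_request(), bind_request(), b"\x16\x03\x01\x00\x5a\x01"):
            print(classify_first_bytes(sample), sample.hex())
```

Run with no arguments to see the three classifications on constructed input; run as `python3 probe.py host` (or `python3 probe.py host server.pem`) against a live listener. An exception during wrap_socket means the TLS layer itself failed (the handshake-failure case in the post), a successful handshake followed by a ValueError or a non-zero resultCode means TLS is fine but whatever sits behind it is not speaking LDAP as expected, and (1, 0) means slapd really is answering through the encrypted channel.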