
Re: LDAP TLS/SSL Security problem



I read what you sent me, and even recompiled with all the envs again and
redid the certs.  I'm still not able to make a secure connection.  If
I'm still trying to establish an SSL connection on an already secure port,
what do I need to change to not get this to happen?
I changed the files to:

/etc/ldap.conf
HOST    ldaptest.*********.com
BASE   dc=*********,dc=com
URI    ldap://ldaptest.*********.com/
URI    ldaps://ldaptest.*********.com/
TLS_CACER       /usr/local/etc/cacert.pem
#TLS_CACERTDIR  /usr/local/etc/server.pem
#TLS_KEY        /usr/local/etc/server.pem
ssl start_tls
#TLS_REQCERT never


SIZELIMIT      12
TIMELIMIT      15

/usr/local/etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
#include                /usr/local/etc/openldap/schema/solaris.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

loglevel 256
pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
##security ssf=128
##TLSCipherSuite                3DES:RC4:EXPORT40
##TLSCertificateFile    /usr/local/etc/slapd-cert.pem
##TLSCertificateKeyFile /usr/local/etc/slapd-key.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=*********,dc=com" write
#       by * auth
# access to dn.base="cn=Subschema" by * read
access to *
        by self read
        by users read
        by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!
#password-hash          {SSHA}

#######################################################################
# ldbm database definitions
#######################################################################

database        bdb
suffix          "dc=**********,dc=com"
##rootdn                "cn=Manager,dc=*********,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw         secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
mode            0600
# Indices to maintain
index   objectClass     eq
index   cn,uid          eq
index   uidNumber       eq
index   gidNumber       eq

command
/usr/local/bin/ldapsearch -d 1 -x -b "dc=***********,dc=com" -H 'ldap://ldaptest.*********.com'
command return message
ldap_create
ldap_url_parse_ext(ldap://ldaptest.**********.com)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaptest.*********.com:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ##.##.##.##:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 4
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldaptest.**********.com port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  1 10:31:31 2004

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=********,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 58 bytes to sd 4
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: ldaptest.*********.com port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  1 10:31:31 2004

** Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type search-result msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 0 Success

# numResponses: 1
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 4
ldap_free_connection: actually freed

slapd.log
bdb_search: 66 does not match filter
====> bdb_cache_return_entry_r( 66 ): returned (0)
send_search_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 13
connection_get(13): got connid=12
connection_read(13): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ber_get_next on fd 13 failed errno=0 (Error 0)
connection_read(13): input error=-2 id=12, closing.
connection_closing: readying conn=12 sd=13 for close
connection_close: deferring conn=12 sd=13
do_unbind
connection_resched: attempting closing conn=12 sd=13
connection_close: deferring conn=12 sd=13
connection_resched: attempting closing conn=12 sd=13
connection_close: conn=12 sd=13

command
/usr/local/bin/ldapsearch -d 1 -x -b "dc=***********,dc=com" -H 'ldap://ldaptest.*********.com' -ZZ
command response
ldap_create
ldap_url_parse_ext(ldap://ldaptest.*************.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaptest.#########.com:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ##.##.##.##:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 4
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldaptest.*********.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jul  1 10:34:33 2004

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=IL/L=AH/O=FOCAL/OU=NMS/CN=ldaptest.**********.com, issuer: /C=US/ST=IL/L=AH/O=FOCAL/OU=NMS/CN=ldaptest.**********.com
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

slapd log
connection_get(13): got connid=14
connection_read(13): checking for input on id=14
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 13
connection_get(13): got connid=14
connection_read(13): checking for input on id=14
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=14
connection_read(13): checking for input on id=14
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
connection_read(13): TLS accept error error=-1 id=14, closing
connection_closing: readying conn=14 sd=13 for close
connection_close: conn=14 sd=13

slapd startup command
 /usr/local/libexec/slapd -d 1 -h 'ldap:/// ldaps:///'


Stephen Worden
BNE NMS Engineer
Focal Communications
Tel: 847-954-8306
Fax: 847-954-7710
Email: sworden@focal.com


                                                                                                                                            
Kirk Turner-Rustin <ktrustin@owu.edu>
Sent by: owner-openldap-software@OpenLDAP.org
To: sworden@focal.com
cc: Openldap list <openldap-software@OpenLDAP.org>
Subject: Re: LDAP TLS/SSL Security problem
06/30/2004 10:55 AM

On Wed, 30 Jun 2004 sworden@focal.com wrote:

>
> /usr/local/bin/ldapsearch -d 1 -x -b "dc=********,dc=com" -H
> 'ldaps://ldaptest.*********.com' -ZZ

You are trying to use StartTLS on an already encrypted channel. For
details, see the following:

http://www.OpenLDAP.org/lists/openldap-software/200406/msg00454.html

Meanwhile, either drop the "-ZZ" from your ldapsearch command or
point ldapsearch to 'ldap://ldaptest.*********.com' (assuming that
slapd is listening there), and see if you get closer.

Also...

[snip]
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*********.com, issuer: /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.************.com
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS trace: SSL3 alert write:fatal:unknown CA

...it appears that there may be something wrong with your server
certificate setup. Maybe review this FAQ:

http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185

...or this:

http://www.OpenLDAP.org/pub/ksoper/OpenLDAP_TLS_howto.html

> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

--
Kirk Turner-Rustin
Programmer/Analyst
Libraries and Information Services
Ohio Wesleyan University
http://www.owu.edu
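As an added example (not part of either message and not OpenLDAP code), a small offline triage helper for the two failure signs in this thread: the `-ZZ` StartTLS flag combined with an `ldaps://` URI that the reply points out, and the client's `err: 20` verification line decoded against OpenSSL's X509 verify codes. It also flags TLS directive names in an ldap.conf excerpt that ldap.conf(5) does not define (the posted excerpt spells `TLS_CACER`); the sample inputs are constructed from the posted material with the hostname replaced.

```python
import re

# Client TLS directives documented in ldap.conf(5); libldap does not act on a name it does not know.
KNOWN_TLS_DIRECTIVES = {"TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY",
                        "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK"}

# OpenSSL X509 verify codes as printed in libldap's "TLS certificate verification" trace line.
X509_ERRORS = {
    18: "self signed certificate",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject: (.*?), issuer: (.*)")


def unknown_tls_directives(conf_text):
    """Return TLS* directive names in an ldap.conf that ldap.conf(5) does not define."""
    unknown = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split()[0].upper()
        if key.startswith("TLS") and key not in KNOWN_TLS_DIRECTIVES:
            unknown.append(key)
    return unknown


def starttls_over_ldaps(cmdline):
    """True when -Z/-ZZ (StartTLS) is combined with an ldaps:// URI, i.e. TLS on a channel already using TLS."""
    return bool(re.search(r"-Z{1,2}\b", cmdline)) and "ldaps://" in cmdline


def explain_verify_line(trace_line):
    """Decode the err code; flag when subject and issuer DN coincide, so TLS_CACERT must hold that very cert."""
    m = VERIFY_RE.search(trace_line)
    if not m:
        return None
    depth, err, subject, issuer = m.groups()
    return {"depth": int(depth), "err": int(err),
            "meaning": X509_ERRORS.get(int(err), "unknown code %s" % err),
            "self_issued_name": subject == issuer}


# Constructed samples modelled on the posted material, hostname replaced.
SAMPLE_CONF = "TLS_CACER       /usr/local/etc/cacert.pem\n#TLS_REQCERT never\n"
SAMPLE_CMD = "ldapsearch -d 1 -x -b 'dc=example,dc=com' -H 'ldaps://ldaptest.example.com' -ZZ"
SAMPLE_TRACE = ("TLS certificate verification: depth: 0, err: 20, subject: "
                "/C=US/ST=IL/L=AH/O=FOCAL/OU=NMS/CN=ldaptest.example.com, issuer: "
                "/C=US/ST=IL/L=AH/O=FOCAL/OU=NMS/CN=ldaptest.example.com")
```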