Re: LDAP TLS/SSL Security problem
I read what you sent me, and even recompiled with all the env's again and
redid the certs. I'm still not able to make a secure connection. If
I'm still trying to establish an SSL connection on an already secure port,
what do I need to change to stop this from happening?
I changed the files to:
/etc/ldap.conf
HOST ldaptest.*********.com
BASE dc=*********,dc=com
URI ldap://ldaptest.*********.com/
URI ldaps://ldaptest.*********.com/
TLS_CACER /usr/local/etc/cacert.pem
#TLS_CACERTDIR /usr/local/etc/server.pem
#TLS_KEY /usr/local/etc/server.pem
ssl start_tls
#TLS_REQCERT never
SIZELIMIT 12
TIMELIMIT 15
/usr/local/etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
#include /usr/local/etc/openldap/schema/solaris.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
loglevel 256
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
##security ssf=128
##TLSCipherSuite 3DES:RC4:EXPORT40
##TLSCertificateFile /usr/local/etc/slapd-cert.pem
##TLSCertificateKeyFile /usr/local/etc/slapd-key.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to attr=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=*********,dc=com" write
# by * auth
# access to dn.base="cn=Subschema" by * read
access to *
by self read
by users read
by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
#password-hash {SSHA}
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=**********,dc=com"
##rootdn "cn=Manager,dc=*********,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
mode 0600
# Indices to maintain
index objectClass eq
index cn,uid eq
index uidNumber eq
index gidNumber eq
command
/usr/local/bin/ldapsearch -d 1 -x -b "dc=***********,dc=com" -H 'ldap://ldaptest.*********.com'
command return message
ldap_create
ldap_url_parse_ext(ldap://ldaptest.**********.com)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaptest.*********.com:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ##.##.##.##:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 4
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldaptest.**********.com port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jul 1 10:31:31 2004
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=********,dc=com> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 58 bytes to sd 4
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: ldaptest.*********.com port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jul 1 10:31:31 2004
** Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid -1, all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type search-result msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg: mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 0 Success
# numResponses: 1
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 4
ldap_free_connection: actually freed
slapd.log
bdb_search: 66 does not match filter
====> bdb_cache_return_entry_r( 66 ): returned (0)
send_search_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 13
connection_get(13): got connid=12
connection_read(13): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ber_get_next on fd 13 failed errno=0 (Error 0)
connection_read(13): input error=-2 id=12, closing.
connection_closing: readying conn=12 sd=13 for close
connection_close: deferring conn=12 sd=13
do_unbind
connection_resched: attempting closing conn=12 sd=13
connection_close: deferring conn=12 sd=13
connection_resched: attempting closing conn=12 sd=13
connection_close: conn=12 sd=13
command
/usr/local/bin/ldapsearch -d 1 -x -b "dc=***********,dc=com" -H 'ldap://ldaptest.*********.com' -ZZ
command response
ldap_create
ldap_url_parse_ext(ldap://ldaptest.*************.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldaptest.#########.com:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ##.##.##.##:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 4
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldaptest.*********.com port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jul 1 10:34:33 2004
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=IL/L=AH/O=FOCAL/OU=NMS/CN=ldaptest.**********.com, issuer: /C=US/ST=IL/L=AH/O=FOCAL/OU=NMS/CN=ldaptest.**********.com
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
slapd log
connection_get(13): got connid=14
connection_read(13): checking for input on id=14
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 13
connection_get(13): got connid=14
connection_read(13): checking for input on id=14
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=14
connection_read(13): checking for input on id=14
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
connection_read(13): TLS accept error error=-1 id=14, closing
connection_closing: readying conn=14 sd=13 for close
connection_close: conn=14 sd=13
slapd startup command
/usr/local/libexec/slapd -d 1 -h 'ldap:/// ldaps:///'
Stephen Worden
BNE NMS Engineer
Focal Communications
Tel: 847-954-8306
Fax: 847-954-7710
Email: sworden@focal.com
Kirk Turner-Rustin <ktrustin@owu.edu>
Sent by: owner-openldap-software@OpenLDAP.org
06/30/2004 10:55 AM
To: sworden@focal.com
cc: Openldap list <openldap-software@OpenLDAP.org>
Subject: Re: LDAP TLS/SSL Security problem
On Wed, 30 Jun 2004 sworden@focal.com wrote:
>
> /usr/local/bin/ldapsearch -d 1 -x -b "dc=********,dc=com" -H 'ldaps://ldaptest.*********.com' -ZZ
You are trying to use StartTLS on an already encrypted channel. For
details, see the following:
http://www.OpenLDAP.org/lists/openldap-software/200406/msg00454.html
Meanwhile, either drop the "-ZZ" from your ldapsearch command or
point ldapsearch to 'ldap://ldaptest.*********.com' (assuming that
slapd is listening there), and see if you get closer.
Also...
[snip]
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*********.com, issuer: /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.************.com
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
...it appears that there may be something wrong with your server
certificate setup. Maybe review this FAQ:
http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185
...or this:
http://www.OpenLDAP.org/pub/ksoper/OpenLDAP_TLS_howto.html
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Can't contact LDAP server (81)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
--
Kirk Turner-Rustin
Programmer/Analyst
Libraries and Information Services
Ohio Wesleyan University
http://www.owu.edu
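As an added example (not from this thread and not an OpenLDAP tool), a small Python linter run over constructed copies of the two posted configs: it flags `TLS_CACER`, which is not a documented ldap.conf(5) directive and so leaves the client with no trusted CA (consistent with the err 20 "unable to get local issuer certificate" above), flags `ssl start_tls` combined with an `ldaps://` URI as StartTLS over an already-encrypted channel (Kirk's point), and flags `+SSLv2` in TLSCipherSuite. It assumes the client file is read as libldap's ldap.conf with nss_ldap's `ssl` keyword accepted, and `example.com` stands in for the redacted hostname.

```python
import re

# Subset of the ldap.conf(5) directives that covers the posted file, plus nss_ldap's
# "ssl" keyword (assumption: the file is parsed as libldap's ldap.conf with that addition).
KNOWN_CLIENT = {"HOST", "BASE", "URI", "SIZELIMIT", "TIMELIMIT", "SSL", "TLS_CACERT",
                "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_REQCERT", "TLS_CIPHER_SUITE"}

def parse(conf):
    """Yield (DIRECTIVE, value) for each non-blank, non-comment line."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            yield key.upper(), value.strip()

def lint_client(conf):
    """Return finding codes for a client ldap.conf."""
    entries = list(parse(conf))
    codes = []
    for key, _ in entries:
        if key not in KNOWN_CLIENT:
            # A misspelled TLS_CACERT is not recognised, so no CA is trusted and the
            # server cert fails with err 20 "unable to get local issuer certificate".
            guess = sorted(k for k in KNOWN_CLIENT if k.startswith(key))
            codes.append(f"unknown-directive:{key}" + (f"->{guess[0]}" if guess else ""))
    uris = [v for k, v in entries if k == "URI"]
    start_tls = any(k == "SSL" and v.lower() == "start_tls" for k, v in entries)
    if start_tls and any(u.lower().startswith("ldaps://") for u in uris):
        # StartTLS on a port that already speaks TLS: the mismatch Kirk points out.
        codes.append("starttls-over-ldaps")
    return codes

def lint_server(conf):
    """Return finding codes for the TLS settings in slapd.conf."""
    codes = []
    for key, value in parse(conf):
        if key == "TLSCIPHERSUITE" and re.search(r"\bSSLV2\b|EXPORT|\bLOW\b", value.upper()):
            codes.append("weak-ciphersuite")  # e.g. HIGH:MEDIUM:+SSLv2 admits SSLv2
    return codes

# Constructed samples mirroring the posted files (example.com replaces the redacted host).
CLIENT_CONF = """\
URI ldap://ldaptest.example.com/
URI ldaps://ldaptest.example.com/
TLS_CACER /usr/local/etc/cacert.pem
ssl start_tls
"""
SERVER_CONF = ("TLSCACertificateFile /usr/local/etc/openldap/demoCA/cacert.pem\n"
               "TLSCipherSuite HIGH:MEDIUM:+SSLv2\n")
```

Whether `TLS_CACER` is a transcription slip or the real fault, the check isolates it from the StartTLS-over-ldaps mistake so each can be confirmed separately against the client's actual ldap.conf.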