TLS trace: SSL3 alert write:warning:bad certificate
Hello,
I think my ldap server is good, but TLS doesn't work.
In the file /etc/openldap/slapd.conf, if I put TLSVerifyClient allow, ldapsearch works.
But if I put TLSVerifyClient demand, ldapsearch doesn't work:
root@firewall /etc/ssl # ldapsearch -H ldap://firewall -d3 -D "****" -v -x -w ****** -ZZ
ldap_initialize( ldap://firewall )
ldap_create
ldap_url_parse_ext(ldap://firewall)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP firewall:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.10:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: firewall port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Aug 18 10:01:18 2004
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 78 07 0a 0....x..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=148, written=148
...
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 00 4a 02 00 ....J..
tls_read: want=72, got=72
...
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 06 50 ....P
tls_read: want=1616, got=1616
...
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr
TLS certificate verification: depth: 0, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=firewall/emailAddress=support@iwall.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
0000: 16 03 01 00 92 .....
tls_read: want=146, got=146
...
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210
...
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
root@firewall /etc/ssl # ldapsearch -H ldap://firewall -d1 -D "cn=Manager,dc=*****" -v -x -w ldap*****pwd -ZZ
ldap_initialize( ldap://firewall )
ldap_create
ldap_url_parse_ext(ldap://firewall)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP firewall:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.10:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: firewall port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Aug 18 10:01:53 2004
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
TLS certificate verification: depth: 0, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=firewall/emailAddress=support@*****.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
So I verified my SSL certificates:
On the server:
root@firewall /etc/ssl # openssl s_server -accept 4443 -cert certs/ca.pem -key private/ca.key -verify 3 -www
verify depth is 3
Using default temp DH parameters
ACCEPT
depth=1 /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
verify return:1
depth=0 /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=firewall/emailAddress=support@*****.fr
verify return:1
On the client:
root@firewall /etc/ssl # openssl s_client -state -prexit -connect 127.0.0.1:4443 -CAfile /etc/openldap/ca.pem -cert /etc/openldap/127.0.0.1.pem -key /etc/openldap/127.0.0.1.key -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 080AD168 [080B0570] (148 bytes => 148 (0x94))
...
SSL_connect:SSLv2/v3 write client hello A
read from 080AD168 [080B5AD0] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 4a 02 ....J.
0007 - <SPACES/NULS>
read from 080AD168 [080B5AD7] (72 bytes => 72 (0x48))
...
SSL_connect:SSLv3 read server hello A
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 16 03 01 03 67 ....g
read from 080AD168 [080B5AD5] (871 bytes => 871 (0x367))
...
depth=0 /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 16 03 01 01 0d .....
read from 080AD168 [080B5AD5] (269 bytes => 269 (0x10D))
...
SSL_connect:SSLv3 read server key exchange A
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 0f .....
read from 080AD168 [080B5AD5] (15 bytes => 15 (0xF))
0000 - 0d 00 00 07 04 03 04 01-02 00 00 0e ............
000f - <SPACES/NULS>
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
write to 080AD168 [080BFBF8] (1621 bytes => 1621 (0x655))
..
SSL_connect:SSLv3 write client certificate A
write to 080AD168 [080BFBF8] (75 bytes => 75 (0x4B))
...
SSL_connect:SSLv3 write client key exchange A
write to 080AD168 [080BFBF8] (139 bytes => 139 (0x8B))
...
SSL_connect:SSLv3 write certificate verify A
write to 080AD168 [080BFBF8] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01 ......
SSL_connect:SSLv3 write change cipher spec A
write to 080AD168 [080BFBF8] (53 bytes => 53 (0x35))
...
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01 .....
read from 080AD168 [080B5AD5] (1 bytes => 1 (0x1))
0000 - 01 .
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 080AD168 [080B5AD5] (48 bytes => 48 (0x30))
...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
i:/C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
issuer=/C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
---
No client certificate CA names sent
---
SSL handshake has read 1308 bytes and written 2042 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 82619153526F847492648A2B665385E6C838ED38F7F38DAA0A892988B8952EDA
Session-ID-ctx:
Master-Key: 5FED79F4DD69E801EB14E4060E2315787847552D1C426EF17D3C5546AE176286C860C4F8CFF71C827BF4D734EA074980
Key-Arg : None
Start Time: 1092816332
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
So I think my certificates are good.
To run slapd, I type "/usr/lib/openldap/slapd -- -u ldap -g ldap -s -1 -h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock"
My /etc/openldap/ldap.conf:
BASE dc=*****
HOST firewall
URI ldap://firewall:389
TLS_REQCERT allow
My /etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
schemacheck on
lastmod on
password-hash {sha}
TLSCertificateFile /etc/openldap/127.0.0.1.pem
TLSCertificateKeyFile /etc/openldap/127.0.0.1.key
TLSCACertificateFile /etc/ssl/certs/ca.pem
TLSCipherSuite :SSLv3
TLSVerifyClient demand
... ACL and ldbm definitions
So I don't understand.
My config files seem fine, and so do the certificates.
Do you have any ideas?
Thanks a lot
Christophe.
P.S.: The common name I created the certificate with is "firewall", and when I type hostname -f, the result is "firewall".
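The two client traces above differ in one step that decides the outcome under TLSVerifyClient demand. OpenSSL prints "write certificate verify" only when the client actually presented a certificate; the openssl s_client run (which was given -cert/-key) shows that line, while both ldapsearch runs go straight from "write client certificate" to "write client key exchange", which is what an empty Certificate message looks like. The server then answers with the alert record dumped as "15 03 01 00 02" / "02 28": level 2 (fatal), description 40 (handshake_failure). The script below is an added example, not part of Christophe's post or of OpenLDAP, that reads such a trace and decodes the alert. Function names are hypothetical, and the sample trace lines are constructed from the excerpts above.

```python
"""Diagnose a failed StartTLS client-auth handshake from an OpenLDAP client
debug trace (ldapsearch -d3 ... -ZZ) or an openssl s_client -state -debug trace.
Example code; not from the original post or from OpenLDAP.

Two facts can be read straight out of such a trace:
  * OpenSSL emits "write certificate verify" only when the client presented a
    certificate. "write client certificate" followed directly by "write client
    key exchange" means an empty Certificate message went out.
  * An alert record is a 5-byte header (0x15, version, length=2) followed by
    two bytes: level (1 warning, 2 fatal) and description (RFC 5246 s.7.2).
"""
import re

# Alert descriptions relevant to certificate problems (116 is TLS 1.3 only).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 116: "certificate_required",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# One hexdump line from either tool: "0000: 15 03 01 00 02   ....." (OpenLDAP)
# or "0000 - 02 28   .(" (openssl -debug, which joins bytes 8/9 with '-').
# Hex pairs are taken greedily and stop at the first non-hex token (the ASCII
# gutter); a gutter that itself starts with two hex characters would be misread.
HEX_LINE = re.compile(r"^\s*[0-9a-f]{4}\s*[:-]\s+((?:[0-9a-f]{2}(?:[\s-]+|$))+)", re.I)


def hexdump_bytes(line):
    """Return the bytes shown on one hexdump line, or b"" for any other line."""
    m = HEX_LINE.match(line)
    if not m:
        return b""
    return bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))


def decode_alert(record_header, payload):
    """Decode a TLS alert from its record header and body; None if not an alert."""
    if len(record_header) < 5 or record_header[0] != 0x15:
        return None
    if int.from_bytes(record_header[3:5], "big") != 2 or len(payload) < 2:
        return None
    level, desc = payload[0], payload[1]
    return {
        "version": RECORD_VERSIONS.get((record_header[1], record_header[2]), "unknown"),
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
    }


def analyse_trace(lines):
    """Summarise the client-authentication part of a handshake trace."""
    requested = any("read server certificate request" in l for l in lines)
    wrote_cert = any("write client certificate" in l for l in lines)
    wrote_verify = any("write certificate verify" in l for l in lines)  # only with a real cert

    # Consecutive hexdump chunks are (record header, record body) pairs;
    # keep the first pair that decodes as an alert.
    chunks = [b for b in (hexdump_bytes(l) for l in lines) if b]
    alert = None
    for header, body in zip(chunks, chunks[1:]):
        alert = decode_alert(header, body)
        if alert:
            break

    if requested and wrote_cert and not wrote_verify:
        verdict = ("server asked for a client certificate but the client sent an empty "
                   "Certificate message: no client cert/key is configured on the client")
    elif requested and wrote_verify:
        verdict = "client presented a certificate and signed CertificateVerify"
    elif not requested:
        verdict = "server did not request a client certificate"
    else:
        verdict = "inconclusive"
    return {"client_cert_requested": requested, "client_cert_sent": wrote_verify,
            "alert": alert, "verdict": verdict}


# Constructed sample: the relevant lines of the failing ldapsearch -d3 -ZZ trace.
LDAPSEARCH_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure""".splitlines()

# Constructed sample: the same steps from the successful openssl s_client run.
S_CLIENT_TRACE = """\
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 read finished A""".splitlines()

if __name__ == "__main__":
    for name, trace in (("ldapsearch", LDAPSEARCH_TRACE), ("s_client", S_CLIENT_TRACE)):
        print(name, analyse_trace(trace))
```

Two caveats when reading the result against the post's configuration. The ldap.conf shown sets TLS_REQCERT, which only governs how the client checks the server's certificate; for ldapsearch to present a certificate it needs TLS_CERT and TLS_KEY, which ldap.conf(5) treats as user-only options (~/.ldaprc or the LDAPTLS_CERT/LDAPTLS_KEY environment variables). And the openssl s_server check used -verify, which requests a certificate but does not fail the handshake when none arrives (s_server's "No client certificate CA names sent" also shows it was started without -CAfile); -Verify (capital V) is the s_server mode that, like TLSVerifyClient demand, refuses a client that sends no certificate.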