
TLS trace: SSL3 alert write:warning:bad certificate



Hello,

I think my LDAP server is fine, but TLS doesn't work.
In the file /etc/openldap/slapd.conf, if I put TLSVerifyClient allow, ldapsearch works.
But if I put TLSVerifyClient demand, ldapsearch doesn't work:


root@firewall /etc/ssl # ldapsearch -H ldap://firewall -d3 -D "****" -v -x -w ****** -ZZ
ldap_initialize( ldap://firewall )
ldap_create
ldap_url_parse_ext(ldap://firewall)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP firewall:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.10:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: firewall  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Aug 18 10:01:18 2004

** Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 78 07 0a                            0....x..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=148, written=148
...
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000:  16 03 01 00 4a 02 00                               ....J..
tls_read: want=72, got=72
...
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
  0000:  16 03 01 06 50                                     ....P
tls_read: want=1616, got=1616

...
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr
TLS certificate verification: depth: 0, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=firewall/emailAddress=support@iwall.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=iWall/OU=iWall/CN=iWall/emailAddress=support@iwall.fr
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
  0000:  16 03 01 00 92                                     .....
tls_read: want=146, got=146

...
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210
...
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
root@firewall /etc/ssl # ldapsearch -H ldap://firewall -d1 -D "cn=Manager,dc=*****" -v -x -w ldap*****pwd -ZZ
ldap_initialize( ldap://firewall )
ldap_create
ldap_url_parse_ext(ldap://firewall)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP firewall:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.10:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: firewall  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Aug 18 10:01:53 2004

** Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type extended-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
TLS certificate verification: depth: 0, err: 19, subject: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=firewall/emailAddress=support@*****.fr, issuer: /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure


So I checked my SSL certificates:
On the server:

root@firewall /etc/ssl # openssl s_server -accept 4443 -cert certs/ca.pem -key private/ca.key -verify 3 -www
verify depth is 3
Using default temp DH parameters
ACCEPT
depth=1 /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
verify return:1
depth=0 /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=firewall/emailAddress=support@*****.fr
verify return:1
On the client:
root@firewall /etc/ssl # openssl s_client -state -prexit -connect 127.0.0.1:4443  -CAfile /etc/openldap/ca.pem -cert /etc/openldap/127.0.0.1.pem -key /etc/openldap/127.0.0.1.key -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 080AD168 [080B0570] (148 bytes => 148 (0x94))

...
SSL_connect:SSLv2/v3 write client hello A
read from 080AD168 [080B5AD0] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 4a 02                                 ....J.
0007 - <SPACES/NULS>
read from 080AD168 [080B5AD7] (72 bytes => 72 (0x48))
...
SSL_connect:SSLv3 read server hello A
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 16 03 01 03 67                                    ....g
read from 080AD168 [080B5AD5] (871 bytes => 871 (0x367))

...
depth=0 /C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 16 03 01 01 0d                                    .....
read from 080AD168 [080B5AD5] (269 bytes => 269 (0x10D))

...
SSL_connect:SSLv3 read server key exchange A
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 0f                                    .....
read from 080AD168 [080B5AD5] (15 bytes => 15 (0xF))
0000 - 0d 00 00 07 04 03 04 01-02 00 00 0e               ............
000f - <SPACES/NULS>
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
write to 080AD168 [080BFBF8] (1621 bytes => 1621 (0x655))

..
SSL_connect:SSLv3 write client certificate A
write to 080AD168 [080BFBF8] (75 bytes => 75 (0x4B))

...
SSL_connect:SSLv3 write client key exchange A
write to 080AD168 [080BFBF8] (139 bytes => 139 (0x8B))
...
SSL_connect:SSLv3 write certificate verify A
write to 080AD168 [080BFBF8] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01                                 ......
SSL_connect:SSLv3 write change cipher spec A
write to 080AD168 [080BFBF8] (53 bytes => 53 (0x35))
...
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01                                    .....
read from 080AD168 [080B5AD5] (1 bytes => 1 (0x1))
0000 - 01                                                .
read from 080AD168 [080B5AD0] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30                                    ....0
read from 080AD168 [080B5AD5] (48 bytes => 48 (0x30))
...
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
   i:/C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
issuer=/C=FR/ST=FRANCE/L=NANTES/O=*****/OU=*****/CN=*****/emailAddress=support@*****.fr
---
No client certificate CA names sent
---
SSL handshake has read 1308 bytes and written 2042 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 82619153526F847492648A2B665385E6C838ED38F7F38DAA0A892988B8952EDA
    Session-ID-ctx:
    Master-Key: 5FED79F4DD69E801EB14E4060E2315787847552D1C426EF17D3C5546AE176286C860C4F8CFF71C827BF4D734EA074980
    Key-Arg   : None
    Start Time: 1092816332
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So I think my certificates are good.

To start slapd, I type "/usr/lib/openldap/slapd -- -u ldap -g ldap -s -1 -h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
My /etc/openldap/ldap.conf:

BASE            dc=*****
HOST            firewall
URI             ldap://firewall:389
TLS_REQCERT     allow

My /etc/openldap/slapd.conf:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
schemacheck     on
lastmod         on
password-hash {sha}
TLSCertificateFile /etc/openldap/127.0.0.1.pem
TLSCertificateKeyFile /etc/openldap/127.0.0.1.key
TLSCACertificateFile /etc/ssl/certs/ca.pem
TLSCipherSuite :SSLv3
TLSVerifyClient demand
... ACL and ldbm definitions


So I don't understand.
My config files seem good, and so do my certificates.
Do you have any ideas?
Thanks a lot,
Christophe.

P.S.: The common name I created the certificate with is "firewall", and when I type hostname -f, the result is "firewall".
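Added example (not part of Christophe's post, and not OpenLDAP or OpenSSL code): a small Python script that reads an OpenSSL state trace, either the `TLS trace:` lines that `ldapsearch -d1` prints or the `SSL_connect:` lines from `openssl s_client -state`, and reports whether the server asked for a client certificate, whether the client actually answered with one, which server-certificate verification errors occurred, and which alert ended the handshake. The two embedded traces are abridged from the ones above (DNs shortened, duplicate lines dropped); the alert and error tables are subsets of the TLS AlertDescription registry and OpenSSL's X509_V_ERR_* codes. What it makes visible is the difference between the two runs on this page: in both ldapsearch traces the client writes its certificate message and goes straight on to the key exchange, with no `write certificate verify A`, a step OpenSSL performs only when it holds a client certificate and key to sign with; the s_client run, started with -cert/-key, does perform it. The server's reply, the record bytes `15 03 01 00 02` followed by `02 28`, decodes to a fatal handshake_failure (alert 40).

```python
"""Check an OpenSSL state trace from an LDAP StartTLS attempt: did the server ask for a
client certificate, did the client really present one, how did server-certificate
verification go, and which alert ended the handshake?  Added example; not OpenLDAP code."""
import re

# Subsets of the TLS AlertDescription values (RFC 2246, section 7.2) and of OpenSSL's
# X509_V_ERR_* codes; enough for what shows up in LDAP StartTLS traces.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERT_RECORD = 0x15
X509_VERIFY_ERRORS = {
    10: "certificate has expired", 18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate", 21: "unable to verify the first certificate",
}

# liblber hex dump line: "  0000:  15 03 01 00 02        ....." (hex field, 3+ spaces, ASCII column)
HEX_DUMP = re.compile(r"^\s*[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2}\s{1,2})*[0-9a-fA-F]{2})(?:\s{3,}.*)?$")
STATE = re.compile(r"SSL_connect:SSLv3 (.+?)\s*$")  # handshake state-machine steps
VERIFY = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.*?), issuer: (.*)$")
ALERT_TEXT = re.compile(r"SSL3 alert read:(\w+):(.+?)\s*$")


def hex_chunks(lines):
    """Decode every hex-dump line to bytes, keeping the order in which the trace read them."""
    chunks = []
    for line in lines:
        m = HEX_DUMP.match(line)
        if m:
            chunks.append(bytes.fromhex(m.group(1)))
    return chunks


def decode_alert_record(chunks):
    """Pair a 5-byte TLS record header of type alert (0x15) with the 2-byte body dumped
    right after it.  Returns (level, description) or None if no alert record was dumped."""
    for header, body in zip(chunks, chunks[1:]):
        if len(header) == 5 and header[0] == TLS_ALERT_RECORD and len(body) >= 2:
            if int.from_bytes(header[3:5], "big") == 2:
                return (ALERT_LEVELS.get(body[0], f"level {body[0]}"),
                        ALERT_DESCRIPTIONS.get(body[1], f"alert {body[1]}"))
    return None


def analyse_trace(lines):
    states, verify_errors, alert = [], [], None
    for line in lines:
        m = STATE.search(line)
        if m:
            states.append(m.group(1))
        m = VERIFY.search(line)
        if m:
            depth, err = int(m.group(1)), int(m.group(2))
            verify_errors.append((depth, err, X509_VERIFY_ERRORS.get(err, f"X509_V_ERR {err}"), m.group(3)))
        m = ALERT_TEXT.search(line)
        if m:
            alert = (m.group(1), m.group(2))
    return {
        "cert_requested": "read server certificate request A" in states,
        "client_cert_written": "write client certificate A" in states,
        # OpenSSL sends CertificateVerify only when it actually has a client cert and key to sign with
        "certificate_verify_written": "write certificate verify A" in states,
        "finished_read": "read finished A" in states,
        "verify_errors": verify_errors,
        "alert": alert,
        "alert_from_bytes": decode_alert_record(hex_chunks(lines)),
    }


def diagnose(report):
    if report["alert"] is None and report["finished_read"]:
        return "handshake completed"
    if report["cert_requested"] and report["client_cert_written"] and not report["certificate_verify_written"]:
        return ("server asked for a client certificate but the client sent no CertificateVerify, "
                "so it presented no certificate/key; a server with TLSVerifyClient demand rejects that")
    return f"handshake failed: alert {report['alert']}"


# Constructed sample input: abridged from the ldapsearch -d1 and openssl s_client traces in the post.
LDAPSEARCH_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=FR/O=iWall/CN=iWall, issuer: /C=FR/O=iWall/CN=iWall
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 0, err: 19, subject: /C=FR/O=iWall/CN=firewall, issuer: /C=FR/O=iWall/CN=iWall
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
"""
S_CLIENT_TRACE = """\
SSL_connect:SSLv3 read server hello A
depth=0 /C=FR/O=iWall/CN=iWall
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 read finished A
"""

if __name__ == "__main__":
    for name, trace in (("ldapsearch -ZZ", LDAPSEARCH_TRACE), ("openssl s_client -cert/-key", S_CLIENT_TRACE)):
        r = analyse_trace(trace.splitlines())
        print(f"{name}: {diagnose(r)}; alert bytes -> {r['alert_from_bytes']}")
        for depth, err, desc, subject in r["verify_errors"]:
            print(f"  verify depth {depth}: err {err} ({desc}) {subject}")
```

Two things the script's output points at, stated as caveats rather than as the poster's conclusion. First, the ldap.conf shown sets TLS_REQCERT but neither TLS_CACERT nor TLS_CERT/TLS_KEY; err 19 on the client side is what OpenSSL reports when the self-signed CA at the top of the chain is not among the trusted CAs, and ldap.conf(5) documents TLS_CERT and TLS_KEY as user-only options, which are ignored in the system-wide ldap.conf and are read from ~/.ldaprc or the file named by $LDAPRC instead. Second, the s_server check was started with -cert certs/ca.pem -key private/ca.key, so s_client verified the CA's own self-signed certificate (the chain it prints has a single self-issued entry), not the 127.0.0.1.pem leaf that slapd serves, which is why that test passing says little about the slapd handshake.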