
problem with clientside TLS



I'm trying to set up client-side TLS with openldap 2.1.29.

Server-side works OK. I've just generated a client cert, signed it with the same CA as the server cert, and added
TLSVerifyClient demand
in slapd.conf


However, it doesn't work anymore:
guillomovitch@katu:~$ ldapsearch -x -H ldaps://ldap.zarb.org
ldap_bind: Can't contact LDAP server (81)

guillomovitch@katu:~$ ldapsearch -x -H ldaps://ldap.zarb.org -d 9
ldap_create
ldap_url_parse_ext(ldaps://ldap.zarb.org)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.zarb.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 212.85.153.250:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=katu3
TLS certificate verification: depth: 0, err: 0, subject: C=, ST=, L=, O=zarb.org, OU=ldap server, CN=ldap.zarb.org/Email=ldapmaster@zarb.org, issuer: C=, ST=Some-State, L=, O=zarb.org, OU=certification authority, CN=ca.zarb.org/Email=camaster@zarb.org
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 3
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldap.zarb.org port: 636 (default)
refcnt: 2 status: Connected
last used: Wed Nov 24 23:27:35 2004


** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next failed.
ldap_perror
ldap_bind: Can't contact LDAP server (81)

Here is my .ldaprc:
TLS_CACERT      /etc/ssl/crt/ca.pem
TLS_REQCERT     demand
TLS_CERT        /etc/ssl/client.crt
TLS_KEY         /etc/ssl/client.key

Following http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.2, I tested with openssl s_client:

guillomovitch@katu:~$ openssl s_client -connect ldap.zarb.org:636 -showcerts -state -CAfile /etc/ssl/crt/ca.pem -cert /etc/ssl/client.crt -key /etc/ssl/client.key
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org
verify return:1
depth=0 /C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org
i:/C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org
issuer=/C=FR/ST=Some-State/O=zarb.org/OU=certification authority/CN=ca.zarb.org/Email=camaster@zarb.org
---
No client certificate CA names sent
---
SSL handshake has read 1681 bytes and written 282 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 12E58010D2F0364E7965C3DD2974012903B37756661955B8730129E1CBADEE69
Session-ID-ctx:
Master-Key: D7F2483CFF8C438B17D6D9278100770E413666AE9F71CDE5C64834D6431242928F381236DCABFB5866F9FAB516BA372B
Key-Arg : None
Start Time: 1101335314
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
SSL3 alert write:warning:close notify


Note that I still have the infamous "No client certificate CA names sent" line, and my SSL handshake trace is slightly different from the one shown in the document: no "SSL_connect:SSLv3 read server certificate request A", but "SSL_connect:SSLv3 read server key exchange A".

My openssl s_client version is 0.9.6c, while ldap is linked against libopenssl 0.9.7c, which could explain part of the problem.
--
Why is it when two planes almost hit each other it is called a "near miss"? Shouldn't it be called a "near hit"?
-- Why Why Why n°43
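An added helper, not part of the post above: a small parser for an `openssl s_client -state` transcript like the one shown, which reports whether the server ever sent a CertificateRequest (the point behind the "No client certificate CA names sent" line) and what the server-certificate verification returned. It assumes the state-string wording of OpenSSL 0.9.x s_client; the sample input is a trimmed excerpt of the poster's own transcript.

```python
import re

# Excerpt of the poster's `openssl s_client -state` transcript, trimmed to
# the lines the diagnosis needs (certificate bodies and session keys omitted).
SAMPLE_OUTPUT = """\
SSL_connect:SSLv3 read server hello A
depth=0 /C=FR/O=zarb.org/OU=ldap server/CN=ldap.zarb.org/Email=ldapmaster@zarb.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Verify return code: 0 (ok)
"""


def diagnose_s_client(output):
    """Summarise what an s_client transcript says about client-certificate
    negotiation and server-certificate verification."""
    # With -state, this state is printed only if the server actually sent a
    # CertificateRequest message during the handshake.
    state_trace = "SSL_connect:" in output
    cert_request_seen = "read server certificate request" in output
    # s_client lists the CA names the server accepts, or prints the fixed
    # "No client certificate CA names sent" line when the list is empty.
    ca_names_sent = "Acceptable client certificate CA names" in output
    ca_names_absent = "No client certificate CA names sent" in output
    verify = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    cipher = re.search(r"Cipher is (\S+)", output)
    client_auth_requested = cert_request_seen or ca_names_sent
    if client_auth_requested:
        diagnosis = "server asked for a client certificate"
    elif state_trace and ca_names_absent:
        diagnosis = ("handshake finished without a CertificateRequest: client "
                     "certificates are not being demanded on this listener")
    elif ca_names_absent:
        diagnosis = "no CA names sent; rerun with -state to see whether a CertificateRequest was sent"
    else:
        diagnosis = "transcript too short to tell"
    return {
        "cert_request_seen": cert_request_seen,
        "ca_names_sent": ca_names_sent,
        "client_auth_requested": client_auth_requested,
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_ok": bool(verify) and verify.group(1) == "0",
        "cipher": cipher.group(1) if cipher else None,
        "diagnosis": diagnosis,
    }
```

Run it on a transcript from your own listener; a handshake that verifies the server cert fine but never reaches "read server certificate request" means the server side is not asking for the client cert at all, whatever the client's TLS_CERT/TLS_KEY settings are.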