[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ssl and openldap



Some info you have to provide so mailist folks could have more clues: OS and version, OpenLDAP version, your "./configure" arguments for OpenLDAP.
 
You may also turn on debugging mode: "ldapsearch -d -1 ...", and post more specific error to the mail list.

	-----Original Message----- 
	From: Gustavo Rios [mailto:vieira.rios@gmail.com] 
	Sent: Mon 1/10/2005 10:00 PM 
	To: Tay, Gary; openldap-software@openldap.org 
	Cc: 
	Subject: Re: ssl and openldap
	
	

	On Mon, 10 Jan 2005 21:40:49 +0800, Tay, Gary <Gary_Tay@platts.com> wrote:
	> 1) I notice there are "\x"s in the cert, not sure if "\x" is allowed in SSL cert? Could you not use "\x"?
	
	I did not put that. It was put by openssl when i type any special
	letter my natural language supports. And no problem has been detected
	with apache and common browsers, like netscape and I.E. I think this
	is not an issue.
	
	> 2) IIRC, if you are using self-sign cert, the issuer of server cert. should not be:
	>
	> issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	> Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	> Vit\xF3ria/CN=FESV Certification Authority
	> Office/emailAddress=gustavo.rios@fesv.br
	>
	> It should be identical to server cert's subject.
	>
	> issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	> Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	> Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
	
	Oops. I have been using such a cert with apache and everything works
	great with netscape and I.E. Your statement is a ssl/tls requirement
	or and openldap one?
	Just asking because what you said make no sense to me.
	
	
	From my tests, is anything wrong in the output ?
	
	Thanks.
	
	>        -----Original Message-----
	>        From: Gustavo Rios [mailto:vieira.rios@gmail.com]
	>        Sent: Mon 1/10/2005 9:17 PM
	>        To: Tay, Gary; openldap-software@openldap.org
	>        Cc:
	>        Subject: Re: ssl and openldap
	>
	>        Here you have it:
	>
	>        etosha$ openssl s_client -connect localhost:636 -showcerts -state
	>        -CAfile /var/ca1/crt/ca.crt
	>        CONNECTED(00000004)
	>        SSL_connect:before/connect initialization
	>        SSL_connect:SSLv2/v3 write client hello A
	>        SSL_connect:SSLv3 read server hello A
	>        depth=1 /C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	>        Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	>        Vit\xF3ria/CN=FESV Certification Authority
	>        Office/emailAddress=gustavo.rios@fesv.br
	>        verify return:1
	>        depth=0 /C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	>        Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	>        Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
	>        verify return:1
	>        SSL_connect:SSLv3 read server certificate A
	>        SSL_connect:SSLv3 read server done A
	>        SSL_connect:SSLv3 write client key exchange A
	>        SSL_connect:SSLv3 write change cipher spec A
	>        SSL_connect:SSLv3 write finished A
	>        SSL_connect:SSLv3 flush data
	>        SSL_connect:SSLv3 read finished A
	>        ---
	>        Certificate chain
	>         0 s:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	>        Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	>        Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
	>           i:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	>        Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	>        Vit\xF3ria/CN=FESV Certification Authority
	>        Office/emailAddress=gustavo.rios@fesv.br
	>        -----BEGIN CERTIFICATE-----
	>        MIIFyjCCBLKgAwIBAgIBAzANBgkqhkiG9w0BAQMFADCB6jELMAkGA1UEBhMCQlIx
	>        FzAVBgNVBAgUDkVzcO1yaXRvIFNhbnRvMRAwDgYDVQQHFAdWaXTzcmlhMTMwMQYD
	>        VQQKFCpTb2NpZWRhZGUgZGUgRW5zaW5vIFN1cGVyaW9yIEVzdOFjaW8gZGUgU+Ex
	>        KDAmBgNVBAsUH0ZhY3VsZGFkZSBFc3ThY2lvIGRlIFPhIFZpdPNyaWExLDAqBgNV
	>        BAMTI0ZFU1YgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgT2ZmaWNlMSMwIQYJKoZI
	>        hvcNAQkBFhRndXN0YXZvLnJpb3NAZmVzdi5icjAeFw0wNTAxMDkxOTQ1NDBaFw0w
	>        NjAxMDkxOTQ1NDBaMIHVMQswCQYDVQQGEwJCUjEXMBUGA1UECBQORXNw7XJpdG8g
	>        U2FudG8xEDAOBgNVBAcUB1ZpdPNyaWExMzAxBgNVBAoUKlNvY2llZGFkZSBkZSBF
	>        bnNpbm8gU3VwZXJpb3IgRXN04WNpbyBkZSBT4TEoMCYGA1UECxQfRmFjdWxkYWRl
	>        IEVzdOFjaW8gZGUgU+EgVml083JpYTEXMBUGA1UEAxMOZXRvc2hhLmZlc3YuYnIx
	>        IzAhBgkqhkiG9w0BCQEWFGd1c3Rhdm8ucmlvc0BmZXN2LmJyMIIBIjANBgkqhkiG
	>        9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyRNNZ2j/X/3sHU9upsGTVrNDFM6jrh6YInnw
	>        FOnTsr5CPM/jjNX81mRxSLmA//ppkJgI/WWT6/+T7xPxsHG/EOsnFBZGuVpxPzSR
	>        lQ2T/legB5AG9SOwSjtx+85Pd/CZE6it3vdZrVt0d7aifRdXreJiDqZyo/iAK15f
	>        UvPheJUY3RK6GJQ7RVO1BACYzNXEReUnArxnHODp2pj1UTctAbcyqKk481OVC+Oc
	>        4BKHJRHrGvgGFLECHVVDFnTNMnmR4mzH1mOedp8ic6cUclCOSp21WSVndsWhTNVu
	>        wBGqExi66QIiys1Fjgtkaw9BI0UC568Mi7kTDzZkHYa+PQD1PwIDAQABo4IBjDCC
	>        AYgwCQYDVR0TBAIwADA/BglghkgBhvhCAQ0EMhYwQ2VydGlmaWNhdGUgaXNzdWVk
	>        IGJ5IGh0dHA6Ly9ldG9zaGEuZmVzdi5ici9zc2wvMB0GA1UdDgQWBBTIq6MIMLOf
	>        AOlqZTnXeZzBxjNtRDCCARkGA1UdIwSCARAwggEMgBRCzxjE4AI0AoVS9ow96ZWR
	>        2mEbYKGB8KSB7TCB6jELMAkGA1UEBhMCQlIxFzAVBgNVBAgUDkVzcO1yaXRvIFNh
	>        bnRvMRAwDgYDVQQHFAdWaXTzcmlhMTMwMQYDVQQKFCpTb2NpZWRhZGUgZGUgRW5z
	>        aW5vIFN1cGVyaW9yIEVzdOFjaW8gZGUgU+ExKDAmBgNVBAsUH0ZhY3VsZGFkZSBF
	>        c3ThY2lvIGRlIFPhIFZpdPNyaWExLDAqBgNVBAMTI0ZFU1YgQ2VydGlmaWNhdGlv
	>        biBBdXRob3JpdHkgT2ZmaWNlMSMwIQYJKoZIhvcNAQkBFhRndXN0YXZvLnJpb3NA
	>        ZmVzdi5icoIBADANBgkqhkiG9w0BAQMFAAOCAQEAlO5aOLbQR1A5adxCkcNqFAi+
	>        oJbfg9csRR9t264dThqNbNv4NWi0vgSEWDtfhfKMtM/bDo85sZPZ3uohUUKnBxlx
	>        Lau2K2Lkph8CuuNt03OMgZPt7HgMMY1XgUtDjmFGpd3VBlhZpYqOvpyasJfH1AUO
	>        4VSzLkHPQcb9o4teWBx57+URKI4ljCAbxNa1cp3GgH2yJSXRJaOoyletYLfbU5I5
	>        vpfoMsJB+BF7gb0LHnA5jB55NQQ1AWI8yIH7eYVRRxucBxsh4pNv+uKEeHzgoeTG
	>        8tsCmRkw8CWMX220lrh7P0te40IDxAo9H5S3ppRXx+O3vMxpgPVdj8Rt8rIGzQ==
	>        -----END CERTIFICATE-----
	>         1 s:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	>        Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	>        Vit\xF3ria/CN=FESV Certification Authority
	>        Office/emailAddress=gustavo.rios@fesv.br
	>           i:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	>        Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	>        Vit\xF3ria/CN=FESV Certification Authority
	>        Office/emailAddress=gustavo.rios@fesv.br
	>        -----BEGIN CERTIFICATE-----
	>        MIIF4jCCBMqgAwIBAgIBADANBgkqhkiG9w0BAQMFADCB6jELMAkGA1UEBhMCQlIx
	>        FzAVBgNVBAgUDkVzcO1yaXRvIFNhbnRvMRAwDgYDVQQHFAdWaXTzcmlhMTMwMQYD
	>        VQQKFCpTb2NpZWRhZGUgZGUgRW5zaW5vIFN1cGVyaW9yIEVzdOFjaW8gZGUgU+Ex
	>        KDAmBgNVBAsUH0ZhY3VsZGFkZSBFc3ThY2lvIGRlIFPhIFZpdPNyaWExLDAqBgNV
	>        BAMTI0ZFU1YgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgT2ZmaWNlMSMwIQYJKoZI
	>        hvcNAQkBFhRndXN0YXZvLnJpb3NAZmVzdi5icjAeFw0wNTAxMDkxNjA3MjdaFw0x
	>        NTAxMDcxNjA3MjdaMIHqMQswCQYDVQQGEwJCUjEXMBUGA1UECBQORXNw7XJpdG8g
	>        U2FudG8xEDAOBgNVBAcUB1ZpdPNyaWExMzAxBgNVBAoUKlNvY2llZGFkZSBkZSBF
	>        bnNpbm8gU3VwZXJpb3IgRXN04WNpbyBkZSBT4TEoMCYGA1UECxQfRmFjdWxkYWRl
	>        IEVzdOFjaW8gZGUgU+EgVml083JpYTEsMCoGA1UEAxMjRkVTViBDZXJ0aWZpY2F0
	>        aW9uIEF1dGhvcml0eSBPZmZpY2UxIzAhBgkqhkiG9w0BCQEWFGd1c3Rhdm8ucmlv
	>        c0BmZXN2LmJyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArYjDA/3d
	>        o78n8KBs6VIJ4PpbjhazoeGGS7uWJ+OHhuFHEeQnKFD5BPTo+sI3VWaBaFk4Zr3G
	>        yvzwRRRefg9aTR1Hm+xaIJBdVn6UMuL+LoiDEVk6haue6wX/mK+Ga1mU7AU/PBT6
	>        mzOqsGWN19a8LxO13YEb4JYBSh3c1xYFLOHZbtbh6MZgHDYbTW6SEf1RAEtbHGNc
	>        oodPvW8KW5+/2RYngAqeL9aO1kQnRqEx3rClGZ5qAHEo6+ZrP8Gnq7ho67XlXWJ1
	>        U/mYEoRsElfUaeLlsaj7se3hCN9xEzlyOsDgUrAfwLQEuBFLJB1aDoReeS9zWlvC
	>        3hjUiqM7kQ0OewIDAQABo4IBjzCCAYswHQYDVR0OBBYEFELPGMTgAjQChVL2jD3p
	>        lZHaYRtgMIIBGQYDVR0jBIIBEDCCAQyAFELPGMTgAjQChVL2jD3plZHaYRtgoYHw
	>        pIHtMIHqMQswCQYDVQQGEwJCUjEXMBUGA1UECBQORXNw7XJpdG8gU2FudG8xEDAO
	>        BgNVBAcUB1ZpdPNyaWExMzAxBgNVBAoUKlNvY2llZGFkZSBkZSBFbnNpbm8gU3Vw
	>        ZXJpb3IgRXN04WNpbyBkZSBT4TEoMCYGA1UECxQfRmFjdWxkYWRlIEVzdOFjaW8g
	>        ZGUgU+EgVml083JpYTEsMCoGA1UEAxMjRkVTViBDZXJ0aWZpY2F0aW9uIEF1dGhv
	>        cml0eSBPZmZpY2UxIzAhBgkqhkiG9w0BCQEWFGd1c3Rhdm8ucmlvc0BmZXN2LmJy
	>        ggEAMAwGA1UdEwQFMAMBAf8wPwYJYIZIAYb4QgENBDIWMENlcnRpZmljYXRlIGlz
	>        c3VlZCBieSBodHRwOi8vZXRvc2hhLmZlc3YuYnIvc3NsLzANBgkqhkiG9w0BAQMF
	>        AAOCAQEAfvkdXOior9cd/e2tsOZyA4OOYrizgP8r+/ALZmFYiW/TaVmXHulFqp2Q
	>        9gn+ySkJE2bzj+BkFUcio2gSOXcjEUctxXGtdEWLaRHTW9yRCxlC1WqwBmaqsIMk
	>        9tVausQDaDavCwTPewGXgVQhEsu8Oo7HV4pOcOn2KHJJVcEmb7vbx4WZxqNoyO6G
	>        LwopxWkXNiJ763UUty8RtnMAjqsZlcai5lha6UGGfTAWU/lYeg3Vj2gI3pT9zzC6
	>        7WQBFycAAI8jLyEdKKxeEd4Yp8+1pXZjXlC6YzTCkGVe7KAHNxGxLPiicCAX6MrA
	>        hrPXZlfcwPQTScS1YomOpz/yzudBug==
	>        -----END CERTIFICATE-----
	>        ---
	>        Server certificate
	>        subject=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	>        Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	>        Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
	>        issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	>        Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	>        Vit\xF3ria/CN=FESV Certification Authority
	>        Office/emailAddress=gustavo.rios@fesv.br
	>        ---
	>        No client certificate CA names sent
	>        ---
	>        SSL handshake has read 3161 bytes and written 468 bytes
	>        ---
	>        New, TLSv1/SSLv3, Cipher is AES256-SHA
	>        Server public key is 2048 bit
	>        SSL-Session:
	>            Protocol  : TLSv1
	>            Cipher    : AES256-SHA
	>            Session-ID: 99E32706AF5C998DDB52BB9CF2FD3EFB722D49ABA1E43B8C6DC46BC2A85DB181
	>            Session-ID-ctx:
	>            Master-Key:
	>        A2DF39188D95621A9E844FAD5DD77E7920199D9468A7E583FB2A447F0F7A0C893F5F59C5765B92C35F941A6CAF700847
	>            Key-Arg   : None
	>            Start Time: 1105362778
	>            Timeout   : 300 (sec)
	>            Verify return code: 0 (ok)
	>        ---
	>        ^C
	>        etosha$ ldapsearch -x -H ldaps://etosha.fesv.br
	>        ldap_bind: Can't contact LDAP server (-1)
	>                additional info: error:0D0890A1:asn1 encoding
	>        routines:ASN1_verify:unknown message digest algorithm
	>        etosha$
	>
	>        Any suggestion ?
	>
	>        On Mon, 10 Jan 2005 09:58:28 +0800, Tay, Gary <Gary_Tay@platts.com> wrote:
	>        > Hv u read this URL and done some local check?
	>        >
	>        > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
	>        >
	>        > 6.1 SSL Connection Check
	>        > To check the SSL connection, try this command:
	>        >
	>        > % openssl s_client -connect localhost:636 -showcerts -state -CAfile <ca
	>        > cert>
	>        >
	>        > (Note: Replace <ca cert> with the name of yr ca cert file)
	>        >
	>        > For the above command, post any err seen to OpenLDAP MailList.
	>        >
	>        > Gary
	>        >
	>        > -----Original Message-----
	>        > From: owner-openldap-software@OpenLDAP.org
	>        > [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Gustavo Rios
	>        > Sent: Monday, January 10, 2005 4:01 AM
	>        > To: openldap-software@OpenLDAP.org
	>        > Subject: ssl and openldap
	>        >
	>        > Hey list,
	>        >
	>        > since my last posts i have done progress with netscape browser (it's ok
	>        > now). Any how, let's forget about apache and this matter and keep
	>        > focused on ssl and openldap.
	>        >
	>        > After have re-done my CA configuration i tried again to have ssl working
	>        > for openldap, but no success so far.
	>        >
	>        > starting openldap (slapd -d 7) i had the following:
	>        >
	>        > ...
	>        > ...
	>        > TLS trace: SSL_accept:SSLv3 flush data
	>        > tls_read: want=5, got=5
	>        >  0000:  15 03 01 00 02                                     .....
	>        > tls_read: want=2, got=2
	>        >  0000:  02 33                                              .3
	>        > TLS trace: SSL3 alert read:fatal:decrypt error
	>        > TLS trace: SSL_accept:failed in SSLv3 read client certificate A
	>        > TLS: can't accept.
	>        > TLS: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt
	>        > error /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
	>        > connection_read(12): TLS accept error error=-1 id=1, closing
	>        > connection_closing: readying conn=1 sd=12 for close
	>        > connection_close: conn=1 sd=12
	>        >
	>        > The program i used to try connecting was ldapsearch, it's output was:
	>        >
	>        > etosha$ ldapsearch -ZZ -x
	>        > ldap_start_tls: Connect error (-11)
	>        >        additional info: error:0D0890A1:asn1 encoding
	>        > routines:ASN1_verify:unknown message digest algorithm etosha$
	>        >
	>        > Does anybody have any ideia about what is going on ?
	>        >
	>        > My slapd.conf is:
	>        >
	>        > TLSCACertificateFile    /var/ca1/crt/ca.crt
	>        > TLSCertificateFile      /var/ca1/crt/ldap.crt
	>        > TLSCertificateKeyFile   /var/ca1/pvt/ldap.key
	>        > TLSVerifyClient         never
	>        >
	>        > My ldap.conf is:
	>        > TLS_CACERT      /var/ca1/crt/ca.crt
	>        >
	>        > Thanks a lot for your time and cooperation.
	>        >
	>        > Best regards.
	>        >
	>
	>
	>