Re: ssl and openldap
- To: "Tay, Gary" <Gary_Tay@platts.com>, openldap-software@OpenLDAP.org
- Subject: Re: ssl and openldap
- From: Gustavo Rios <vieira.rios@gmail.com>
- Date: Mon, 10 Jan 2005 14:57:28 -0200
- In-reply-to: <A04B6AE6ED3BD742B64D5B17093F64E29130AA@IMSSGPX01.ims.mhm.mhc>
- References: <A04B6AE6ED3BD742B64D5B17093F64E29130AA@IMSSGPX01.ims.mhm.mhc>
Yes!
etosha$ openssl version
OpenSSL 0.9.7d 17 Mar 2004
etosha$
My slapd.conf (relevant parts only):
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/ca1/crt/ca.crt
TLSCertificateFile /var/ca1/crt/ldap.crt
TLSCertificateKeyFile /var/ca1/pvt/ldap.key
TLSVerifyClient never
My ldap.conf (whole file):
TLS_CACERT /var/ca1/crt/ca.crt
TLS_REQCERT demand
I hope it helps.
On Tue, 11 Jan 2005 00:17:12 +0800, Tay, Gary <Gary_Tay@platts.com> wrote:
> I hope that you are using the latest version of OpenSSL, e.g. 0.9.7x, and that you have read this FAQ article, which may provide useful information for you.
>
> http://www.openldap.org/faq/data/cache/185.html
>
> Gary
>
> -----Original Message-----
> From: Gustavo Rios [mailto:vieira.rios@gmail.com]
> Sent: Mon 1/10/2005 11:30 PM
> To: Tay, Gary; openldap-software@openldap.org
> Cc:
> Subject: Re: ssl and openldap
>
> Here you have it:
>
> etosha$ uname -a
> OpenBSD etosha.fesv.br 3.6 GENERIC#0 i386
> etosha$
>
> According to config.status
> # ./configure --prefix=/asd --enable-local --enable-ipv6 --with-cyrus-sasl --with-tls --enable-slapd --disable-cleartext --enable-bdb --disable-ldbm --enable-slurpd
>
> $ ls -l
> drwxr-xr-x 10 grios ord 1024 Dec 22 09:31 openldap-2.2.17
> -rw-r--r-- 1 grios ord 2569153 Dec 10 14:50 openldap-stable-20040923.tgz
>
> Gary, thank you very much for your time and patience.
>
> Kind regards.
>
> On Mon, 10 Jan 2005 22:52:12 +0800, Tay, Gary <Gary_Tay@platts.com> wrote:
> > Some info you have to provide so mailing list folks could have more clues: OS and version, OpenLDAP version, your "./configure" arguments for OpenLDAP.
> >
> > You may also turn on debugging mode: "ldapsearch -d -1 ...", and post the more specific error to the mailing list.
> >
> > -----Original Message-----
> > From: Gustavo Rios [mailto:vieira.rios@gmail.com]
> > Sent: Mon 1/10/2005 10:00 PM
> > To: Tay, Gary; openldap-software@openldap.org
> > Cc:
> > Subject: Re: ssl and openldap
> >
> > On Mon, 10 Jan 2005 21:40:49 +0800, Tay, Gary <Gary_Tay@platts.com> wrote:
> > > 1) I notice there are "\x"s in the cert; not sure if "\x" is allowed in an SSL cert? Could you not use "\x"?
> >
> > I did not put that. It was put there by openssl when I typed any special
> > letter my natural language supports. And no problem has been detected
> > with Apache and common browsers, like Netscape and I.E. I think this
> > is not an issue.
> >
> > > 2) IIRC, if you are using a self-signed cert, the issuer of the server cert should not be:
> > >
> > > issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=FESV Certification Authority
> > > Office/emailAddress=gustavo.rios@fesv.br
> > >
> > > It should be identical to server cert's subject.
> > >
> > > issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
> >
> > Oops. I have been using such a cert with Apache and everything works
> > great with Netscape and I.E. Is your statement an SSL/TLS requirement
> > or an OpenLDAP one?
> > Just asking because what you said makes no sense to me.
> >
> > From my tests, is anything wrong in the output?
> >
> > Thanks.
> >
> > > -----Original Message-----
> > > From: Gustavo Rios [mailto:vieira.rios@gmail.com]
> > > Sent: Mon 1/10/2005 9:17 PM
> > > To: Tay, Gary; openldap-software@openldap.org
> > > Cc:
> > > Subject: Re: ssl and openldap
> > >
> > > Here you have it:
> > >
> > > etosha$ openssl s_client -connect localhost:636 -showcerts -state
> > > -CAfile /var/ca1/crt/ca.crt
> > > CONNECTED(00000004)
> > > SSL_connect:before/connect initialization
> > > SSL_connect:SSLv2/v3 write client hello A
> > > SSL_connect:SSLv3 read server hello A
> > > depth=1 /C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=FESV Certification Authority
> > > Office/emailAddress=gustavo.rios@fesv.br
> > > verify return:1
> > > depth=0 /C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
> > > verify return:1
> > > SSL_connect:SSLv3 read server certificate A
> > > SSL_connect:SSLv3 read server done A
> > > SSL_connect:SSLv3 write client key exchange A
> > > SSL_connect:SSLv3 write change cipher spec A
> > > SSL_connect:SSLv3 write finished A
> > > SSL_connect:SSLv3 flush data
> > > SSL_connect:SSLv3 read finished A
> > > ---
> > > Certificate chain
> > > 0 s:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
> > > i:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=FESV Certification Authority
> > > Office/emailAddress=gustavo.rios@fesv.br
> > > -----BEGIN CERTIFICATE-----
> > > -----END CERTIFICATE-----
> > > 1 s:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=FESV Certification Authority
> > > Office/emailAddress=gustavo.rios@fesv.br
> > > i:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=FESV Certification Authority
> > > Office/emailAddress=gustavo.rios@fesv.br
> > > -----BEGIN CERTIFICATE-----
> > > -----END CERTIFICATE-----
> > > ---
> > > Server certificate
> > > subject=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
> > > issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
> > > Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
> > > Vit\xF3ria/CN=FESV Certification Authority
> > > Office/emailAddress=gustavo.rios@fesv.br
> > > ---
> > > No client certificate CA names sent
> > > ---
> > > SSL handshake has read 3161 bytes and written 468 bytes
> > > ---
> > > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > > Server public key is 2048 bit
> > > SSL-Session:
> > > Protocol : TLSv1
> > > Cipher : AES256-SHA
> > > Session-ID: 99E32706AF5C998DDB52BB9CF2FD3EFB722D49ABA1E43B8C6DC46BC2A85DB181
> > > Session-ID-ctx:
> > > Master-Key:
> > > A2DF39188D95621A9E844FAD5DD77E7920199D9468A7E583FB2A447F0F7A0C893F5F59C5765B92C35F941A6CAF700847
> > > Key-Arg : None
> > > Start Time: 1105362778
> > > Timeout : 300 (sec)
> > > Verify return code: 0 (ok)
> > > ---
> > > ^C
> > > etosha$ ldapsearch -x -H ldaps://etosha.fesv.br
> > > ldap_bind: Can't contact LDAP server (-1)
> > > additional info: error:0D0890A1:asn1 encoding
> > > routines:ASN1_verify:unknown message digest algorithm
> > > etosha$
> > >
> > > Any suggestion?
> > >
> > > On Mon, 10 Jan 2005 09:58:28 +0800, Tay, Gary <Gary_Tay@platts.com> wrote:
> > > > Have you read this URL and done some local checks?
> > > >
> > > > http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
> > > >
> > > > 6.1 SSL Connection Check
> > > > To check the SSL connection, try this command:
> > > >
> > > > % openssl s_client -connect localhost:636 -showcerts -state -CAfile <ca cert>
> > > >
> > > > (Note: Replace <ca cert> with the name of your CA cert file)
> > > >
> > > > For the above command, post any error seen to the OpenLDAP mailing list.
> > > >
> > > > Gary
> > > >
> > > > -----Original Message-----
> > > > From: owner-openldap-software@OpenLDAP.org
> > > > [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Gustavo Rios
> > > > Sent: Monday, January 10, 2005 4:01 AM
> > > > To: openldap-software@OpenLDAP.org
> > > > Subject: ssl and openldap
> > > >
> > > > Hey list,
> > > >
> > > > Since my last posts I have made progress with the Netscape browser (it's OK
> > > > now). Anyhow, let's forget about Apache and this matter and keep
> > > > focused on SSL and OpenLDAP.
> > > >
> > > > After having redone my CA configuration I tried again to get SSL working
> > > > for OpenLDAP, but no success so far.
> > > >
> > > > Starting OpenLDAP (slapd -d 7) I had the following:
> > > >
> > > > ...
> > > > ...
> > > > TLS trace: SSL_accept:SSLv3 flush data
> > > > tls_read: want=5, got=5
> > > > 0000: 15 03 01 00 02 .....
> > > > tls_read: want=2, got=2
> > > > 0000: 02 33 .3
> > > > TLS trace: SSL3 alert read:fatal:decrypt error
> > > > TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> > > > TLS: can't accept.
> > > > TLS: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt
> > > > error /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
> > > > connection_read(12): TLS accept error error=-1 id=1, closing
> > > > connection_closing: readying conn=1 sd=12 for close
> > > > connection_close: conn=1 sd=12
> > > >
> > > > The program I used to try connecting was ldapsearch; its output was:
> > > >
> > > > etosha$ ldapsearch -ZZ -x
> > > > ldap_start_tls: Connect error (-11)
> > > > additional info: error:0D0890A1:asn1 encoding
> > > > routines:ASN1_verify:unknown message digest algorithm
> > > > etosha$
> > > >
> > > > Does anybody have any idea about what is going on?
> > > >
> > > > My slapd.conf is:
> > > >
> > > > TLSCACertificateFile /var/ca1/crt/ca.crt
> > > > TLSCertificateFile /var/ca1/crt/ldap.crt
> > > > TLSCertificateKeyFile /var/ca1/pvt/ldap.key
> > > > TLSVerifyClient never
> > > >
> > > > My ldap.conf is:
> > > > TLS_CACERT /var/ca1/crt/ca.crt
> > > >
> > > > Thanks a lot for your time and cooperation.
> > > >
> > > > Best regards.
> > > >
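The "ASN1_verify:unknown message digest algorithm" error means libldap could not find the digest named in the certificate's signatureAlgorithm field, and my reading of the first bytes of the server certificate shown by s_client is that it is signed with OID 1.2.840.113549.1.1.3 (md4WithRSAEncryption), a digest that SSL_library_init() as used by OpenLDAP does not register, although the openssl command, which loads all digests at start-up, verifies it fine. The example below is my own code, not from the thread: it extracts that OID from any DER certificate, with sample_cert() building constructed DER rather than the thread's certificate.

```python
# Added example, not the thread's code; sample_cert() builds constructed DER for testing.
SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption", "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
            "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def der(tag, body):                             # one DER TLV with a definite length
    n = len(body)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                        # base 128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def read_tlv(buf, pos=0):                       # -> (tag, value, offset just past this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                # long form: the next n & 0x7F bytes hold the length
        size = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + n], pos + n

def signature_algorithm(cert_der):
    """Name (or dotted OID) of tbsCertificate.signature, RFC 3280 section 4.1.2.3."""
    _, tbs, _ = read_tlv(read_tlv(cert_der)[1])  # Certificate SEQUENCE -> tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs)                 # [0] EXPLICIT version, optional
    if tag != 0xA0:
        pos = 0                                 # v1 certificate: serialNumber comes first
    _, _, pos = read_tlv(tbs, pos)              # serialNumber
    _, algid, _ = read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, oid, _ = read_tlv(algid)
    return SIG_OIDS.get(decode_oid(oid), decode_oid(oid))

def sample_cert(sig_oid):                       # constructed v3 header only: version, serial 3, signature
    algid = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    return der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x03") + algid))
```

To check a real file, pass the DER bytes to signature_algorithm(); for a PEM file, base64-decode the text between the BEGIN/END lines first.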