[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL

To: "Howard Chu" <hyc@symas.com>
Subject: Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Tue, 19 Jun 2007 20:27:26 +0100
Cc: openldap-software@openldap.org
References: <07a801c7b206$aa2b49a0$0801a8c0@home> <46772841.1@symas.com>

Now I see my error. I used a wrong option value pair. LDAP_OPT_X_TLS_ALLOW belongs to the LDAP_OPT_X_TLS_REQUIRE_CERT option and not as I understood LDAP_OPT_X_TLS is generic for all TLS options.

Thank you Markus ----- Original Message ----- From: "Howard Chu" <hyc@symas.com> To: "Markus Moeller" <huaraz@moeller.plus.com> Cc: <openldap-software@openldap.org> Sent: Tuesday, June 19, 2007 1:50 AM Subject: Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL

Markus Moeller wrote:
Howard,
I use OpenSuse 10.2 with  libldap-2.3.so.0.2.15 and if  I have an empty
~/.ldaprc file ldap_start_tls_s comes back with error -11 Connect error
LDAP_OPT_X_TLS is not the same as LDAP_OPT_X_TLS_REQUIRE_CERT.
By default, certificate checking is enforced, and you must supply a valid CA cert, just like it says in the manpages and the Admin Guide.
ldap_int_select read1msg: ld 0x8054608 msgid 1 all 1 read1msg: ld 0x8054608 msgid 1 message type extended-result read1msg: ld 0x8054608 0 new referrals read1msg: mark request completed, ld 0x8054608 msgid 1 request done: ld 0x8054608 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_err2string Error while setting start_tls for ldap server: Connect error(-11) ldap_free_connection 1 1 ldap_send_unbind
When I add  tls_reqcert allow to ~/.ldaprc I get
ldap_int_select read1msg: ld 0x8054608 msgid 1 all 1 read1msg: ld 0x8054608 msgid 1 message type extended-result read1msg: ld 0x8054608 0 new referrals read1msg: mark request completed, ld 0x8054608 msgid 1 request done: ld 0x8054608 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to get local issuer certificate TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, certificate not trusted TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to verify the first certificate TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A TLS trace: SSL3 alert write:warning:bad certificate TLS: unable to get peer certificate. Successfully set up TLS protected connection to ldap server w2k3.windows2003.home:389

So, this setting definitely does something !!
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

References:
- Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
  - From: "Markus Moeller" <huaraz@moeller.plus.com>
- Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: Backend meta as a module errors
Next by Date: Re: Backend meta as a module errors
Index(es):
- Chronological
- Thread