
Re: TLS Configuration - "unable to get TLS client DN, error=49"



I might be wrong but I think there is a certain problem with
Debian/*buntu for LDAPS clients...
Sambuddho
On Fri, 2008-08-01 at 16:14 -0400, Brad T Waldorf wrote:
> Hi.  We're trying to configure a basic SSL (TLS) connection through
> OpenLDAP version 2.4.6.  We're using Linux, Debian Version 4.0 ('etch')
> INTEL.
> 
> 
> The pertinent info...
> 
> 
> slapd.conf
> 
> include		/usr/local/etc/openldap/schema/core.schema
> include		/usr/local/etc/openldap/schema/cosine.schema
> include		/usr/local/etc/openldap/schema/inetorgperson.schema
> 
> pidfile	/usr/local/var/run/slapd.pid
> argsfile	/usr/local/var/run/slapd.args
> 
> loglevel -1
> logfile /usr/local/var/openldap-data/logb
> 
> 
> TLSCACertificateFile           /home/bwaldorf/certs/1024pcert.pem
> TLSCertificateFile             /home/bwaldorf/certs/1024pcert.pem
> TLSCertificateKeyFile          /home/bwaldorf/certs/1024pkey.pem
> TLSCipherSuite                 DES-CBC-SHA
> TLSVerifyClient                never
> 
> 
> #TLSRandFile
> #TLSEphemeralDHParamFile
> 
> 
> 
> #######################################################################
> # BDB database definitions
> #######################################################################
> 
> database    bdb
> suffix		"o=replDB"
> rootdn      "cn=replman,o=replDB"
> rootpw            password
> timelimit      1
> idletimeout    4
> 
> access to attrs=userPassword
>       by self write
>       by anonymous auth
>       by * none
> 
> access to *
>       by self write
>       by * read
> 
> directory	/usr/local/var/openldap-data
> 
> index sn,mail,uid,title eq
> 
> 
> 
> 
> 
> 
> 
> ldap.conf
> 
> TLS_CACERT     /home/bwaldorf/certs/1024pcert.pem
> TLS_CERT       /home/bwaldorf/certs/1024pcert.pem
> TLS_KEY        /home/bwaldorf/certs/1024pkey.pem
> 
> 
> 
> 
> 
> 
> 
> 
> So we try the following search (-ZZ to force the command to be
> successful)...
> 
> ldapsearch -x -D "cn=replman,o=replDB" -w password -b "o=replDB1" -ZZ
> 
> 
> 
> 
> 
> 
> And we get the following output (below) with -d -1... (sorry for the
> excessive messages).
> 
> Looks like the problem is...
> "connection_read(13): unable to get TLS client DN, error=49 id=5"
> 
> I did some googling for this error, but never found a thread with a
> cause/solution.
> 
> Thanks in advance for your time and help!
> 
> 
> 
> 
> 
> daemon: activity on 1 descriptor
> daemon: activity on:
> slap_listener_activate(8):
> daemon: epoll: listen=7 active_threads=0 tvp=NULL
> daemon: epoll: listen=8 busy
> >>> slap_listener(ldap:///)
> daemon: activity on 1 descriptor
> daemon: listen=8, new connection on 13
> daemon: activity on:daemon: added 13r (active) listener=(nil)
> 
> conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389))
> daemon: epoll: listen=7 active_threads=1 tvp=zero.
> daemon: epoll: listen=8 active_threads=1 tvp=zero.
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read active on 13
> daemon: epoll: listen=7 active_threads=1 tvp=zero.
> connection_get(13)
> daemon: epoll: listen=8 active_threads=1 tvp=zero.
> connection_get(13): got connid=5
> connection_read(13): checking for input on id=5
> ber_get_next
> ldap_read: want=8, got=8
>   0000:  30 1d 02 01 01 77 18 80                            0....w..
> ldap_read: want=23, got=23
>   0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
>   0010:  36 2e 32 30 30 33 37                               6.20037
> ber_get_next: tag 0x30 len 29 contents:
> ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fc8 end=0xa0c11fe5 len=29.
>   0000:  02 01 01 77 18 80 16 31  2e 33 2e 36 2e 31 2e 34   ...w...1.3.6.1.4
>   0010:  2e 31 2e 31 34 36 36 2e  32 30 30 33 37            .1.1466.20037
> ber_get_next
> ldap_read: want=8 error=Resource temporarily unavailable
> conn=5 op=0 do_extended
> ber_scanf fmt ({m) ber:
> ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fcb end=0xa0c11fe5 len=26
>   0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
>   0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
> conn=5 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> do_extended: oid=1.3.6.1.4.1.1466.20037
> daemon: activity on 1 descriptor
> conn=5 op=0 STARTTLS
> daemon: activity on:send_ldap_extended: err=0 oid= len=0
> 
> send_ldap_response: msgid=1 tag=120 err=0
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> ber_flush2: 14 bytes to sd 13
>   0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
> ldap_write: want=14, written=14
>   0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
> conn=5 op=0 RESULT oid= err=0 text=
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read active on 13
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> connection_get(13)
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> connection_get(13): got connid=5
> connection_read(13): checking for input on id=5
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
>   0000:  80 74 01 03 01 00 4b 00  00 00 20                  .t....K.......
> tls_read: want=107, got=107
>   0000:  00 00 39 00 00 38 00 00  35 00 00 16 00 00 13 00   ..9..8..5.......
>   0010:  00 0a 07 00 c0 00 00 33  00 00 32 00 00 2f 03 00   .......3..2../..
>   0020:  80 00 00 05 00 00 04 01  00 80 00 00 15 00 00 12   ................
>   0030:  00 00 09 06 00 40 00 00  14 00 00 11 00 00 08 00   .....@..........
>   0040:  00 06 04 00 80 00 00 03  02 00 80 15 2d dd 5d 9a   ............-.].
>   0050:  f5 29 55 3b 15 f2 e5 47  18 9c 22 f2 7d 07 51 72   .)U;...G..".}.Qr
>   0060:  60 1f 38 61 8d 9a e7 67  2a 5e 9e                  `.8a...g*^..}.
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> tls_write: want=985, written=985
>   0000:  16 03 01 00 4a 02 00 00  46 03 01 48 92 1d e7 69   ....J...F..H...i
>   0010:  f3 a0 ea 95 0f 3b 21 71  a5 b0 11 34 27 91 b8 0b   .....;!q...4'...
>   0020:  d1 25 4f ca d5 56 fd 55  d2 0f 33 20 a7 fe 44 07   .%O..V.U..3 ..D.
>   0030:  8a 33 a1 ec 46 61 01 94  2a 05 9a 59 9e 95 02 ec   .3..Fa..*..Y....
>   0040:  99 82 42 77 1d f6 bf 6e  b4 0f 05 23 00 09 00 16   ..Bw...n...#....
>   0050:  03 01 03 7c 0b 00 03 78  00 03 75 00 03 72 30 82   ...|...x..u..r0.
>   0060:  03 6e 30 82 02 d7 a0 03  02 01 02 02 01 00 30 0d   .n0...........0.
>   0070:  06 09 2a 86 48 86 f7 0d  01 01 04 05 00 30 81 87   ..*.H........0..
>   0080:  31 0b 30 09 06 03 55 04  06 13 02 55 53 31 11 30   1.0...U....US1.0
>   0090:  0f 06 03 55 04 08 13 08  4e 65 77 20 59 6f 72 6b   ...U....New York
>   00a0:  31 15 30 13 06 03 55 04  07 13 0c 50 6f 75 67 68   1.0...U....Pough
>   00b0:  6b 65 65 70 73 69 65 31  0c 30 0a 06 03 55 04 0a   keepsie1.0...U..
>   00c0:  13 03 49 42 4d 31 0c 30  0a 06 03 55 04 0b 13 03   ..IBM1.0...U....
>   00d0:  54 50 46 31 0e 30 0c 06  03 55 04 03 13 05 44 61   TPF1.0...U....Da
>   00e0:  76 69 64 31 22 30 20 06  09 2a 86 48 86 f7 0d 01   vid1"0 ..*.H....
>   00f0:  09 01 16 13 6d 6f 7a 65  73 68 74 61 40 75 73 2e   ....mozeshta@us.
>   0100:  69 62 6d 2e 63 6f 6d 30  1e 17 0d 30 38 30 33 31   ibm.com0...08031
>   0110:  31 30 31 31 36 31 31 5a  17 0d 31 30 31 32 30 37   1011611Z..101207
>   0120:  30 31 31 36 31 31 5a 30  81 87 31 0b 30 09 06 03   011611Z0..1.0...
>   0130:  55 04 06 13 02 55 53 31  11 30 0f 06 03 55 04 08   U....US1.0...U..
>   0140:  13 08 4e 65 77 20 59 6f  72 6b 31 15 30 13 06 03   ..New York1.0...
>   0150:  55 04 07 13 0c 50 6f 75  67 68 6b 65 65 70 73 69   U....Poughkeepsi
>   0160:  65 31 0c 30 0a 06 03 55  04 0a 13 03 49 42 4d 31   e1.0...U....IBM1
>   0170:  0c 30 0a 06 03 55 04 0b  13 03 54 50 46 31 0e 30   .0...U....TPF1.0
>   0180:  0c 06 03 55 04 03 13 05  44 61 76 69 64 31 22 30   ...U....David1"0
>   0190:  20 06 09 2a 86 48 86 f7  0d 01 09 01 16 13 6d 6f    ..*.H........mo
>   01a0:  7a 65 73 68 74 61 40 75  73 2e 69 62 6d 2e 63 6f   zeshta@us.ibm.co
>   01b0:  6d 30 81 9f 30 0d 06 09  2a 86 48 86 f7 0d 01 01   m0..0...*.H.....
>   01c0:  01 05 00 03 81 8d 00 30  81 89 02 81 81 00 ac ee   .......0........
>   01d0:  f9 a7 40 cc 73 af 67 a0  ea 46 08 45 a5 fd 44 71   ..@.s.g..F.E..Dq
>   01e0:  a4 04 3e 51 f7 39 51 82  3d 7e 9b 99 ae 1d c1 22   ..>Q.9Q.=~....."
>   01f0:  67 10 e7 15 d1 a9 65 75  e9 3e 0f 77 64 d1 14 4d   g.....eu.>.wd..M
>   0200:  28 f0 8c ba d3 ed 87 e9  b1 5b 11 c1 3f 11 ed 1a   (........[..?...
>   0210:  96 9a 3f b3 4b f3 db bd  84 41 11 aa ea 37 6d ab   ..?.K....A...7m.
>   0220:  c5 fb a9 bb ab 9d 87 66  b2 31 7a c8 35 06 06 ec   .......f.1z.5...
>   0230:  fb 07 f1 29 f5 f3 fd 29  f4 df 33 bf 40 de 84 6f   ...)...)..3.@..o
>   0240:  9d 66 ea 57 42 ab 0f 13  a0 07 71 d5 e0 6d 02 03   .f.WB.....q..m..
>   0250:  01 00 01 a3 81 e7 30 81  e4 30 1d 06 03 55 1d 0e   ......0..0...U..
>   0260:  04 16 04 14 11 76 af b1  5a bd 99 53 a5 de 02 35   .....v..Z..S...5
>   0270:  06 51 c4 01 74 71 2c c6  30 81 b4 06 03 55 1d 23   .Q..tq,.0....U.#
>   0280:  04 81 ac 30 81 a9 80 14  11 76 af b1 5a bd 99 53   ...0.....v..Z..S
>   0290:  a5 de 02 35 06 51 c4 01  74 71 2c c6 a1 81 8d a4   ...5.Q..tq,.....
>   02a0:  81 8a 30 81 87 31 0b 30  09 06 03 55 04 06 13 02   ..0..1.0...U....
>   02b0:  55 53 31 11 30 0f 06 03  55 04 08 13 08 4e 65 77   US1.0...U....New
>   02c0:  20 59 6f 72 6b 31 15 30  13 06 03 55 04 07 13 0c    York1.0...U....
>   02d0:  50 6f 75 67 68 6b 65 65  70 73 69 65 31 0c 30 0a   Poughkeepsie1.0.
>   02e0:  06 03 55 04 0a 13 03 49  42 4d 31 0c 30 0a 06 03   ..U....IBM1.0...
>   02f0:  55 04 0b 13 03 54 50 46  31 0e 30 0c 06 03 55 04   U....TPF1.0...U.
>   0300:  03 13 05 44 61 76 69 64  31 22 30 20 06 09 2a 86   ...David1"0 ..*.
>   0310:  48 86 f7 0d 01 09 01 16  13 6d 6f 7a 65 73 68 74   H........mozesht
>   0320:  61 40 75 73 2e 69 62 6d  2e 63 6f 6d 82 01 00 30   a@us.ibm.com...0
>   0330:  0c 06 03 55 1d 13 04 05  30 03 01 01 ff 30 0d 06   ...U....0....0..
>   0340:  09 2a 86 48 86 f7 0d 01  01 04 05 00 03 81 81 00   .*.H............
>   0350:  a8 39 22 f9 88 b2 c1 e6  95 5e af 4d ae f6 89 e5   .9"......^.M....
>   0360:  64 82 37 42 f6 5b 00 56  22 d0 c6 b9 5f 70 36 2f   d.7B.[.V"..._p6/
>   0370:  8f 10 bb 5a d1 18 33 2a  37 8a a0 f2 c3 53 21 12   ...Z..3*7....S!.
>   0380:  2c 28 8a 62 a9 e0 b5 5a  70 4c 77 f1 5c 33 d2 a3   ,(.b...ZpLw.\3..
>   0390:  6d 77 e8 6e e8 7e 5b 74  d9 3a 70 24 38 89 ce 11   mw.n.~[t.:p$8...
>   03a0:  4c ec 64 51 f2 be 61 4c  18 09 25 13 48 e2 5b 13   L.dQ..aL..%.H.[.
>   03b0:  d9 fa 8c 0c b7 a2 dd 09  dd e8 da 01 c7 29 2b 9a   .............)+.
>   03c0:  22 51 6f 19 54 e7 02 90  75 0e a9 3a 4b e0 d1 a4   "Qo.T...u..:K...
>   03d0:  16 03 01 00 04 0e 00 00  00                        ...........:
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5 error=Resource temporarily unavailable
> TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
> TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
> daemon: activity on 1 descriptor
> daemon: activity on:
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read active on 13
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> connection_get(13)
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> connection_get(13): got connid=5
> connection_read(13): checking for input on id=5
> tls_read: want=5, got=5
>   0000:  16 03 01 00 86                                     ...........:
> tls_read: want=134, got=134
>   0000:  10 00 00 82 00 80 91 6b  72 70 d5 4e 89 66 4e 5f   .......krp.N.fN_
>   0010:  f2 d6 d6 41 e7 3a 85 1e  8e ce 85 4d 90 ac 4a ec   ...A.:.....M..J.
>   0020:  81 f6 4d 2c 1d 94 85 e8  78 cf c9 68 11 77 b3 4e   ..M,....x..h.w.N
>   0030:  13 97 62 43 e2 e8 12 44  42 46 c6 bc c3 74 c7 ad   ..bC...DBF...t..
>   0040:  f7 46 22 2b ac 8c 8e 59  5d de f4 fd f9 73 3f 76   .F"+...Y]....s?v
>   0050:  1b 58 1f da 5c 95 49 a6  73 ec 75 37 fc 38 fa 53   .X..\.I.s.u7.8.S
>   0060:  6d 3c a9 fd 2a 7d c3 f7  b9 79 e7 3f 8f da df 04   m<..*}...y.?....
>   0070:  cb 06 e2 67 75 3c 57 cf  8e 60 6e e4 27 fa 23 a3   ...gu<W..`n.'.#.
>   0080:  b8 fb c6 5b 14 7e                                  ...[.~
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> tls_read: want=5, got=5
>   0000:  14 03 01 00 01                                     .....
> tls_read: want=1, got=1
>   0000:  01                                                 .....
> tls_read: want=5, got=5
>   0000:  16 03 01 00 28                                     ....(
> tls_read: want=40, got=40
>   0000:  77 34 09 6c 45 e9 f1 f0  a2 e6 cb 2d e4 49 27 42   w4.lE......-.I'B
>   0010:  45 a5 84 74 bb bd 0f 6e  24 70 e1 b0 0f 19 83 4a   E..t...n$p.....J
>   0020:  7a 41 c3 b3 ca fe 80 68                            zA.....h
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> tls_write: want=51, written=51
>   0000:  14 03 01 00 01 01 16 03  01 00 28 97 a6 bb b1 8c   ..........(.....
>   0010:  50 d4 6f 60 2c fb c7 d1  10 a6 a6 37 ff ea 0b e8   P.o`,......7....
>   0020:  60 d0 f1 6b 34 d7 26 7b  a9 c8 c0 45 72 33 7c 67   `..k4.&{...Er3|g
>   0030:  b4 07 93                                           ...
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN, error=49 id=5
> conn=5 fd=13 TLS established tls_ssf=56 ssf=56
> daemon: activity on 1 descriptor
> daemon: activity on:
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read active on 13
> daemon: epoll: listen=7 active_threads=1 tvp=zero
> connection_get(13)
> daemon: epoll: listen=8 active_threads=1 tvp=zero
> connection_get(13): got connid=5
> connection_read(13): checking for input on id=5
> ber_get_next
> tls_read: want=5, got=0
> 
> ldap_read: want=8, got=0
> 
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=5, closing.
> connection_closing: readying conn=5 sd=13 for close
> connection_close: conn=5 sd=13
> daemon: removing 13
> daemon: activity on 1 descriptor
> tls_write: want=29, written=29
>   0000:  15 03 01 00 18 73 41 45  4f f9 51 03 05 e6 66 c2   .....sAEO.Q...f.
>   0010:  f5 65 d2 a9 ab 03 aa 8d  d1 79 ef 18 8c            .e.......y....
> TLS trace: SSL3 alert write:warning:close notify
> conn=5 fd=13 closed (connection lost)
> daemon: activity on:
> daemon: epoll: listen=7 active_threads=0 tvp=NULL
> daemon: epoll: listen=8 active_threads=0 tvp=NULL
>
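Added worked example (not code from this thread, and not OpenLDAP's own): the Python below decodes the two LDAPMessages that appear as hex in the quoted trace, the client's StartTLS ExtendedRequest and slapd's ExtendedResponse, with a minimal BER parser, and then reads the connection-level trace lines to classify the TLS events of conn=5. It relies on two facts: LDAP resultCode 49 is invalidCredentials, and libldap's ldap_pvt_tls_get_peer_dn() returns that code when the TLS session carries no client certificate, which is the normal state under "TLSVerifyClient never" because slapd then never asks the client for one. The triage_trace function, its min_ssf threshold and the wording of its findings are assumptions of this example, not anything slapd itself emits.

```python
"""Decode the StartTLS exchange and triage the TLS events in the quoted slapd trace.

Added example, not code from this thread or from OpenLDAP. The byte strings and
log lines are copied from the quoted trace; the triage rules are a constructed
illustration of how to read them.
"""
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# LDAP resultCode 49 (invalidCredentials). libldap's ldap_pvt_tls_get_peer_dn()
# returns it when the TLS session carries no client certificate at all.
LDAP_INVALID_CREDENTIALS = 49

# The two LDAPMessages from the quoted trace: StartTLS ExtendedRequest and ExtendedResponse.
STARTTLS_REQUEST = bytes.fromhex(
    "30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37")
STARTTLS_RESPONSE = bytes.fromhex("30 0c 02 01 01 78 07 0a 01 00 04 00 04 00")


def ber_tlv(buf, pos=0):
    """Parse one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form definite length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(buf):
    """Decode an LDAPMessage holding an ExtendedRequest (0x77) or ExtendedResponse (0x78)."""
    tag, body, end = ber_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    id_tag, msgid, pos = ber_tlv(body)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, _ = ber_tlv(body, pos)
    msg = {"messageID": int.from_bytes(msgid, "big", signed=True)}
    if op_tag == 0x77:
        # ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID, ... }
        name_tag, name, _ = ber_tlv(op)
        if name_tag != 0x80:
            raise ValueError("requestName [0] missing")
        msg.update(op="ExtendedRequest", requestName=name.decode("ascii"))
    elif op_tag == 0x78:
        # ExtendedResponse ::= [APPLICATION 24] SEQUENCE { COMPONENTS OF LDAPResult, ... }
        rc_tag, rc, pos = ber_tlv(op)
        _, matched, pos = ber_tlv(op, pos)
        _, diag, _ = ber_tlv(op, pos)
        if rc_tag != 0x0A:
            raise ValueError("resultCode must be an ENUMERATED")
        msg.update(op="ExtendedResponse", resultCode=int.from_bytes(rc, "big"),
                   matchedDN=matched.decode("utf-8"), diagnosticMessage=diag.decode("utf-8"))
    else:
        msg.update(op="other", tag=op_tag)
    return msg


# Connection-level lines of the quoted trace, in their original order.
TRACE = """\
conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389)
conn=5 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=5 op=0 STARTTLS
conn=5 op=0 RESULT oid= err=0 text=
connection_read(13): unable to get TLS client DN, error=49 id=5
conn=5 fd=13 TLS established tls_ssf=56 ssf=56
conn=5 fd=13 closed (connection lost)
""".splitlines()


def triage_trace(lines, verify_client="never", min_ssf=128):
    """Summarise one connection's TLS events. verify_client is the slapd.conf
    TLSVerifyClient value in force; min_ssf is the weakest acceptable strength (assumed)."""
    report = {"starttls_result": None, "client_dn_error": None, "tls_ssf": None,
              "ops_after_tls": 0, "findings": []}
    tls_up = False
    for line in lines:
        if tls_up:  # after the handshake, count what the client actually sends
            report["ops_after_tls"] += bool(re.search(r"conn=\d+ op=\d+ ", line))
            continue
        if m := re.search(r"RESULT oid= err=(\d+)", line):
            report["starttls_result"] = int(m.group(1))
        elif m := re.search(r"unable to get TLS client DN, error=(\d+)", line):
            report["client_dn_error"] = int(m.group(1))
        elif m := re.search(r"TLS established tls_ssf=(\d+)", line):
            report["tls_ssf"] = int(m.group(1))
            tls_up = True
    f = report["findings"]
    if report["client_dn_error"] == LDAP_INVALID_CREDENTIALS and verify_client == "never":
        f.append("error=49 is informational: slapd never asked for a client certificate")
    if report["starttls_result"] == 0 and tls_up:
        f.append("StartTLS and the handshake succeeded; the TLS setup is not the failure")
    if report["tls_ssf"] is not None and report["tls_ssf"] < min_ssf:
        f.append(f"tls_ssf={report['tls_ssf']} is below {min_ssf}: the cipher suite is too weak")
    if tls_up and report["ops_after_tls"] == 0:
        f.append("client closed without sending an operation; check the client's own TLS checks")
    return report
```

Run against the quoted lines, triage_trace reports that StartTLS succeeded, that error=49 is expected under "TLSVerifyClient never", that tls_ssf=56 (what DES-CBC-SHA yields) is far below a modern floor and the TLSCipherSuite value deserves replacing, and that the client tore the connection down right after the handshake without ever sending a bind or search. That last point is the useful one for the original question: slapd has nothing more to say, so the next debugging step is the client's side (ldapsearch's own -d -1 output and the TLS_REQCERT setting in ldap.conf), not the server configuration.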