
SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read



Hello everybody,

I'm just trying to set up an LDAPS server using my own
certification authority, but the ldap server does not
accept/understand my client certificate. Instead, the server
says:

   TLS: can't accept: The peer did not send any certificate..


What I did:

1.) I set up LDAP without SSL/TLS to make sure that it is
configured properly. This worked out fine so far, I can
use ldapsearch, ldapadd, phpldapadmin ...

2.) I created a self signed certificate for my RootCA, used
it to sign my ServerCA and used the ServerCA to sign the
certificates for my ldap server and client.

The certificates of RootCA and ServerCA have been concatenated
into one file <name of ca>.chain.crt

3.) Changed ldap.conf and slapd.conf as described below

4.) Tried to do an ldapsearch on the client -> failed

5.) Tried openssl client -> success


Here are the details:

Client:
=======

# ldapsearch -x -LLL -ZZ -d 1

ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <serverip>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <serverip>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)


Server:
========

# slapd -VV
  @(#) $OpenLDAP: slapd 2.4.9 (Aug  1 2008 01:09:46) $
        buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd


# slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127

...
...
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
tls_read: want=5, got=5
  0000:  16 03 02 00 07                                     .....
tls_read: want=7, got=7
  0000:  0b 00 00 03 00 00 00                               .......
TLS: can't accept: The peer did not send any certificate..
connection_read(13): TLS accept failure error=-1 id=32, closing
connection_closing: readying conn=32 sd=13 for close
connection_close: conn=32 sd=13
daemon: removing 13


But if I use openssl s_client, I get a different result:

Client:
=======

openssl s_client -showcerts -connect <serverfqdn>:636 \
        -CAfile cacerts/<ca>.chain.crt -cert certs/<clientfqdn>.cert.pem \
        -key private/<clientfqdn>.key.pem

CONNECTED(00000003)
depth=2 /C=...
verify return:1
depth=1 /C=...
verify return:1
depth=0 /C=...
verify return:1
---
Certificate chain
 0 s:/C=...
   i:/C=...
-----BEGIN CERTIFICATE-----
<Certificate data>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=...
issuer=/C=...
---
Acceptable client certificate CA names
/C=...
/C=...
---
SSL handshake has read 1806 bytes and written 4358 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: F63D4DB4A918CC3BC8F8617AD49F6C6EFCB316203466EC91DBCF0C2E3700DE1E
    Session-ID-ctx:
    Master-Key: <master key>
    Key-Arg   : None
    Start Time: 1219848938
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---



And on the server side, everything seems to be OK. There is no error and the last lines
of output are:

=> ldap_dn2bv(16)
<= ldap_dn2bv(cn=<cn of client>,ou=<ou>,o=<o>,st=<st>,c=<c>)=0
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero




ldap.conf (partially)
---------------------

uri ldaps://132.176.4.6/
ssl yes
tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
tls_ciphers TLSv1
tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem


slapd.conf (partially)
---------------------

TLSCACertificateFile /usr/lib/ssl/certs/<ca>.chain.crt
TLSCertificateFile /usr/lib/ssl/openldap/<serverfqdn>.cert.pem
TLSCertificateKeyFile /usr/lib/ssl/openldap/private/<serverfqdn>.key.pem
TLSVerifyClient demand


What did I do wrong?

Best regards,

Hauke Coltzau

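As an added illustration (not code from the original post, nor from OpenLDAP or GnuTLS), the following Python decodes the two TLS records that slapd logged just before the error. The first five bytes are a TLS record header (content type 0x16 = Handshake, version 3.2 = TLS 1.1, length 7); the seven bytes that follow are a Certificate handshake message (type 0x0b, length 3) whose certificate_list length is zero. In other words, the client answered the server's CertificateRequest with an empty Certificate message instead of sending the client certificate. The SLAPD_DUMP bytes are transcribed from the hex dump in the post; the contrasting non-empty message and its 3-byte stand-in "certificates" are constructed here to show what a populated message parses to.

```python
"""Decode the TLS records slapd -d 127 logged right before
"TLS: can't accept: The peer did not send any certificate".

Added illustration, not code from the original post or from OpenLDAP.
SLAPD_DUMP is transcribed from the post's hex dump; everything marked
"constructed" is made up here to show the non-empty case.
"""

import struct

CONTENT_TYPE = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPE = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}


def parse_record_header(hdr):
    """TLS record header (RFC 4346 6.2.1): type(1) version(2) length(2)."""
    if len(hdr) != 5:
        raise ValueError("record header must be exactly 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", hdr)
    return {"content_type": CONTENT_TYPE.get(ctype, ctype),
            "version": (major, minor), "length": length}


def parse_handshake(body):
    """Handshake header: msg_type(1) length(3), followed by the body."""
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    msg_type = body[0]
    msg_len = int.from_bytes(body[1:4], "big")
    payload = body[4:4 + msg_len]
    if len(payload) != msg_len:
        raise ValueError("truncated handshake body")
    return HANDSHAKE_TYPE.get(msg_type, msg_type), payload


def parse_certificate_list(payload):
    """Certificate body: certificate_list length(3), then (len(3), DER) entries.
    Returns the list of DER blobs; an empty list means the peer sent a
    Certificate message with nothing in it."""
    if len(payload) < 3:
        raise ValueError("truncated certificate_list length")
    total = int.from_bytes(payload[:3], "big")
    data = payload[3:3 + total]
    if len(data) != total:
        raise ValueError("truncated certificate_list")
    certs, pos = [], 0
    while pos < total:
        clen = int.from_bytes(data[pos:pos + 3], "big")
        pos += 3
        cert = data[pos:pos + clen]
        if len(cert) != clen:
            raise ValueError("truncated certificate entry")
        certs.append(cert)
        pos += clen
    return certs


def decode_certificate_record(record):
    """Full decode of one record that must carry a Certificate handshake message."""
    hdr = parse_record_header(record[:5])
    if hdr["content_type"] != "Handshake":
        raise ValueError("not a Handshake record: %r" % hdr["content_type"])
    body = record[5:5 + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated record body")
    msg_type, payload = parse_handshake(body)
    if msg_type != "Certificate":
        raise ValueError("not a Certificate message: %r" % msg_type)
    return {"version": hdr["version"], "handshake": msg_type,
            "certificates": parse_certificate_list(payload)}


def build_certificate_record(certs, version=(3, 2)):
    """Inverse of decode_certificate_record; used to construct a contrasting sample."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    payload = len(entries).to_bytes(3, "big") + entries
    handshake = bytes([11]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BBBH", 22, version[0], version[1], len(handshake)) + handshake


# Transcribed from the post's slapd dump (the two tls_read calls):
#   16 03 02 00 07          record: Handshake, version 3.2 (TLS 1.1), length 7
#   0b 00 00 03 00 00 00    Certificate message, length 3, certificate_list length 0
SLAPD_DUMP = bytes.fromhex("1603020007" "0b000003000000")

# Constructed contrast: two fake 3-byte "DER" blobs standing in for real certificates.
CONSTRUCTED_CERTS = [b"\x30\x82\x01", b"\x30\x82\x02"]
CONSTRUCTED_RECORD = build_certificate_record(CONSTRUCTED_CERTS)

if __name__ == "__main__":
    for name, rec in (("slapd dump", SLAPD_DUMP), ("constructed", CONSTRUCTED_RECORD)):
        d = decode_certificate_record(rec)
        print("%-11s TLS %d.%d %s, %d certificate(s)" % (
            name, d["version"][0], d["version"][1], d["handshake"], len(d["certificates"])))
```

Running the file prints one line per sample; for the transcribed dump it reports zero certificates, which is the condition the server-side message describes. The same decoder can be pointed at the handshake bytes of a packet capture to confirm, independently of the client's own debug output, whether a client certificate actually went on the wire.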