
OpenLDAP Client + IBM Directory Server + TLS



Hi,

 has anyone ever managed to set up a TLS connection between an OpenLDAP
client and an IBM LDAP Server (more specifically, ITDS 6.1, linux
platform)?

I can submit queries in the standard way, but using TLS seems to be a
bit of a problem.

I have the server certificate specified as TLS_CACERT in my client
config since it's self-signed.

The query result goes like this:

------
klausk@klausk:~/sandbox/Kerberos_work$ ldapsearch -D cn=root -W -H
ldap://fqdn -s sub -x -ZZ -d 9 objectclass=*
ldap_url_parse_ext(ldap://fqdn)
ldap_create
ldap_url_parse_ext(ldap://fqdn:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fqdn:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2.2.2.222:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x8059240 msgid 1
wait4msg ld 0x8059240 msgid 1 (infinite timeout)
wait4msg continue ld 0x8059240 msgid 1 all 1
** ld 0x8059240 Connections:
* host: fqdn  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Aug 28 13:43:57 2008


** ld 0x8059240 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x8059240 request count 1 (abandoned 0)
** ld 0x8059240 Response Queue:
   Empty
  ld 0x8059240 response count 0
ldap_chkResponseList ld 0x8059240 msgid 1 all 1
ldap_chkResponseList returns ld 0x8059240 NULL
ldap_int_select
read1msg: ld 0x8059240 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x8059240 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x8059240 0 new referrals
read1msg:  mark request completed, ld 0x8059240 msgid 1
request done: ld 0x8059240 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: can't connect: Decryption has failed..
ldap_err2string
ldap_start_tls: Connect error (-11)
klausk@klausk:~/sandbox/Kerberos_work$ 
------

Note: the server is configured to accept TLS in the standard port (389),
after a START_TLS extended LDAP operation. It works fine using the IBM
Client.

After sniffing the packets I could see that the OpenLDAP Client sends a
"Client Hello" message advertising TLS 1.1 support (0x0302), whereas the
IBM Client asks for TLS 1.0 (0x0301).

In both cases the server replies with a TLS 1.0 "Server Hello" message,
with the certificate and TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher
Suite. The following client messages are TLS 1.0, indicating that
OpenLDAP correctly fell back to that version.

But with the OpenLDAP Client, after Change Cipher Spec and Encrypted
Handshake, the server sends an "Encrypted Alert" message and the
connection is dropped, with the output above.

I'm using a certificate generated using GSKIT in the server box, and
exported the .PEM key, which OpenSSL appears to recognize fine.

Is there anything more I can do to debug this error? I'm particularly
interested in further debugging the TLS connection. Maybe there is an
environment variable that will enable debugging output from OpenSSL?

Any pointers are helpful.

Thanks,

 -Klaus K.
-- 
Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center
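
An added example, not code from the poster, OpenLDAP or IBM: a small Python probe that performs the StartTLS exchange by hand (the same 31-byte ExtendedRequest the trace shows being flushed) and then starts TLS on the socket with a caller-chosen maximum protocol version, so the TLS 1.1 versus TLS 1.0 ClientHello difference noted in the post can be tested on its own, separately from the certificate setup. The host, port and CA file are arguments the caller supplies; the responses produced by build_extended_response() are constructed test data, not captured IBM traffic; and running the probe at TLS 1.0 assumes the local OpenSSL still permits it, which current builds may not (RFC 8996 deprecates TLS 1.0 and 1.1, so that cap is a diagnostic setting only).

```python
"""LDAP StartTLS probe: hand-rolled BER for the StartTLS extended operation, a parser
for the ExtendedResponse, and a TLS upgrade capped at a chosen version (RFC 4511)."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    With msgid 1 this is 31 bytes, the size 'ber_flush2: 31 bytes' reports in the trace."""
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid]))
                   + ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID)))


def build_extended_response(msgid, result_code, diag=b"", name=STARTTLS_OID):
    """Constructed ExtendedResponse [APPLICATION 24] (test data, not captured traffic)."""
    body = ber_tlv(0x0A, bytes([result_code])) + ber_tlv(0x04, b"") + ber_tlv(0x04, diag)
    if name is not None:
        body += ber_tlv(0x8A, name)               # responseName [10]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + ber_tlv(0x78, body))


def parse_extended_response(data):
    """Decode an ExtendedResponse into a dict; ValueError on any other message."""
    tag, msg, _ = ber_read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = ber_read_tlv(msg)                # messageID
    tag, body, _ = ber_read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = ber_read_tlv(body)                # resultCode (ENUMERATED)
    _, matched, pos = ber_read_tlv(body, pos)      # matchedDN
    _, diag, pos = ber_read_tlv(body, pos)         # diagnosticMessage
    name = None
    if pos < len(body):                            # optional responseName [10]
        tag, val, pos = ber_read_tlv(body, pos)
        name = val.decode() if tag == 0x8A else None
    return {"msgid": int.from_bytes(mid, "big"), "result_code": int.from_bytes(rc, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(), "response_name": name}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_ldap_message(sock):
    """Read exactly one LDAPMessage; the outer SEQUENCE length frames it."""
    head = recv_exact(sock, 2)
    if head[1] >= 0x80:
        head += recv_exact(sock, head[1] & 0x7F)
    length = head[1] if head[1] < 0x80 else int.from_bytes(head[2:], "big")
    return head + recv_exact(sock, length)


def starttls_upgrade(host, cafile, max_version=ssl.TLSVersion.TLSv1_2, port=389):
    """Clear-text connect, StartTLS, then TLS on the same socket capped at max_version;
    returns the negotiated protocol. Assumes the local OpenSSL still permits TLS 1.0."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_starttls_request())
        resp = parse_extended_response(recv_ldap_message(sock))
        if resp["result_code"] != 0:
            raise RuntimeError("StartTLS refused: %(result_code)d %(diagnostic)s" % resp)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)   # self-signed server cert, like TLS_CACERT
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # RFC 8996 deprecates 1.0/1.1: test use only
        ctx.maximum_version = max_version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")      # OpenSSL 1.1.0+ (required by Python 3.10+)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Call starttls_upgrade(fqdn, "server.pem") and then starttls_upgrade(fqdn, "server.pem", ssl.TLSVersion.TLSv1). If only the second call completes, the failure tracks the ClientHello version rather than the certificate; if both fail, look at the certificate or cipher configuration instead. The probe gives no handshake-level trace of its own, so pair it with the packet capture the post already describes.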