
Re: Solaris 10 native Client with TLS to OpenLDAP



John Gee wrote:
On Sun, Oct 12, 2008 at 02:56:38PM +0200, Dieter Kluenter wrote:
[...]
Did you sign the server certificates with this ca-cert? And how did you
create the CA and the server certificates?
I personally use the CA.pl tools from openssl, this is by no means the
best way to do it, but the simplest. If you follow this path, you may
have to edit openssl.cnf to meet your requirements. Then you just do
./CA.pl -newca, which creates a self-signed CA
./CA.pl -newreq, this creates a host or user certificate request
./CA.pl -sign, which signs the request
openssl rsa -in newreq.pem -out foo-key.pem, this removes the password
from the requested certificate and creates a key file.
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem

The CA cert and ldap01 certs were created with openssl. When verifying with openssl, all seems to be OK:

	# openssl s_client -connect ldap01.kleinfeld.ch:636 -CAfile /var/ldap/ca.pem -showcerts
	...
	---
	New, TLSv1/SSLv3, Cipher is AES256-SHA
	Server public key is 2048 bit
	SSL-Session:
	    Protocol  : TLSv1
	    Cipher    : AES256-SHA
	    Session-ID: E276B6ABD9349FDFD7EA22CCB491D3E9FE423BA1D45B0C18D4019422EF1FF607
	    Session-ID-ctx:
	    Master-Key: 758F1B898907CDA46E70E37D306517C60E21864E4119846C05597DA19572B1FDF9A4E6D1299848A2E769CA002DA76D93
	    Key-Arg   : None
	    Start Time: 1223891247
	    Timeout   : 300 (sec)
	    Verify return code: 0 (ok)
	---

Slapd - Debug Output:
	connection_get(11): got connid=9
	connection_read(11): checking for input on id=9
	TLS trace: SSL_accept:SSLv3 read client key exchange A
	TLS trace: SSL_accept:SSLv3 read finished A
	TLS trace: SSL_accept:SSLv3 write change cipher spec A
	TLS trace: SSL_accept:SSLv3 write finished A
	TLS trace: SSL_accept:SSLv3 flush data
	connection_read(11): unable to get TLS client DN, error=49 id=9

When connecting with ldapsearch (openldap), the connection is established and
continues after the TLS client error:

	connection_read(11): checking for input on id=0
	TLS trace: SSL_accept:before/accept initialization
	TLS trace: SSL_accept:SSLv3 read client hello A
	TLS trace: SSL_accept:SSLv3 write server hello A
	TLS trace: SSL_accept:SSLv3 write certificate A
	TLS trace: SSL_accept:SSLv3 write server done A
	TLS trace: SSL_accept:SSLv3 flush data
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	connection_get(11): got connid=0
	connection_read(11): checking for input on id=0
	TLS trace: SSL_accept:SSLv3 read client key exchange A
	TLS trace: SSL_accept:SSLv3 read finished A
	TLS trace: SSL_accept:SSLv3 write change cipher spec A
	TLS trace: SSL_accept:SSLv3 write finished A
	TLS trace: SSL_accept:SSLv3 flush data
	connection_read(11): unable to get TLS client DN, error=49 id=0
	connection_get(11): got connid=0
	connection_read(11): checking for input on id=0

(To remember: slapd.conf has TLSVerifyClient never)

When doing the same search with ldapsearch (SUNWlldap package), it seems to be
forced into TLS client verification.
	connection_get(11): got connid=3
	connection_read(11): checking for input on id=3
	TLS trace: SSL_accept:before/accept initialization
	TLS trace: SSL_accept:SSLv3 read client hello A
	TLS trace: SSL_accept:SSLv3 write server hello A
	TLS trace: SSL_accept:SSLv3 write certificate A
	TLS trace: SSL_accept:SSLv3 write server done A
	TLS trace: SSL_accept:SSLv3 flush data
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	TLS trace: SSL_accept:error in SSLv3 read client certificate A
	connection_get(11): got connid=3
	connection_read(11): checking for input on id=3
	TLS trace: SSL3 alert read:fatal:bad certificate
	TLS trace: SSL_accept:failed in SSLv3 read client certificate A
	TLS: can't accept.
	TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
	connection_read(11): TLS accept failure error=-1 id=3, closing
	connection_closing: readying conn=3 sd=11 for close
	connection_close: conn=3 sd=11

I will try it later today with a new CA, but I think the problem must be in
ldapclient (SUNWlldap) or inside certutil.

Use the debug flag on ldapsearch as well. It's obvious from the slapd logs that the problem is in the client, so you won't get any more help from the slapd debug output.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
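The CA.pl steps quoted above and the s_client chain check John ran, as an added example that is not part of the thread: the same three steps (self-signed CA, server request, CA signature) done with plain openssl commands, followed by the two checks a TLS client performs before it accepts a server certificate, namely that the certificate chains to the configured CA and that its name matches the host. The hostname ldap01.example.test, the file names and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway CA and an
# LDAP server certificate with plain openssl (the steps CA.pl -newca,
# -newreq and -sign wrap), then runs the client-side acceptance checks.
# Assumptions: the hostname and the scratch directory are made up.
set -eu

HOST="ldap01.example.test"        # assumed; the thread's host is ldap01.kleinfeld.ch
WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keys and certs

# Self-signed CA with an explicit CA:TRUE basicConstraints, so the chain
# check below does not depend on whatever openssl.cnf the system ships.
# Usage: make_ca <name> <common name>  ->  $WORK/<name>.pem, $WORK/<name>-key.pem
make_ca() {
    cat > "$WORK/$1.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/$1.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=$2" \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Server key + request (CA.pl -newreq) and CA signature (CA.pl -sign).
# -nodes leaves the key unencrypted, so the separate "openssl rsa" step
# the thread uses to strip the passphrase is not needed.
# Usage: make_server_cert <ca-name> <hostname>  ->  $WORK/ldap01-cert.pem, ldap01-key.pem
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/ldap01-key.pem" -out "$WORK/ldap01.csr" >/dev/null 2>&1
    # A subjectAltName matters: a client that matches the hostname against
    # SAN rather than CN rejects a CN-only certificate.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$WORK/ext.cnf"
    openssl x509 -req -sha256 -days 825 -in "$WORK/ldap01.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1-key.pem" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/ldap01-cert.pem" >/dev/null 2>&1
}

# Chain check: returns 0 only if <cert> chains to <ca-file>. This is what
# CA.pl -verify and s_client's "Verify return code: 0 (ok)" report.
# Usage: verify_chain <ca-file> <cert>
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain plus hostname check, i.e. the full client-side acceptance test.
# Usage: verify_host <ca-file> <cert> <hostname>
verify_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run: the right CA must accept the certificate, an unrelated CA
# must reject it (that rejection is what a client turns into a fatal
# "bad certificate" alert).
make_ca ca "Test LDAP CA"
make_server_cert ca "$HOST"
make_ca other-ca "Unrelated CA"

if verify_host "$WORK/ca.pem" "$WORK/ldap01-cert.pem" "$HOST"; then
    echo "ldap01-cert.pem chains to ca.pem and matches $HOST"
fi
if ! verify_chain "$WORK/other-ca.pem" "$WORK/ldap01-cert.pem"; then
    echo "ldap01-cert.pem does not chain to other-ca.pem: a client configured with it would reject the server"
fi
```

Reading the slapd trace with this in mind: an alert that slapd logs as `SSL3 alert read:fatal:bad certificate` was received from the peer, so it is the Solaris client that rejected the server certificate, which matches Howard's point that the client side needs debugging. The `unable to get TLS client DN, error=49` lines are only slapd noting that no client certificate was presented, which is expected with `TLSVerifyClient never`; the OpenLDAP ldapsearch session in the thread continues normally after them.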