TLS Connection Failure
Hi all,
I'm trying to establish a TLS connection with my newly configured OpenLDAP
server, but every time I get the TLS Connection Failure error.
I have the following configuration in slapd.conf:
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never
The CA and certs were created in accordance with this tutorial:
http://www.openldap.org/faq/data/cache/185.html
server error (with loglevel -1):
connection_get(29)
Jun 10 10:51:30 firma slapd[6203]: connection_get(29): got connid=190
Jun 10 10:51:30 firma slapd[6203]: connection_read(29): checking for input on id=190
Jun 10 10:51:30 firma slapd[6203]: connection_read(29): TLS accept failure error=-1 id=190, closing
Jun 10 10:51:30 firma slapd[6203]: connection_closing: readying conn=190 sd=29 for close
Jun 10 10:51:30 firma slapd[6203]: connection_close: conn=190 sd=29
Jun 10 10:51:30 firma slapd[6203]: daemon: removing 29
Jun 10 10:51:30 firma slapd[6203]: conn=190 fd=29 closed (TLS negotiation failure)
the client error:
# ldapsearch -d -1 -H ldap://192.168.2.49 -D 'cn=Manager,dc=melog,dc=com' -W -ZZ
ldap_create
ldap_url_parse_ext(ldap://192.168.2.49)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.2.49:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.2.49:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x978a418 ptr=0x978a418 end=0x978a437 len=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x978a418 ptr=0x978a41d end=0x978a437 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 0x9782218 msgid 1
ldap_chkResponseList ld 0x9782218 msgid 1 all 1
ldap_chkResponseList returns ld 0x9782218 NULL
wait4msg ld 0x9782218 msgid 1 (infinite timeout)
wait4msg continue ld 0x9782218 msgid 1 all 1
** ld 0x9782218 Connections:
* host: 192.168.2.49 port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jun 10 10:50:24 2010
** ld 0x9782218 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x9782218 Response Queue:
Empty
ldap_chkResponseList ld 0x9782218 msgid 1 all 1
ldap_chkResponseList returns ld 0x9782218 NULL
ldap_int_select
read1msg: ld 0x9782218 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 84 00 00 00 10 02 01 0.......
ldap_read: want=14, got=14
0000: 01 78 84 00 00 00 07 0a 01 00 04 00 04 00 .x............
ber_get_next: tag 0x30 len 16 contents:
ber_dump: buf=0x978b550 ptr=0x978b550 end=0x978b560 len=16
0000: 02 01 01 78 84 00 00 00 07 0a 01 00 04 00 04 00 ...x............
read1msg: ld 0x9782218 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
0000: 78 84 00 00 00 07 0a 01 00 04 00 04 00 x............
read1msg: ld 0x9782218 0 new referrals
read1msg: mark request completed, ld 0x9782218 msgid 1
request done: ld 0x9782218 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
0000: 78 84 00 00 00 07 0a 01 00 04 00 04 00 x............
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
0000: 78 84 00 00 00 07 0a 01 00 04 00 04 00 x............
ber_scanf fmt (}) ber:
ber_dump: buf=0x978b550 ptr=0x978b560 end=0x978b560 len=0
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=142, written=142
0000: 80 8c 01 03 01 00 63 00 00 00 20 00 00 39 00 00 ......c... ..9..
0010: 38 00 00 35 00 00 88 00 00 87 00 00 84 00 00 16 8..5............
0020: 00 00 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 ...........3..2.
0030: 00 2f 00 00 45 00 00 44 00 00 41 00 00 07 05 00 ./..E..D..A.....
0040: 80 03 00 80 00 00 05 00 00 04 01 00 80 00 00 15 ................
0050: 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 ........@.......
0060: 00 08 00 00 06 04 00 80 00 00 03 02 00 80 9b 34 ...............4
0070: a3 18 95 67 ad a3 47 d0 89 9b 85 3f e2 e5 7a 44 ...g..G....?..zD
0080: e5 72 f1 07 82 06 51 45 f2 17 d9 a2 47 51 .r....QE....GQ
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
The client is configured with:
TLS_CACERT /etc/openldap/cacert.pem
and the cacert is the same as on the server.
I'm using Gentoo with openldap 2.4.19-r1 and openssl 0.9.8n.
I've been working on this for a long time and currently I have no idea why it
is not working...
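The server log above only says "TLS accept failure error=-1" and the client trace stops right after the client hello, so the handshake itself gives nothing to go on. The first thing to rule out is that the three files named in slapd.conf disagree with each other. The script below is an added example for that purpose; it is not from the original post and does not come from the OpenLDAP project. It assumes openssl is on PATH, RSA keys (the modulus comparison is RSA-only) and PEM files; every file name, subject and config section in it is constructed for the demo, and it builds its own throwaway CA and certificates so it runs without touching a real server.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the three files
# that slapd.conf points at (TLSCACertificateFile, TLSCertificateFile,
# TLSCertificateKeyFile) before suspecting the handshake itself.
# Assumptions: openssl on PATH, RSA keys (the modulus comparison is
# RSA-only), PEM files. Every path and name below is constructed for the demo.

# check_tls_material CA CERT KEY
# Returns 0 when CERT chains to CA and KEY is the private key for CERT.
check_tls_material() {
    ca="$1"; cert="$2"; key="$3"

    # 1. The server certificate must verify against the CA file that slapd
    #    (TLSCACertificateFile) and the client (TLS_CACERT) both point at.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 1
    fi

    # 2. The private key must belong to the certificate: identical RSA modulus.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    fi

    # 3. Warning only: a key readable by group/others is a risk, and a key
    #    the slapd user cannot read shows up in the server log as nothing
    #    more specific than 'TLS accept failure'.
    case "$(ls -ld "$key")" in
        -??????---*) ;;
        *) echo "WARN: $key is readable by group or others" >&2 ;;
    esac
    echo "OK: $cert chains to $ca and matches $key"
}

# make_fixture DIR: build a throwaway CA, a server certificate signed by it,
# a stray key and an unrelated CA, so the checks have something to reject.
# A private config file is used so the demo does not depend on the system openssl.cnf.
make_fixture() {
    dir="$1"; cfg="$1/demo.cnf"
    mkdir -p "$dir" || return 1
    cat >"$cfg" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF
    for ca in ca other-ca; do
        openssl req -x509 -config "$cfg" -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo $ca" -keyout "$dir/$ca.key" -out "$dir/$ca.pem" \
            >/dev/null 2>&1 || return 1
    done
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=ldap.example.test" -keyout "$dir/server.key" \
        -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$cfg" \
        -extensions v3_server -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$dir/stray.key" 2048 >/dev/null 2>&1 || return 1
}

WORK="${TMPDIR:-/tmp}/slapd-tls-check.$$"
make_fixture "$WORK" || { echo "could not build demo certificates" >&2; exit 1; }

# Expected: the first call passes, the other two fail for different reasons.
check_tls_material "$WORK/ca.pem" "$WORK/server.crt" "$WORK/server.key"
check_tls_material "$WORK/ca.pem" "$WORK/server.crt" "$WORK/stray.key"
check_tls_material "$WORK/other-ca.pem" "$WORK/server.crt" "$WORK/server.key"
```

On a real server, call check_tls_material with the three paths from slapd.conf and run it as the user slapd drops privileges to, so that the readability of the key file is tested with the right identity. The v3_server section also shows what a server certificate should carry (CA:FALSE, serverAuth and a subjectAltName matching the name the client connects to), which the hand-made FAQ procedure may not add.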