[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS Connection Failure

To: openldap-technical@openldap.org
Subject: TLS Connection Failure
From: Radomir Klacza <rklacza@melog.com>
Date: Thu, 10 Jun 2010 11:07:31 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100515 Icedove/3.0.4

Hi all,

I'm trying to establish TLS connection with my newly configured OpenLDAPserver, but all the time I get the TLS Connection Failure error.


I have the following configuration in slapd.conf:
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never

The CA and certs where creating with accordance to this tutorial:
http://www.openldap.org/faq/data/cache/185.html

server error (with loglevel -1):
connection_get(29)
Jun 10 10:51:30 firma slapd[6203]: connection_get(29): got connid=190

Jun 10 10:51:30 firma slapd[6203]: connection_read(29): checking forinput on id=190Jun 10 10:51:30 firma slapd[6203]: connection_read(29): TLS acceptfailure error=-1 id=190, closingJun 10 10:51:30 firma slapd[6203]: connection_closing: readying conn=190sd=29 for close

Jun 10 10:51:30 firma slapd[6203]: connection_close: conn=190 sd=29
Jun 10 10:51:30 firma slapd[6203]: daemon: removing 29

Jun 10 10:51:30 firma slapd[6203]: conn=190 fd=29 closed (TLSnegotiation failure)



the client error:

# ldapsearch -d -1 -H ldap://192.168.2.49 -D'cn=Manager,dc=melog,dc=com' -W -ZZ

ldap_create
ldap_url_parse_ext(ldap://192.168.2.49)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.2.49:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.2.49:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x978a418 ptr=0x978a418 end=0x978a437 len=31

0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 310....w...1.3.6.10010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37.4.1.1466.20037

ber_scanf fmt ({) ber:
ber_dump: buf=0x978a418 ptr=0x978a41d end=0x978a437 len=26

0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2ew...1.3.6.1.4.1.

  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
ber_flush: 31 bytes to sd 3

0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 310....w...1.3.6.10010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37.4.1.1466.20037

ldap_write: want=31, written=31

0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 310....w...1.3.6.10010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37.4.1.1466.20037

ldap_result ld 0x9782218 msgid 1
ldap_chkResponseList ld 0x9782218 msgid 1 all 1
ldap_chkResponseList returns ld 0x9782218 NULL
wait4msg ld 0x9782218 msgid 1 (infinite timeout)
wait4msg continue ld 0x9782218 msgid 1 all 1
** ld 0x9782218 Connections:
* host: 192.168.2.49  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jun 10 10:50:24 2010

** ld 0x9782218 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x9782218 Response Queue:
   Empty
ldap_chkResponseList ld 0x9782218 msgid 1 all 1
ldap_chkResponseList returns ld 0x9782218 NULL
ldap_int_select
read1msg: ld 0x9782218 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 84 00 00 00 10 02 01                            0.......
ldap_read: want=14, got=14
  0000:  01 78 84 00 00 00 07 0a  01 00 04 00 04 00         .x............
ber_get_next: tag 0x30 len 16 contents:
ber_dump: buf=0x978b550 ptr=0x978b550 end=0x978b560 len=16

0000: 02 01 01 78 84 00 00 00 07 0a 01 00 04 00 04 00...x............

read1msg: ld 0x9782218 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000:  78 84 00 00 00 07 0a 01  00 04 00 04 00            x............
read1msg: ld 0x9782218 0 new referrals
read1msg:  mark request completed, ld 0x9782218 msgid 1
request done: ld 0x9782218 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000:  78 84 00 00 00 07 0a 01  00 04 00 04 00            x............
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000:  78 84 00 00 00 07 0a 01  00 04 00 04 00            x............
ber_scanf fmt (}) ber:
ber_dump: buf=0x978b550 ptr=0x978b560 end=0x978b560 len=0

ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=142, written=142

0000: 80 8c 01 03 01 00 63 00 00 00 20 00 00 39 00 00 ......c.....9..0010: 38 00 00 35 00 00 88 00 00 87 00 00 84 00 00 168..5............0020: 00 00 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00...........3..2.0030: 00 2f 00 00 45 00 00 44 00 00 41 00 00 07 05 00./..E..D..A.....0040: 80 03 00 80 00 00 05 00 00 04 01 00 80 00 00 15................0050: 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00........@.......0060: 00 08 00 00 06 04 00 80 00 00 03 02 00 80 9b 34...............40070: a3 18 95 67 ad a3 47 d0 89 9b 85 3f e2 e5 7a 44...g..G....?..zD

  0080:  e5 72 f1 07 82 06 51 45  f2 17 d9 a2 47 51         .r....QE....GQ
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0

TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)

client is configured:
TLS_CACERT /etc/openldap/cacert.pem

and cacert is the same like on the server.
I'm using gentoo with openldap  2.4.19-r1 and openssl 0.9.8n

I'm working on it for long time and currently I have no idea why it doesnot working...

Follow-Ups:
- Re: TLS Connection Failure
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Communicate from php/apache to openLDAP over LDAPS
Next by Date: Re: help SSL on Openldap and java
Index(es):
- Chronological
- Thread