
TLS Connection Failure



Hi all,
I'm trying to establish a TLS connection with my newly configured OpenLDAP server, but every time I get the TLS Connection Failure error.

I have the following configuration in slapd.conf:
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercrt.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never

The CA and certs were created in accordance with this tutorial:
http://www.openldap.org/faq/data/cache/185.html

server error (with loglevel -1):
connection_get(29)
Jun 10 10:51:30 firma slapd[6203]: connection_get(29): got connid=190
Jun 10 10:51:30 firma slapd[6203]: connection_read(29): checking for input on id=190
Jun 10 10:51:30 firma slapd[6203]: connection_read(29): TLS accept failure error=-1 id=190, closing
Jun 10 10:51:30 firma slapd[6203]: connection_closing: readying conn=190 sd=29 for close
Jun 10 10:51:30 firma slapd[6203]: connection_close: conn=190 sd=29
Jun 10 10:51:30 firma slapd[6203]: daemon: removing 29
Jun 10 10:51:30 firma slapd[6203]: conn=190 fd=29 closed (TLS negotiation failure)


the client error:
# ldapsearch -d -1 -H ldap://192.168.2.49 -D 'cn=Manager,dc=melog,dc=com' -W -ZZ
ldap_create
ldap_url_parse_ext(ldap://192.168.2.49)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.2.49:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.2.49:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x978a418 ptr=0x978a418 end=0x978a437 len=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x978a418 ptr=0x978a41d end=0x978a437 len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
ber_flush: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0x9782218 msgid 1
ldap_chkResponseList ld 0x9782218 msgid 1 all 1
ldap_chkResponseList returns ld 0x9782218 NULL
wait4msg ld 0x9782218 msgid 1 (infinite timeout)
wait4msg continue ld 0x9782218 msgid 1 all 1
** ld 0x9782218 Connections:
* host: 192.168.2.49  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jun 10 10:50:24 2010

** ld 0x9782218 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x9782218 Response Queue:
   Empty
ldap_chkResponseList ld 0x9782218 msgid 1 all 1
ldap_chkResponseList returns ld 0x9782218 NULL
ldap_int_select
read1msg: ld 0x9782218 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 84 00 00 00 10 02 01                            0.......
ldap_read: want=14, got=14
  0000:  01 78 84 00 00 00 07 0a  01 00 04 00 04 00         .x............
ber_get_next: tag 0x30 len 16 contents:
ber_dump: buf=0x978b550 ptr=0x978b550 end=0x978b560 len=16
  0000:  02 01 01 78 84 00 00 00  07 0a 01 00 04 00 04 00   ...x............
read1msg: ld 0x9782218 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000:  78 84 00 00 00 07 0a 01  00 04 00 04 00            x............
read1msg: ld 0x9782218 0 new referrals
read1msg:  mark request completed, ld 0x9782218 msgid 1
request done: ld 0x9782218 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000:  78 84 00 00 00 07 0a 01  00 04 00 04 00            x............
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x978b550 ptr=0x978b553 end=0x978b560 len=13
  0000:  78 84 00 00 00 07 0a 01  00 04 00 04 00            x............
ber_scanf fmt (}) ber:
ber_dump: buf=0x978b550 ptr=0x978b560 end=0x978b560 len=0

ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=142, written=142
  0000:  80 8c 01 03 01 00 63 00  00 00 20 00 00 39 00 00   ......c... ..9..
  0010:  38 00 00 35 00 00 88 00  00 87 00 00 84 00 00 16   8..5............
  0020:  00 00 13 00 00 0a 07 00  c0 00 00 33 00 00 32 00   ...........3..2.
  0030:  00 2f 00 00 45 00 00 44  00 00 41 00 00 07 05 00   ./..E..D..A.....
  0040:  80 03 00 80 00 00 05 00  00 04 01 00 80 00 00 15   ................
  0050:  00 00 12 00 00 09 06 00  40 00 00 14 00 00 11 00   ........@.......
  0060:  00 08 00 00 06 04 00 80  00 00 03 02 00 80 9b 34   ...............4
  0070:  a3 18 95 67 ad a3 47 d0  89 9b 85 3f e2 e5 7a 44   ...g..G....?..zD
  0080:  e5 72 f1 07 82 06 51 45  f2 17 d9 a2 47 51         .r....QE....GQ
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0

TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)

client is configured:
TLS_CACERT /etc/openldap/cacert.pem

and cacert is the same as on the server.
I'm using Gentoo with openldap 2.4.19-r1 and openssl 0.9.8n

I've been working on it for a long time and currently I have no idea why it doesn't work...
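A server certificate that chains to the configured CA and a private key that belongs to that certificate are prerequisites for slapd's TLS accept to succeed. As an added example (not part of the original post, and not a diagnosis of this particular case), here is a POSIX shell check over the three files named by TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile, using the openssl CLI; the file paths and the throw-away demo PKI are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Returns 0 when the certificate verifies against the CA file and the
# private key's public half matches the certificate's public key.
check_slapd_tls_files() {
    ca="$1"; crt="$2"; key="$3"
    # 1. Does the server certificate chain to the CA slapd is configured with?
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "servercrt does not verify against cacert" >&2; return 1; }
    # 2. Does the private key belong to this certificate? Compare the
    #    SubjectPublicKeyInfo extracted from each (hashed for a short compare).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$crt_pub" = "$key_pub" ] || {
        echo "serverkey does not match servercrt" >&2; return 1; }
    return 0
}

# Constructed demo PKI (assumption, not the poster's files): a self-signed CA,
# a server cert it signs, and an unrelated key to show the mismatch case.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" \
        -out "$d/cacert.pem" -subj "/CN=Demo CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/serverkey.pem" \
        -out "$d/server.csr" -subj "/CN=ldap.example.test" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/servercrt.pem" \
        -days 1 2>/dev/null
    openssl genrsa -out "$d/wrongkey.pem" 2048 2>/dev/null
    echo "$d"
}

# Stand-alone run: the first check passes, the second reports a key mismatch.
if [ "${0##*/}" != "sh" ] && [ -z "$SLAPD_TLS_CHECK_NO_MAIN" ]; then
    demo=$(make_demo_pki)
    check_slapd_tls_files "$demo/cacert.pem" "$demo/servercrt.pem" "$demo/serverkey.pem" \
        && echo "matching set: OK"
    check_slapd_tls_files "$demo/cacert.pem" "$demo/servercrt.pem" "$demo/wrongkey.pem" \
        || echo "mismatched key: detected"
    rm -rf "$demo"
fi
```

Against a real deployment, run check_slapd_tls_files with the paths from slapd.conf as the slapd user, which also surfaces file-permission problems that a root shell would hide.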