
Re: TLS problem



Hello,

Hm, using Debian etch 64b - maybe a 64b story? For now, I just cannot
manage to make it work - errors have changed, but still no way to
connect to the server -.-.

I'll post the new config and its error messages tomorrow.

Thank you to those who tried to help me.

Regards,

C.

On Wed, Jul 7, 2010 at 9:40 PM, Bryan Boone <v_1bboon@yahoo.com> wrote:
> Hi Cedric.  I have the same problems.  I am using Opensuse 11.2 64-bit
> edition.  Other people have the same problem.  I think this must be a bug in
> opensuse anyway.  I wonder if you are experiencing the same issue.  I
> switched over to SLES 10 and I don't have any problems.
>
> ________________________________
> From: Cedric Jeanneret <cedric.jeanneret@camptocamp.com>
> To: openldap-technical@openldap.org
> Sent: Wed, July 7, 2010 3:17:27 AM
> Subject: TLS problem
>
> Hello,
>
> I'm trying to configure an openldap with TLS so that all connections are
> encrypted.
>
> Here's the relevant part of my slapd.conf:
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv3
> TLSVerifyClient never
> TLSCertificateFile /etc/ldap/ssl/server.crt
> TLSCertificateKeyFile /etc/ldap/ssl/server.key
>
> Here's my ldap.conf:
>
> URI ldaps://my.server.ltd
> BASE dc=my,dc=server,dc=ltd
> LDAP_VERSION 3
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> ssl start_tls
> ssl on
> TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
>
>
> While starting slapd with:
> slapd -h 'ldaps:///' -g openldap -u openldap  -d 16383
>
> and trying to connect to it with:
> ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w "foo.bar"
> -S cn -h my.server.ltd -p 636 cn
>
> I have these logs:
> [slapd]
>
> daemon: activity on 1 descriptor
>>>> slap_listener(ldaps:///)daemon: listen=7, new connection on 11
> ldap_pvt_gethostbyname_a: host=my, r=0
> daemon: added 11r (active) listener=(nil)
> conn=0 fd=11 ACCEPT from IP=xx.yy.zz.aa:38806 (IP=0.0.0.0:636)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: activity on: 11r
> daemon: read activity on 11
> connection_get(11)
> connection_get(11): got connid=0
> connection_read(11): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
>   0000:  30 3e 02 01 01 63 39 04  00 0a 01                  0>...c9....
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> s23_srvr.c:562
> connection_read(11): TLS accept failure error=-1 id=0, closing
> connection_closing: readying conn=0 sd=11 for close
> connection_close: conn=0 sd=11
> daemon: removing 11
> conn=0 fd=11 closed (TLS negotiation failure)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: waked
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
> [ldapsearch]
>
> ldap_create
> ldap_url_parse_ext(ldap://my.server.ltd:636)
> ldap_pvt_sasl_getmech
> ldap_search
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ldap_build_search_req ATTRS: supportedSASLMechanisms
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP my.server.ltd:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying xx.yy.zz.aa:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_dump: buf=0xb92b6d68 ptr=0xb92b6d68 end=0xb92b6da8 len=64
>   0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02  0>...c9.........
>   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74  ..........object
>   0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74  class0...support
>   0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73  edSASLMechanisms
> ber_scanf fmt ({) ber:
> ber_dump: buf=0xb92b6d68 ptr=0xb92b6d6d end=0xb92b6da8 len=59
>   0000:  63 39 04 00 0a 01 00 0a  01 00 02 01 00 02 01 00  c9..............
>   0010:  01 01 00 87 0b 6f 62 6a  65 63 74 63 6c 61 73 73  .....objectclass
>   0020:  30 19 04 17 73 75 70 70  6f 72 74 65 64 53 41 53  0...supportedSAS
>   0030:  4c 4d 65 63 68 61 6e 69  73 6d 73                  LMechanisms
> ber_flush2: 64 bytes to sd 3
>   0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02  0>...c9.........
>   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74  ..........object
>   0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74  class0...support
>   0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73  edSASLMechanisms
> ldap_write: want=64, written=64
>   0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02  0>...c9.........
>   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74  ..........object
>   0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74  class0...support
>   0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73  edSASLMechanisms
> ldap_result ld 0xb92ae158 msgid 1
> wait4msg ld 0xb92ae158 msgid 1 (infinite timeout)
> wait4msg continue ld 0xb92ae158 msgid 1 all 1
> ** ld 0xb92ae158 Connections:
> * host: my.server.ltd  port: 636  (default)
>   refcnt: 2  status: Connected
>   last used: Wed Jul  7 12:11:03 2010
>
>
> ** ld 0xb92ae158 Outstanding Requests:
> * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>   ld 0xb92ae158 request count 1 (abandoned 0)
> ** ld 0xb92ae158 Response Queue:
>   Empty
>   ld 0xb92ae158 response count 0
> ldap_chkResponseList ld 0xb92ae158 msgid 1 all 1
> ldap_chkResponseList returns ld 0xb92ae158 NULL
> ldap_int_select
> read1msg: ld 0xb92ae158 msgid 1 all 1
> ber_get_next
> ldap_read: want=8, got=0
>
> ber_get_next failed.
> ldap_err2string
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> I really don't know what to do. My certificates are correct I guess, as
> we're using them in apache for https... For information, they are
> self-signed.
>
> Any help would be great.
>
> Thank you!
>
> Best regards,
>
> C.
>
>
> --
> Cédric Jeanneret                |  System Administrator
> 021 619 10 32                    |  Camptocamp SA
> cedric.jeanneret@camptocamp.com  |  PSE-A / EPFL
>
>
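The two traces in the quoted post line up byte for byte: slapd's `tls_read: want=11, got=11` dump on the ldaps listener shows `30 3e 02 01 01 63 39 04 00 0a 01`, which is the start of the 64 bytes `ldap_write` sent from the client, and the client's own trace shows it parsed the target as `ldap://my.server.ltd:636`. The bytes are a BER-encoded LDAPMessage (SEQUENCE, messageID 1, SearchRequest tag 0x63) arriving where OpenSSL expects a TLS ClientHello, which is exactly the condition behind `SSL23_GET_CLIENT_HELLO:unknown protocol`. The script below is an added example written for this thread; it is not code from the original post, from OpenLDAP or from OpenSSL. It reproduces that first-bytes decision and parses the hex-dump lines in OpenLDAP's trace format so the check can be run directly on a `-d` log. The dump-line regex is an assumption derived from the lines quoted above; the protocol-op tags come from RFC 4511.

```python
"""Classify the first bytes arriving on a TLS listener.

Added example for this thread, not code from the original post or from
OpenLDAP/OpenSSL. It reproduces the decision OpenSSL's SSLv23 server code
makes before it reports "unknown protocol": is the peer's first record a
TLS or SSLv2 hello, or something else, here a cleartext BER-encoded
LDAPMessage as seen in the slapd tls_read trace.
"""
import re

# LDAP protocol-op tags (APPLICATION class, RFC 4511) a client may send first.
LDAP_OPS = {
    0x60: "BindRequest",
    0x63: "SearchRequest",
    0x77: "ExtendedRequest",  # StartTLS travels as an ExtendedRequest
}

# A run of two-digit hex pairs separated by one space (two between the
# 8-byte halves), as printed by OpenLDAP's ber_dump/tls_read traces.
# Assumed from the trace lines in the thread, not from OpenLDAP's source.
HEX_RUN = re.compile(r"((?:[0-9a-f]{2}(?: {1,2}|$))+)")


def ber_header(data, pos):
    """Return (tag, length, value_offset) of the BER TLV at data[pos],
    or None if there is no well-formed header there."""
    if pos + 2 > len(data):
        return None
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80 == 0:           # short-form length
        return tag, first, pos
    n = first & 0x7F                # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(data):
        return None
    return tag, int.from_bytes(data[pos:pos + n], "big"), pos + n


def classify_first_bytes(data):
    """Say what the first bytes of a connection look like."""
    if len(data) < 3:
        return "too short to classify"
    if data[0] == 0x16 and data[1] == 0x03:       # TLS record, handshake type
        return "TLS ClientHello (record version 3.%d)" % data[2]
    if data[0] & 0x80 and data[2] == 0x01:        # SSLv2 length + CLIENT-HELLO
        return "SSLv2-compatible ClientHello"
    if data[0] == 0x30:  # LDAPMessage ::= SEQUENCE { messageID, protocolOp, ... }
        seq = ber_header(data, 0)
        mid = ber_header(data, seq[2]) if seq else None
        if mid and mid[0] == 0x02:                # messageID INTEGER
            _, mlen, mpos = mid
            msg_id = int.from_bytes(data[mpos:mpos + mlen], "big")
            op = ber_header(data, mpos + mlen)
            if op:
                name = LDAP_OPS.get(op[0], "op tag 0x%02x" % op[0])
                return "cleartext LDAP %s (messageID %d)" % (name, msg_id)
    return "unknown (starts with %s)" % data[:3].hex()


def parse_dump_line(line):
    """Extract the bytes from one OpenLDAP hex-dump trace line, e.g.
    '  0000:  30 3e 02 01 01 63 39 04  00 0a 01                  0>...c9....'"""
    _offset, _, rest = line.partition(":")
    m = HEX_RUN.match(rest.lstrip())
    if not m:
        return b""
    # Cap at 16 bytes: a full line always has exactly 16, so this stops the
    # ASCII column (e.g. "ab cd...") from being read as extra hex pairs.
    pairs = m.group(1).split()[:16]
    return bytes(int(p, 16) for p in pairs)


def classify_trace(lines):
    """Join the dump lines of one read/write and classify the result."""
    return classify_first_bytes(b"".join(parse_dump_line(l) for l in lines))


# The 11 bytes slapd's tls_read reported on the ldaps listener (copied from
# the trace in the post, quote marker removed) and a constructed TLS 1.0
# ClientHello record header for comparison.
SLAPD_TLS_READ = ["  0000:  30 3e 02 01 01 63 39 04  00 0a 01                  0>...c9...."]
CONSTRUCTED_HELLO = ["  0000:  16 03 01 00 c5 01 00 00  c1 03 01                  ..........."]

if __name__ == "__main__":
    print("slapd received:", classify_trace(SLAPD_TLS_READ))
    print("a TLS client would send:", classify_trace(CONSTRUCTED_HELLO))
```

Run against the quoted trace it reports "cleartext LDAP SearchRequest (messageID 1)", which is the `supportedSASLMechanisms` query ldapsearch issues before a SASL bind. Two checks follow from that: an `ldaps://` listener speaks TLS from the first byte, while `-Z` (StartTLS) begins with cleartext LDAP and upgrades with an ExtendedRequest, so the two belong on different ports (636 for ldaps, 389 for StartTLS) and `-h host -p 636` without `-H ldaps://` produces the plain `ldap://` URL seen in the client trace. Separately, the TLS settings OpenLDAP's client library reads from ldap.conf are the `TLS_*` keywords documented in ldap.conf(5); `ssl on` and `ssl start_tls` are directives of PADL's nss_ldap/pam_ldap, which libldap does not interpret.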