[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS problem

To: Cédric Jeanneret <cedric.jeanneret@camptocamp.com>, Bryan Boone <v_1bboon@yahoo.com>, openldap-technical@openldap.org
Subject: Re: TLS problem
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Wed, 07 Jul 2010 13:27:52 -0700
Content-disposition: inline
In-reply-to: <AANLkTinCklosPfo54VQhET9Ac588e2hsabGDgqLiw1Np@mail.gmail.com>
References: <20100707121727.3f645208@saya.wrk.lsn.camptocamp.com> <289078.38179.qm@web65501.mail.ac4.yahoo.com> <AANLkTinCklosPfo54VQhET9Ac588e2hsabGDgqLiw1Np@mail.gmail.com>

--On Wednesday, July 07, 2010 10:08 PM +0200 Cédric Jeanneret<cedric.jeanneret@camptocamp.com> wrote:

Hello,

Hm, using debian etch 64b - maybe a 64b story ? For now, I just cannot
manage to make it work - errors have changed, but still no way to
connect to the server -.-.

I'll post tomorrow the new config and its error messages.

Thank you for those who tried to help me.

Debian uses GnuTLS instead of OpenSSL to build OpenLDAP. GnuTLS has anumber of interesting behaviors. I advise building your own OpenLDAP withOpenSSL instead.

Regards,

C.

On Wed, Jul 7, 2010 at 9:40 PM, Bryan Boone <v_1bboon@yahoo.com> wrote:

Hi Cedric.  I have the same problems.  I am using Opensuse 11.2 64-bit
edition.  Other people have the same problem.  I think this must be a
bug in opensuse anyway.  I wonder if you are experiencing the same
issue.  I switched over to SLES 10 and I don't have any problems.

________________________________
From: Cedric Jeanneret <cedric.jeanneret@camptocamp.com>
To: openldap-technical@openldap.org
Sent: Wed, July 7, 2010 3:17:27 AM
Subject: TLS problem

Hello,

I'm trying to configure an openldap with TLS so that all connections are
encrypted.

Here's the revelent part of my slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSVerifyClient never
TLSCertificateFile /etc/ldap/ssl/server.crt
TLSCertificateKeyFile /etc/ldap/ssl/server.key

Here's my ldap.conf:

URI ldaps://my.server.ltd
BASE dc=my,dc=server,dc=ltd
LDAP_VERSION 3

# SIZELIMIT      12
# TIMELIMIT      15
# DEREF          never
ssl start_tls
ssl on
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3

While starting slapd with:
slapd -h 'ldaps:///' -g openldap -u openldap  -d 16383

and trying to connect to it with:
ldapsearch -Z -d 16383 -LLL -b cn=admin,dc=my,dc=server,dc=ltd -w
"foo.bar" -S cn -h my.server.ltd -p 636 cn

I have these logs :
[slapd]

daemon: activity on 1 descriptor

slap_listener(ldaps:///)daemon: listen=7, new connection on 11

ldap_pvt_gethostbyname_a: host=my, r=0
daemon: added 11r (active) listener=(nil)
conn=0 fd=11 ACCEPT from IP=xx.yy.zz.aa:38806 (IP=0.0.0.0:636)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read activity on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  30 3e 02 01 01 63 39 04  00 0a 01                 
0>...c9.... TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
s23_srvr.c:562
connection_read(11): TLS accept failure error=-1 id=0, closing
connection_closing: readying conn=0 sd=11 for close
connection_close: conn=0 sd=11
daemon: removing 11
conn=0 fd=11 closed (TLS negotiation failure)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

[ldapsearch]

ldap_create
ldap_url_parse_ext(ldap://my.server.ltd:636)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my.server.ltd:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying xx.yy.zz.aa:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0xb92b6d68 ptr=0xb92b6d68 end=0xb92b6da8 len=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02 
0>...c9.........   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65
63 74  ..........object   0020:  63 6c 61 73 73 30 19 04  17 73 75
70 70 6f 72 74  class0...support   0030:  65 64 53 41 53 4c 4d 65 
63 68 61 6e 69 73 6d 73  edSASLMechanisms ber_scanf fmt ({) ber:
ber_dump: buf=0xb92b6d68 ptr=0xb92b6d6d end=0xb92b6da8 len=59
  0000:  63 39 04 00 0a 01 00 0a  01 00 02 01 00 02 01 00 
c9..............   0010:  01 01 00 87 0b 6f 62 6a  65 63 74 63 6c 61
73 73  .....objectclass   0020:  30 19 04 17 73 75 70 70  6f 72 74
65 64 53 41 53  0...supportedSAS   0030:  4c 4d 65 63 68 61 6e 69 
73 6d 73                  LMechanisms ber_flush2: 64 bytes to
sd 3
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02 
0>...c9.........   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65
63 74  ..........object   0020:  63 6c 61 73 73 30 19 04  17 73 75
70 70 6f 72 74  class0...support   0030:  65 64 53 41 53 4c 4d 65 
63 68 61 6e 69 73 6d 73  edSASLMechanisms ldap_write: want=64,
written=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02 
0>...c9.........   0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65
63 74  ..........object   0020:  63 6c 61 73 73 30 19 04  17 73 75
70 70 6f 72 74  class0...support   0030:  65 64 53 41 53 4c 4d 65 
63 68 61 6e 69 73 6d 73  edSASLMechanisms ldap_result ld 0xb92ae158
msgid 1
wait4msg ld 0xb92ae158 msgid 1 (infinite timeout)
wait4msg continue ld 0xb92ae158 msgid 1 all 1
** ld 0xb92ae158 Connections:
* host: my.server.ltd  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed Jul  7 12:11:03 2010


** ld 0xb92ae158 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
  ld 0xb92ae158 request count 1 (abandoned 0)
** ld 0xb92ae158 Response Queue:
  Empty
  ld 0xb92ae158 response count 0
ldap_chkResponseList ld 0xb92ae158 msgid 1 all 1
ldap_chkResponseList returns ld 0xb92ae158 NULL
ldap_int_select
read1msg: ld 0xb92ae158 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0

ber_get_next failed.
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

I really don't know what to do. My certificates are correct I guess, as
we're using them in apache for https... For information, they are
self-signed.

Any help would be great.

Thank you!

Best regards,

C.


--
Cédric Jeanneret                |  System Administrator
021 619 10 32                    |  Camptocamp SA
cedric.jeanneret@camptocamp.com  |  PSE-A / EPFL




--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Follow-Ups:
- Re: TLS problem
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

References:
- TLS problem
  - From: Cedric Jeanneret <cedric.jeanneret@camptocamp.com>
- Re: TLS problem
  - From: Cédric Jeanneret <cedric.jeanneret@camptocamp.com>

Prev by Date: Re: TLS problem
Next by Date: Re: TLS problem
Index(es):
- Chronological
- Thread