
Re: Can't get TLS working.



Sorry, forgot to mention that I've tested that the certificates are OK.

# starting slapd

/usr/local/libexec/slapd -u ldap -d 1 -h ldaps:///

# making test:

openssl s_client -connect 127.0.0.1:636 -CAfile /usr/local/etc/openldap/ssl-client/root.crt -showcerts

# output of test in openssl command:

CONNECTED(00000003)
depth=1 /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
verify return:1
depth=0 /C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
verify return:1
---
Certificate chain
 0 s:/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
  i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate>
.....
</certificate>
-----END CERTIFICATE-----
 1 s:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
  i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate>
.....
</certificate>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com
issuer=/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
---
No client certificate CA names sent
---
SSL handshake has read 1811 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : AES256-SHA
   Session-ID: <SOMESESSIONID>
   Session-ID-ctx:
   Master-Key: <SOMEMASTERKEY>
   Key-Arg   : None
   Start Time: 1284557075
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)
---

# in slapd debug at that moment:

slap_listener_activate(7):
>>> slap_listener(ldaps:///)
connection_get(11): got connid=1001
connection_read(11): checking for input on id=1001
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1001
connection_read(11): checking for input on id=1001
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1001

# in openssl I enter QUIT and receive DONE
# in slapd debug after I entered QUIT I receive the following debug:

connection_get(11): got connid=1001
connection_read(11): checking for input on id=1001
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
connection_close: conn=1001 sd=11
TLS trace: SSL3 alert write:warning:close notify


Without -CAfile /usr/local/etc/openldap/ssl-client/root.crt I get the following:

# openssl s_client -connect 127.0.0.1:636 -showcerts
CONNECTED(00000003)
depth=1 /C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=RU/ST=MSK/L=MSK/O=NRD/OU=IT/CN=ldap.domain.com
  i:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate>
...
</certificate>
-----END CERTIFICATE-----
 1 s:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
  i:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
-----BEGIN CERTIFICATE-----
<certificate>
...
</certificate>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=RU/ST=MSK/L=MSK/O=NRD/OU=IT/CN=ldap.domain.com
issuer=/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com
---
No client certificate CA names sent
---
SSL handshake has read 1811 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : AES256-SHA
   Session-ID: <SOMESESSIONID>
   Session-ID-ctx:
   Master-Key: <SOMEMASTERKEY>
   Key-Arg   : None
   Start Time: 1284557459
   Timeout   : 300 (sec)
   Verify return code: 19 (self signed certificate in certificate chain)
---

# and slapd says the following:

slap_listener_activate(7):
>>> slap_listener(ldaps:///)
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000

# after I enter quit slapd says this:

connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
connection_close: conn=1000 sd=11
TLS trace: SSL3 alert write:warning:close notify


And I've got an ldap.domain.com record in /etc/hosts...

2010/9/15 Dieter Kluenter <dieter@dkluenter.de>:
> c0re <nr1c0re@gmail.com> writes:
>
>> Yes, same output of debug as in my first post, nothing changed.
>>
>> Also I tried to use "ssl on" and connect to port 636 - same debug output...
>>
>> 2010/9/15 Dieter Kluenter <dieter@dkluenter.de>:
>>> c0re <nr1c0re@gmail.com> writes:
>>>
>>>> I tried to set "disallow tls_authc" and/or "TLSVerifyClient never" in
>>>> slapd.conf - no changes.
>>>
>>> What do you mean by 'no changes' do you still see the line
>>> unable to get TLS client DN, error=49
>>> Or is there an other error reported?
>
> please start slapd as ldaps on port 636 and try
> openssl s_client -connect hostname:636 -showcerts
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> sip: 7770535@sipgate.de
> http://www.dpunkt.de/buecher/2104.html
> GPG Key ID:8EF7B6C6
>
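The two s_client checks from the post (with and without -CAfile), run against a throwaway local listener instead of slapd so the result can be reproduced offline. This is an added example, not code from the thread or from OpenLDAP; it assumes openssl(1) 1.1 or newer is in PATH, and the CA and server names, the temporary directory and the port are made up to mirror the post. It also adds -verify_hostname, which the post's command does not use: with -CAfile alone s_client only checks that the chain leads to the given root, not that the certificate was issued for the host you connected to.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two "openssl s_client" checks
# in the post against a throwaway local TLS listener (openssl s_server) instead of slapd.
# Assumes openssl(1) 1.1 or newer is in PATH; names, directory and port are made up.
set -eu

# verify_code HOST:PORT [extra s_client options]
# Run s_client non-interactively (stdin from /dev/null, like typing QUIT at once)
# and print only the numeric "Verify return code" from its session summary.
verify_code() {
  target=$1; shift
  openssl s_client -connect "$target" "$@" </dev/null 2>/dev/null \
    | sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# make_chain DIR
# Private CA (root.crt) and a server certificate for ldap.domain.com signed by it,
# with a subjectAltName so hostname verification has something to match.
make_chain() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/root.crt" \
    -subj "/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ca.domain.com" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com" >/dev/null 2>&1
  printf 'subjectAltName=DNS:ldap.domain.com\n' >"$dir/san.cnf"
  openssl x509 -req -days 1 -in "$dir/server.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.cnf" -out "$dir/server.crt" >/dev/null 2>&1
}

# run_demo
# Start the listener, run the check with and without -CAfile, clean up, and print
# "with_ca=<code> without_ca=<code>". Succeeds only when the CA-anchored check is
# clean (0) and the unanchored one is not.
run_demo() {
  work=$(mktemp -d)
  demo_runs=$((${demo_runs:-0} + 1))
  port=$((20000 + ($$ + demo_runs) % 20000))
  make_chain "$work"
  # -cert_chain makes the server send root.crt after its own certificate, as the
  # slapd in the post does (chain entry 1 is the self-signed CA). -www keeps the
  # server from reading stdin, so it keeps accepting connections in the background.
  openssl s_server -accept "$port" -cert "$work/server.crt" -key "$work/server.key" \
    -cert_chain "$work/root.crt" -www >/dev/null 2>&1 &
  srv=$!
  i=0
  until openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 25 ] || { kill "$srv" 2>/dev/null || true; rm -rf "$work"; return 1; }
    sleep 0.2
  done
  # Anchored at our CA and checking the name, as an LDAP client would.
  with_ca=$(verify_code "127.0.0.1:$port" -CAfile "$work/root.crt" -verify_hostname ldap.domain.com)
  # No trust anchor: the chain is intact but ends in a CA the client does not know.
  without_ca=$(verify_code "127.0.0.1:$port")
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  rm -rf "$work"
  echo "with_ca=${with_ca:-none} without_ca=${without_ca:-none}"
  [ "$with_ca" = 0 ] && [ "${without_ca:-0}" != 0 ]
}

run_demo
```

Which non-zero code the unanchored run reports depends on what the server sends: 19 (self signed certificate in certificate chain) when the root is included in the chain, as in the post, or 20 (unable to get local issuer certificate) when only the leaf is sent. The "No client certificate CA names sent" line in the post's output means the server did not request a client certificate, which is why the example starts s_server without -Verify.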