
SSL client cert authc problems with OpenLDAP client and OpenDJ server


(cross-posted since OpenLDAP and OpenDJ are involved)

I have some SSL client cert authc problems with an OpenLDAP 2.4.23 LDAP client
(dynamically linked to OpenSSL 0.9.8e on RHEL 5.6) and OpenDJ 2.4.5 running
under control of Java 1.6.0_31. I cross-checked all the cert and trust stuff
several times. It seems to be correct. Unfortunately we're stuck with 2.4.23
in this setup because of OpenLDAP's ITS#6997.

(I manually obfuscated parameters and log lines herein.)

At first glance OpenLDAP's ldapwhoami seems to work correctly with the first
OpenDJ replica:

$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://master1.example.com -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: cn=ldapclient,o=example,c=DE

But OpenDJ's access-log file records:

[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358
to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL
mechanism=EXTERNAL dn=""
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0
authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am
I?" oid=""
[18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0
additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error"
msg="The client sent a request to the Directory Server that could not be
properly decoded as an LDAP message:  javax.net.ssl.SSLException: Inbound
closed before receiving peer's close_notify: possible truncation attack?"

The attempt to do the same on another OpenDJ replica fails completely (no
differences in TLS configuration; I checked cn=config for potential differences
with diff):

$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://consumer1.example.com -Y EXTERNAL
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

OpenDJ's access-log file records:

[18/May/2012:16:52:38 +0200] CONNECT conn=6 from=x.x.x.x:61841
to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error"
msg="The client sent a request to the Directory Server that could not be
properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException:
General SSLEngine problem"
[18/May/2012:16:53:06 +0200] CONNECT conn=7 from=x.x.x.x:61842
to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:53:07 +0200] DISCONNECT conn=7 reason="Protocol Error"
msg="The client sent a request to the Directory Server that could not be
properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException:
General SSLEngine problem"

Any clue what's going on here?

Ciao, Michael.

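As an added example, not part of the original post or of OpenLDAP/OpenDJ: a small Python script that walks OpenDJ access-log records of the kind quoted above, correlates them per conn=N, and separates the two failure shapes seen in the post, a connection whose TLS handshake failed before any BIND was logged, and one where the SASL/EXTERNAL bind and the Who Am I? operation both succeeded and the server only complained afterwards that the client closed the TCP connection without a TLS close_notify. The sample lines are constructed from the excerpts (RFC 5737 addresses stand in for the x.x.x.x hosts, and each record is one physical line rather than wrapped as in the e-mail); the classification labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the access-log excerpts in the post.
# Addresses are RFC 5737 documentation addresses (an assumption; the post
# shows them as x.x.x.x). Each record is one physical line here.
SAMPLE_LOG = """\
[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=192.0.2.10:33358 to=192.0.2.20:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL mechanism=EXTERNAL dn=""
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0 authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am I?" oid=""
[18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0 additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message:  javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
[18/May/2012:16:52:38 +0200] CONNECT conn=6 from=192.0.2.10:61841 to=192.0.2.21:63677 protocol=LDAPS
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
"""

# "[timestamp] TYPE [REQ|RES] key=value ..." ; TYPE is CONNECT, BIND, EXTENDED, DISCONNECT, ...
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<type>[A-Z]+(?: (?:REQ|RES))?)\s+(?P<rest>.*)$')


def field(rest, key):
    """Return key=value from the record body; values may be bare or "quoted"."""
    m = re.search(r'(?<!\w)' + re.escape(key) + r'=(?:"([^"]*)"|(\S+))', rest)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_line(line):
    """Parse one access-log record into a dict, or None if the line is not a record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = m.group("rest")
    conn = field(rest, "conn")
    # msg is the last field and may itself contain quotes, so take it greedily.
    msg = re.search(r'\bmsg="(.*)"\s*$', rest)
    return {
        "ts": m.group("ts"),
        "type": m.group("type"),
        "conn": int(conn) if conn is not None and conn.isdigit() else None,
        "result": field(rest, "result"),
        "authDN": field(rest, "authDN"),
        "mechanism": field(rest, "mechanism"),
        "reason": field(rest, "reason"),
        "msg": msg.group(1) if msg else None,
    }


def classify(conn):
    """Label one connection's life cycle; labels are this example's own vocabulary."""
    disc = conn["disconnect"]
    if disc is None:
        return ("no-disconnect-logged", None)
    msg = disc["msg"] or ""
    ok_binds = [b for b in conn["binds"] if b["result"] == "0"]
    auth_dn = ok_binds[-1]["authDN"] if ok_binds else None
    if "SSLHandshakeException" in msg and not conn["binds"]:
        # TLS never completed, so no LDAP PDU reached the server: look at the
        # TLS layer (client cert chain, key usage, protocol/cipher), not at LDAP.
        return ("tls-handshake-failed", None)
    if ok_binds and "close_notify" in msg:
        # Authentication succeeded; afterwards the TCP connection was closed
        # without a TLS close_notify, which JSSE reports as a possible truncation.
        return ("authenticated-unclean-close", auth_dn)
    if conn["binds"] and not ok_binds:
        return ("bind-failed", None)
    return ("other", auth_dn)


def triage(log_text):
    """Group records by conn=N and classify each connection."""
    conns = defaultdict(lambda: {"connect": None, "binds": [], "disconnect": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["conn"] is None:
            continue
        c = conns[rec["conn"]]
        if rec["type"] == "CONNECT":
            c["connect"] = rec
        elif rec["type"] == "BIND RES":
            c["binds"].append(rec)
        elif rec["type"] == "DISCONNECT":
            c["disconnect"] = rec
    return {cid: classify(c) for cid, c in conns.items()}


if __name__ == "__main__":
    for cid, (label, dn) in sorted(triage(SAMPLE_LOG).items()):
        print(f"conn={cid}: {label} authDN={dn}")
```

On the constructed sample this yields tls-handshake-failed for conn=6 and authenticated-unclean-close for conn=15 together with the authDN from the BIND RES line. Run against the real file, a tls-handshake-failed connection is one on which nothing at the LDAP layer was ever exchanged, so the next place to look is the server's TLS layer (for a Java server, -Djavax.net.debug=ssl gives the handshake detail the access log lacks) rather than the SASL or access-control configuration.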