[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: syncrepl fails after upgrade to openldap 2.4.45
Cert authentication works on 2.4.44-r1 without any problem.
I have now downloaded the source code, configured, compiled and installed it manually.
Configure options:
./configure --disable-bdb --disable-hdb --enable-accesslog --enable-auditlog --enable-deref --enable-memberof --enable-ppolicy --enable-proxycache --enable-syncprov --enable-valsort
After compilation 'make test' completed successfully without any errors.
Everything works fine with 2.4.44-r1, but there are still certificate problems with 2.4.45, complaining about self-signed certificates.
Configurations with 2.4.44-r1 and 2.4.45 are identical, both are compiled with the same version of OpenSSL libraries (OpenSSL 1.0.2l 25 May 2017) and are using the same certificates.
I have done strace:
2.4.44-r1:
=======
ldap_create
ldap_create
ldap_url_parse_ext(ldaps://fw1.dannatu.ch:636)
ldap_url_parse_ext(ldaps://fw0.dannatu.ch:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw1.dannatu.ch:636
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw0.dannatu.ch:636
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 13 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
ldap_new_socket: 14
ldap_prepare_socket: 14
ldap_connect_to_host: Trying 10.0.0.10:636
ldap_pvt_connect: fd: 14 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAdd
ress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddres
s=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: depth: 1, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAdd
ress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddres
s=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
2.4.45:
=====
ldap_create
ldap_url_parse_ext(ldaps://fw1.dannatu.ch:636)
ldap_url_parse_ext(ldaps://fw0.dannatu.ch:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw0.dannatu.ch:636
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw1.dannatu.ch:636
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.0.0.10:636
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
ldap_new_socket: 16
ldap_prepare_socket: 16
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 16 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
connect success
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAd
dress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAd
dress=admin@dannatu.ch, issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAddress=admin@dannatu.ch
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in ce
rtificate chain).
5950a07f slap_client_connect: URI=ldaps://fw1.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in ce
rtificate chain).
5950a07f slap_client_connect: URI=ldaps://fw0.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
5950a07f do_syncrepl: rid=001 rc -1 retrying (4 retries left)
5950a07f do_syncrepl: rid=000 rc -1 retrying (4 retries left)
Still can't find a cause for this behavior.
Kind regards
Juergen Sprenger
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com]
Sent: Friday, June 23, 2017 6:33 PM
To: Sprenger Jürgen, INI-ON-CIS-SDI-HES <Juergen.Sprenger@swisscom.com>; openldap-technical@openldap.org
Subject: RE: syncrepl fails after upgrade to openldap 2.4.45
--On Friday, June 23, 2017 8:30 AM +0000 Juergen.Sprenger@swisscom.com
wrote:
> Have also added these entries to syncrepl now, but without any success:
>
> tls_cert=/etc/ssl/openldap/dannatu.ch.pem
> tls_key=/etc/ssl/openldap/dannatu.ch.key
> tls_cacert=/etc/ssl/certs/dannatuCA-cacert.pem
This would indicate you want to do client cert authentication with the syncrepl client, which as far as I know, you are not using (based on your earlier configuration). You need to remove the tls_cert and tls_key lines.
I've tested with OpenLDAP 2.4.45 and TLS works as expected with replication.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>