[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Issues with OpenLdap using OpenTLS



Thanks for the suggestions everyone,

I’ve corrected an issue with the generation of the self-signed CA , I was using the wrong ‘cert’

For OpenSSL this gets put into:

   /etc/pki/CA/cacert.pem

 

I have used the “Common Name” in the cert-generation as:  server.my-domain.com

I have it in /etc/hosts as:

    127.0.0.1         server.my-domain.com

I am using ‘localhost’ first in this investigation-stage, and will be used for our unit-tests

The port 636 does not appear to be firewalled

 

I get a little farther now with these changes, 8 bytes are sent/received: see below TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.

 

----------------------------------------------------ldap server

/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h ldaps://server.my-domain.com:636 -d -1

.

.

5e0f6aa1 daemon: activity on:

5e0f6aa1 daemon: epoll: listen=7 active_threads=0 tvp=NULL

5e0f6b65 daemon: activity on 1 descriptor

5e0f6b65 daemon: activity on:

5e0f6b65 slap_listener_activate(7):

5e0f6b65 daemon: epoll: listen=7 busy

5e0f6b65 >>> slap_listener(ldaps://server.my-domain.com:636)

5e0f6b65 daemon: accept() = 11

5e0f6b65 daemon: listen=7, new connection on 11

5e0f6b65 daemon: added 11r (active) listener=(nil)

5e0f6b65 conn=1001 fd=11 ACCEPT from IP=127.0.0.1:51880 (IP=127.0.0.1:636)

5e0f6b65 daemon: activity on 1 descriptor

5e0f6b65 daemon: activity on:

5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL

5e0f6b65 daemon: activity on 1 descriptor

5e0f6b65 daemon: activity on: 11r

5e0f6b65 daemon: read active on 11

5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL

5e0f6b65 connection_get(11)

5e0f6b65 connection_get(11): got connid=1001

5e0f6b65 connection_read(11): checking for input on id=1001

TLS trace: SSL_accept:before/accept initialization

tls_read: want=11, got=11

  0000:  16 03 01 01 1c 01 00 01  18 03 03                  ...........      

tls_read: want=278, got=278

  0000:  c7 eb 10 c3 5a af 18 e7  9b 3b ad 08 e6 cc b2 7d   ....Z....;.....} 

  0010:  ee a7 7d 0f c4 fe 01 49  8a 5b d3 94 c5 25 08 1d   ..}....I.[...%.. 

  0020:  00 00 ac c0 30 c0 2c c0  28 c0 24 c0 14 c0 0a 00   ....0.,.(.$..... 

  0030:  a5 00 a3 00 a1 00 9f 00  6b 00 6a 00 69 00 68 00   ........k.j.i.h. 

  0040:  39 00 38 00 37 00 36 00  88 00 87 00 86 00 85 c0   9.8.7.6......... 

  0050:  32 c0 2e c0 2a c0 26 c0  0f c0 05 00 9d 00 3d 00   2...*.&.......=. 

  0060:  35 00 84 c0 2f c0 2b c0  27 c0 23 c0 13 c0 09 00   5.../.+.'.#..... 

  0070:  a4 00 a2 00 a0 00 9e 00  67 00 40 00 3f 00 3e 00   ........g.@.?.>. 

  0080:  33 00 32 00 31 00 30 00  9a 00 99 00 98 00 97 00   3.2.1.0......... 

  0090:  45 00 44 00 43 00 42 c0  31 c0 2d c0 29 c0 25 c0   E.D.C.B.1.-.).%. 

  00a0:  0e c0 04 00 9c 00 3c 00  2f 00 96 00 41 c0 12 c0   ......<./...A... 

  00b0:  08 00 16 00 13 00 10 00  0d c0 0d c0 03 00 0a 00   ................ 

  00c0:  07 c0 11 c0 07 c0 0c c0  02 00 05 00 04 00 ff 01   ................ 

  00d0:  00 00 43 00 0b 00 04 03  00 01 02 00 0a 00 0a 00   ..C............. 

  00e0:  08 00 17 00 19 00 18 00  16 00 23 00 00 00 0d 00   ..........#..... 

  00f0:  20 00 1e 06 01 06 02 06  03 05 01 05 02 05 03 04    ............... 

  0100:  01 04 02 04 03 03 01 03  02 03 03 02 01 02 02 02   ................ 

  0110:  03 00 0f 00 01 01                                  ......           

tls_write: want=7, written=7

  0000:  15 03 03 00 02 02 28                               ......(          

TLS trace: SSL3 alert write:fatal:handshake failure

TLS trace: SSL_accept:error in error

TLS trace: SSL_accept:error in error

TLS: can't accept: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher.

5e0f6b65 connection_read(11): TLS accept failure error=-1 id=1001, closing

5e0f6b65 connection_closing: readying conn=1001 sd=11 for close

5e0f6b65 connection_close: conn=1001 sd=11

5e0f6b65 daemon: removing 11

5e0f6b65 conn=1001 fd=11 closed (TLS negotiation failure)

5e0f6b65 daemon: activity on 1 descriptor

5e0f6b65 daemon: activity on:

5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL

^C5e0f6e38 daemon: shutdown requested and initiated.

5e0f6e38 daemon: removing 7r

5e0f6e38 daemon: closing 7

5e0f6e38 slapd shutdown: waiting for 0 operations/tasks to finish

5e0f6e38 slapd shutdown: initiated

5e0f6e38 slapd destroy: freeing system resources.

5e0f6e38 slapd stopped.

 

---------------------------------------------------- client

[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -H ldaps://server.my-domain.com:636 -d -1

ldap_url_parse_ext(ldaps://server.my-domain.com:636)

ldap_create

ldap_url_parse_ext(ldaps://server.my-domain.com:636/??base)

ldap_sasl_bind

ldap_send_initial_request

ldap_new_connection 1 1 0

ldap_int_open_connection

ldap_connect_to_host: TCP server.my-domain.com:636

ldap_new_socket: 3

ldap_prepare_socket: 3

ldap_connect_to_host: Trying 127.0.0.1:636

ldap_pvt_connect: fd: 3 tm: -1 async: 0

attempting to connect:

connect success

TLS trace: SSL_connect:before/connect initialization

tls_write: want=289, written=289

  0000:  16 03 01 01 1c 01 00 01  18 03 03 8b 5c ad c3 76   ............\..v 

  0010:  a2 eb 75 4f df e3 f3 7b  5c 55 73 5e 2c 43 62 de   ..uO...{\Us^,Cb. 

  0020:  98 5f 5d b8 3b c0 82 32  46 86 cd 00 00 ac c0 30   ._].;..2F......0 

  0030:  c0 2c c0 28 c0 24 c0 14  c0 0a 00 a5 00 a3 00 a1   .,.(.$.......... 

  0040:  00 9f 00 6b 00 6a 00 69  00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7 

  0050:  00 36 00 88 00 87 00 86  00 85 c0 32 c0 2e c0 2a   .6.........2...* 

  0060:  c0 26 c0 0f c0 05 00 9d  00 3d 00 35 00 84 c0 2f   .&.......=.5.../ 

  0070:  c0 2b c0 27 c0 23 c0 13  c0 09 00 a4 00 a2 00 a0   .+.'.#.......... 

  0080:  00 9e 00 67 00 40 00 3f  00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1 

  0090:  00 30 00 9a 00 99 00 98  00 97 00 45 00 44 00 43   .0.........E.D.C 

  00a0:  00 42 c0 31 c0 2d c0 29  c0 25 c0 0e c0 04 00 9c   .B.1.-.).%...... 

  00b0:  00 3c 00 2f 00 96 00 41  c0 12 c0 08 00 16 00 13   .<./...A........ 

  00c0:  00 10 00 0d c0 0d c0 03  00 0a 00 07 c0 11 c0 07   ................ 

  00d0:  c0 0c c0 02 00 05 00 04  00 ff 01 00 00 43 00 0b   .............C.. 

  00e0:  00 04 03 00 01 02 00 0a  00 0a 00 08 00 17 00 19   ................ 

  00f0:  00 18 00 16 00 23 00 00  00 0d 00 20 00 1e 06 01   .....#..... .... 

  0100:  06 02 06 03 05 01 05 02  05 03 04 01 04 02 04 03   ................ 

  0110:  03 01 03 02 03 03 02 01  02 02 02 03 00 0f 00 01   ................ 

  0120:  01                                                 .                

TLS trace: SSL_connect:SSLv2/v3 write client hello A

tls_read: want=7, got=7

  0000:  15 03 03 00 02 02 28                               ......(          

TLS trace: SSL3 alert read:fatal:handshake failure

TLS trace: SSL_connect:error in SSLv2/v3 read server hello A

TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.

ldap_err2string

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

 

 

From: openldap-technical <openldap-technical-bounces@openldap.org> On Behalf Of Christopher Paul
Sent: Thursday, January 2, 2020 6:17 PM
To: openldap-technical@openldap.org
Subject: Re: Issues with OpenLdap using OpenTLS

 

I

On 1/2/20 8:36 AM, Dunne, Kenneth wrote:

All

 

  I am able to connect to my home-built OpenSSL installation (from Dec-19 sources) on CentOS-7 without the TLS bind

[...]

TLS trace: SSL_connect:SSLv2/v3 write client hello A

tls_read: want=7, got=0

Hey Ken, is port 636 open on the host-based firewall if it's running? any other firewalls blocking 636?

CP