Full_Name: Michael Keller
Version: 2.4.20
OS: SLES 11 SP1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (95.131.98.154)
I have configured slapd to accept only TLS connections with:
security ssf=1 update_ssf=112 simple_bind=64
An ldapsearch -x correctly returns:
# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required
When using TLS_REQCERT=demand, an ldapsearch -x -Z still returns results, even if a bad certificate comes from the server. See debug output below.
ldapsearch -x -Z
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
# extended LDIF
#
# LDAPv3
# base <dc=ee,dc=psi> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ee.psi
dn: dc=ee,dc=psi
objectClass: dcObject
objectClass: organization
dc: ee
o: PSI-EE

# People, ee.psi
dn: ou=People,dc=ee,dc=psi
ou: People
objectClass: top
objectClass: organizationalUnit

# Group, ee.psi
dn: ou=Group,dc=ee,dc=psi
ou: Group
objectClass: top
objectClass: organizationalUnit

# search result
search: 3
result: 0 Success

# numResponses: 4
# numEntries: 3
Only when using "-ZZ" is the connection not established. But the man page states that the connection is terminated immediately if a bad certificate is supplied ("ldap_start_tls returns with an error"). I think with "TLS_REQCERT demand" and a bad certificate the connection should be terminated even if just "-Z" is used. At the moment the behaviour is the same for TLS_REQCERT = allow|try|demand.
Debug output:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /DC=psi/DC=ee/ST=Germany/O=PSI AG/OU=EE/CN=ee-caroot.ee.psi, issuer: /DC=psi/DC=ee/ST=Germany/O=PSI AG/OU=EE/CN=ee-caroot.ee.psi
TLS certificate verification: depth: 1, err: 0, subject: /DC=psi/DC=ee/ST=Germany/L=Aschaffenburg/O=PSI AG/OU=EE/CN=EE-SigningCA@ldap-srv11, issuer: /DC=psi/DC=ee/ST=Germany/O=PSI AG/OU=EE/CN=ee-caroot.ee.psi
TLS certificate verification: depth: 0, err: 0, subject: /DC=psi/DC=ee/ST=Germany/L=Aschaffenburg/O=PSI AG/OU=EE/CN=ldap-srv11.ee.psi, issuer: /DC=psi/DC=ee/ST=Germany/L=Aschaffenburg/O=PSI AG/OU=EE/CN=EE-SigningCA@ldap-srv11
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap-srv11) does not match common name in certificate (ldap-srv11.ee.psi).
ldap_err2string
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x615150 msgid 2
wait4msg ld 0x615150 msgid 2 (infinite timeout)
wait4msg continue ld 0x615150 msgid 2 all 1
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012

** ld 0x615150 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid 2 all 1
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x615150 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x615150 0 new referrals
read1msg:  mark request completed, ld 0x615150 msgid 2
request done: ld 0x615150 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 51 bytes to sd 3
ldap_result ld 0x615150 msgid -1
wait4msg ld 0x615150 msgid -1 (infinite timeout)
wait4msg continue ld 0x615150 msgid -1 all 0
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012

** ld 0x615150 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid -1 all 0
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 89 contents:
read1msg: ld 0x615150 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x615150 msgid -1
wait4msg ld 0x615150 msgid -1 (infinite timeout)
wait4msg continue ld 0x615150 msgid -1 all 0
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012

** ld 0x615150 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid -1 all 0
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 89 contents:
read1msg: ld 0x615150 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x615150 msgid -1
wait4msg ld 0x615150 msgid -1 (infinite timeout)
wait4msg continue ld 0x615150 msgid -1 all 0
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012

** ld 0x615150 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid -1 all 0
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 87 contents:
read1msg: ld 0x615150 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
ldap_dn2ufn
ldap_dn_normalize
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ber_scanf fmt ({mM}) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x615150 msgid -1
wait4msg ld 0x615150 msgid -1 (infinite timeout)
wait4msg continue ld 0x615150 msgid -1 all 0
** ld 0x615150 Connections:
* host: ldap-srv11  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 14 08:49:55 2012

** ld 0x615150 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x615150 request count 1 (abandoned 0)
** ld 0x615150 Response Queue:
   Empty
  ld 0x615150 response count 0
ldap_chkResponseList ld 0x615150 msgid -1 all 0
ldap_chkResponseList returns ld 0x615150 NULL
ldap_int_select
read1msg: ld 0x615150 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x615150 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x615150 0 new referrals
read1msg:  mark request completed, ld 0x615150 msgid 3
request done: ld 0x615150 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
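The symptom the report describes (ldap_start_tls fails the hostname check, yet with "-Z" the client goes on to bind and search on the unverified session) can be picked out of a libldap debug trace like the one above. The following is an added example, not part of the report and not OpenLDAP code: a Python scanner that reads an ldapsearch -d trace, records the chain-verification and hostname-check results, and flags any LDAP operations that followed a failed ldap_start_tls. The two sample traces are constructed, trimmed copies of the trace above (certificate subjects shortened); the regular expressions are heuristics over the trace text, not a library API.

```python
"""Flag libldap debug traces in which StartTLS verification failed but the client
continued with bind/search on the unverified session. Added example for this
report; not OpenLDAP code. Regexes are heuristics over the trace text."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes copied from the ldapsearch -d trace in the report above.
RE_VERIFY = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.+?), issuer: (.+)$")
RE_HOSTNAME = re.compile(
    r"TLS: hostname \(([^)]+)\) does not match common name in certificate \(([^)]+)\)")
RE_START_TLS = re.compile(r"^ldap_start_tls: (.+?) \((-?\d+)\)")
RE_ADDL_INFO = re.compile(r"additional info: (.+)$")
RE_MSGTYPE = re.compile(r"read1msg: ld \S+ msgid (-?\d+) message type (\S+)")


@dataclass
class TlsSessionReport:
    chain_errors: List[str] = field(default_factory=list)  # non-zero err at any depth
    hostname: Optional[str] = None        # name the client connected to
    cert_cn: Optional[str] = None         # CN the server's certificate carried
    start_tls_error: Optional[str] = None
    start_tls_code: Optional[int] = None
    start_tls_info: Optional[str] = None
    ops_after_failure: List[str] = field(default_factory=list)  # message types after the error

    @property
    def verification_failed(self) -> bool:
        return self.start_tls_code is not None

    @property
    def entries_after_failure(self) -> int:
        return self.ops_after_failure.count("search-entry")

    def verdict(self) -> str:
        if not self.verification_failed:
            return "ok: StartTLS completed without error"
        why = self.start_tls_info or self.start_tls_error
        if self.ops_after_failure:
            kinds = ", ".join(sorted(set(self.ops_after_failure)))
            return (f"UNVERIFIED_PEER: StartTLS failed ({why}) but the client continued "
                    f"with {kinds}; {self.entries_after_failure} entries received")
        return f"aborted: StartTLS failed ({why}); no LDAP operations followed"


def analyze_trace(lines) -> TlsSessionReport:
    """Walk the trace once; everything after a failed ldap_start_tls is suspect."""
    rep = TlsSessionReport()
    for raw in lines:
        line = raw.strip()
        if (m := RE_VERIFY.search(line)) and m.group(2) != "0":
            rep.chain_errors.append(f"depth {m.group(1)} err {m.group(2)} ({m.group(3)})")
        elif (m := RE_HOSTNAME.search(line)):
            rep.hostname, rep.cert_cn = m.group(1), m.group(2)
        elif (m := RE_START_TLS.match(line)):
            rep.start_tls_error, rep.start_tls_code = m.group(1), int(m.group(2))
        elif rep.verification_failed and rep.start_tls_info is None and (m := RE_ADDL_INFO.search(line)):
            rep.start_tls_info = m.group(1)
        elif rep.verification_failed and (m := RE_MSGTYPE.search(line)):
            rep.ops_after_failure.append(m.group(2))
    return rep


# Constructed sample: trimmed copy of the "-Z" trace in the report (subjects shortened).
TRACE_Z = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 0, subject: /DC=psi/DC=ee/O=PSI AG/CN=ldap-srv11.ee.psi, issuer: /DC=psi/DC=ee/O=PSI AG/CN=EE-SigningCA@ldap-srv11
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (ldap-srv11) does not match common name in certificate (ldap-srv11.ee.psi).
ldap_start_tls: Connect error (-11)
\tadditional info: TLS: hostname does not match CN in peer certificate
ldap_sasl_bind
read1msg: ld 0x615150 msgid 2 message type bind
ldap_search_ext
read1msg: ld 0x615150 msgid 3 message type search-entry
read1msg: ld 0x615150 msgid 3 message type search-entry
read1msg: ld 0x615150 msgid 3 message type search-entry
read1msg: ld 0x615150 msgid 3 message type search-result
ldap_send_unbind
""".splitlines()

# Constructed sample: the same failure when the client aborts (the "-ZZ" behaviour).
TRACE_ZZ = TRACE_Z[:6] + ["ldap_free_connection: actually freed"]

if __name__ == "__main__":
    for name, trace in (("-Z", TRACE_Z), ("-ZZ", TRACE_ZZ)):
        print(name, analyze_trace(trace).verdict())
```

Run against the full trace in the report, the scanner reports an UNVERIFIED_PEER verdict with three entries received after the failed StartTLS; the same trace cut off at the error (what "-ZZ" produces) yields "aborted".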