Full_Name: Yann Verry Version: 2.4.39 OS: debian/sid URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (2a01:e35:2e6d:c800:d572:aec:1b42:380c)
Hi,
I would like (CACert sign class3 now with SHA512) to switch my X509 certificate with a signature algorithm SHA512. When I do this openldap bind on SSL port but was unable to provide SSL connection as you can see in error:
2014-05-31T00:20:46.852821+02:00 peach slapd[23997]: >>> slap_listener(ldaps:///) 2014-05-31T00:20:46.853369+02:00 peach slapd[23997]: connection_get(35): got connid=1068 2014-05-31T00:20:46.853891+02:00 peach slapd[23997]: connection_read(35): checking for input on id=1068 2014-05-31T00:20:46.854526+02:00 peach slapd[23997]: connection_read(35): TLS accept failure error=-1 id=1068, closing 2014-05-31T00:20:46.855071+02:00 peach slapd[23997]: connection_close: conn=1068 sd=35
If I fall back to sha256 it works fine
How to reproduce ================
- generate self signed with sha256 and sha512:
mkdir -p /etc/ldap/ssl cd !$
# priv certtool --generate-privkey --sec-param normal --outfile mypriv_normal.key
# self certtool -s --load-privkey mypriv_normal.key --outfile gnutls512_normal.crt --hash SHA512 certtool -s --load-privkey mypriv_normal.key --outfile gnutls256_normal.crt --hash SHA256
# build PEM cat mypriv_normal.key gnutls512_normal.crt > gnutls512_normal.pem cat mypriv_normal.key gnutls256_normal.crt > gnutls256_normal.pem
my cn=config:
olcTLSCACertificateFile: /etc/ldap/ssl/sslcertificate.pem olcTLSCertificateFile: /etc/ldap/ssl/sslcertificate.pem olcTLSCertificateKeyFile: /etc/ldap/ssl/sslcertificate.pem
now just play with symlink.
sha256 ------
ln -s gnutls256_normal.pem sslcertificate.pem ; then restart openldap
make a client connection:
gnutls-cli ldap.verry.org -p 636 Resolving 'ldap.verry.org'... Connecting to '2a01:e35:2e6d:c800:cafe:deca:0:42:636'... - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate[0] info: - subject `CN=ldap.verry.org', issuer `CN=ldap.verry.org', RSA key 2432 bits, signed using RSA-SHA256, activated `2014-05-31 08:26:59 UTC', expires `2024-05-28 08:27:03 UTC', SHA-1 fingerprint `600b2a502289644c075d4b3eaf7b1efd38685687' - The hostname in the certificate matches 'ldap.verry.org'. - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted - Version: TLS1.2 - Key Exchange: RSA - Cipher: AES-128-CBC - MAC: SHA1 - Compression: NULL - Handshake was completed
- Simple Client Mode:
server view, it's OK:
538909bf conn=1007 fd=32 TLS established tls_ssf=256 ssf=256
sha512 ------ rm previous symlink and ln -s gnutls512_normal.pem sslcertificate.pem ; then restart openldap
make a connection:
gnutls-cli ldap.verry.org -p 636 Resolving 'ldap.verry.org'... Connecting to '2a01:e35:2e6d:c800:cafe:deca:0:42:636'... *** Fatal error: A TLS packet with unexpected length was received. *** Handshake has failed GnuTLS error: A TLS packet with unexpected length was received.
server view:
TLS: can't accept: Could not negotiate a supported cipher suite.. 538909f9 connection_read(28): TLS accept failure error=-1 id=1000, closing 538909f9 connection_closing: readying conn=1000 sd=28 for close 538909f9 connection_close: conn=1000 sd=28 538909f9 daemon: removing 28 538909f9 conn=1000 fd=28 closed (TLS negotiation failure)
gnutls ======
gnutls-cli -l|grep SHA512 MACs: SHA1, MD5, SHA256, SHA384, SHA512, SHA224, UMAC-96, UMAC-128, AEAD Digests: SHA1, MD5, SHA256, SHA384, SHA512, SHA224 PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD5, SIGN-RSA-MD2, SIGN-ECDSA-SHA1, SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384, SIGN-ECDSA-SHA512
I can provide more information as needed to solve this issue
Regards, Yann