Full_Name: Massimo Gravino
Version: 2.4.23-15
OS: Scientific Linux 6.1
URL:
Submission from: (NULL) (192.84.143.111)
We have an openldap server that uses LDAP over TLS/SSL and serves hundreds of clients.
The CA used to sign the server certificate was created in 2005 with OpenSSL 0.9.7a.
The CA self signed certificate and the server certificate have been used until now without any problem.
In the server configuration (/etc/openldap/slapd.conf) we use TLSCertificateFile and TLSCertificateKeyFile to specify the path to the pem files of the certificate and private key of the server, and TLSCACertificateFile for the path to the pem file of the self signed certificate of the CA. In the client configuration (/etc/openldap/ldap.conf) we only define TLS_CACERT to specify the path to the pem file of the CA certificate.
Now we are not able to use the CA certificate on new Scientific Linux 6.1 clients with openldap 2.4.23-15: the problem appears with the standard openldap-2.4.23-15.el6 package, which is compiled using MozNSS. If we recompile it using OpenSSL, the problem disappears (to recompile I simply edit the .spec file, omit -DHAVE_MOZNSS from the CFLAGS definition, change the --with-tls=no option to --with-tls=openssl and rebuild with rpmbuild -ba).
This is the error obtained from the client with the original package when using ldapsearch:
ldapsearch -x -d1 ....
TLS: loaded CA certificate file /etc/openldap/cacerts/cacert.pem.
TLS: certificate [CN=my.server.name,OU=Sezione di Padova,O=INFN,L=Padova,ST=Italia,C=IT] is not valid - error -8182:Unknown code ___f 10.
TLS: error: connect - force handshake failure: errno 21 - moznss error -8182
TLS: can't connect: TLS error -8182:Unknown code ___f 10.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The problem appears to be related to our particular CA, that uses a DSA key.
I've never been able to reproduce the problem by creating a new CA with an RSA key; however, if possible I'd rather not change the CA that signs my server certificate, because in that case I would have to change the CA certificate on a lot of clients. Nor would I want to manually recompile every new version of the openldap packages.
So I collected all the steps necessary to reproduce this problem on a Scientific Linux 6.1 server and client, with openldap 2.4.23-15 and openssl 1.0.0-10, hoping that the problem will be considered a bug in MozNSS.
Certification Authority creation
--------------------------------
mkdir CA
cd CA/
mkdir certs crl newcerts private
touch index.txt
echo "01" > serial
edit /etc/pki/tls/openssl.cnf and change the dir definition in [ CA_default ] to point to the CA/ directory
openssl dsaparam -out dsaparam.pem 2048
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -newkey dsa:dsaparam.pem -days 5000
Server certificate creation and signing
---------------------------------------
openssl req -new -keyout key.pem -out req.pem -newkey rsa:2048 -nodes
openssl ca -policy policy_anything -out cert.pem -in req.pem
Now copy cert.pem and key.pem to the server, and cacert.pem to the server and the client (they may be the same machine), and set the values of TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile in the server configuration, and TLS_CACERT in the client configuration, accordingly.
Start the server with /usr/sbin/slapd -h ldaps:/// -u ldap -d 1
Then on the client use: ldapsearch -x -d1
On the server side you should see something like this:
TLS: loaded CA certificate file /etc/openldap/cacerts/cacert.pem.
TLS: certificate [E=admin@my.domain,CN=server.fqdn,OU=Sezione di Padova,O=INFN,L=Padova,ST=Italia,C=IT] is valid
TLS: error: accept - force handshake failure: errno 21 - moznss error -12271
TLS: can't accept: TLS error -12271:Unknown code ___P 17.
connection_read(11): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=11
And on the client side:
TLS: loaded CA certificate file /etc/openldap/cacerts/cacert.pem.
TLS: certificate [E=admin@my.domain,CN=server.fqdn,OU=Sezione di Padova,O=INFN,L=Padova,ST=Italia,C=IT] is not valid - error -8182:Unknown code ___f 10.
TLS: error: connect - force handshake failure: errno 21 - moznss error -8182
TLS: can't connect: TLS error -8182:Unknown code ___f 10.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Note that the server says the certificate is valid but the SSL peer cannot verify it (moznss error -12271: SSL_ERROR_BAD_CERT_ALERT).
On the other side, the client says the certificate is not valid because it has an invalid signature (moznss error -8182: SEC_ERROR_BAD_SIGNATURE).
As I said above, the problem disappears recompiling openldap with OpenSSL instead of MozNSS.
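As an added check that is not part of this report: since the failure is tied to a CA whose certificate carries a DSA signature, the following Python script (hypothetical function names, no third-party modules) reads the signatureAlgorithm OID of a certificate in PEM or DER form and reports whether it is DSA or RSA signed, so a deployment can find affected CA certificates before rolling out MozNSS-built clients. The certificate bytes embedded at the bottom are constructed skeletons rather than real certificates; on a real cacert.pem, pass the file contents to classify().

```python
# Added check, not part of the report: read the signatureAlgorithm of an X.509
# certificate (PEM or DER) with a minimal DER walker and no third-party modules.
# The certificate bytes at the bottom are constructed skeletons, not real certificates.
import base64
import re

SIG_ALGS = {  # signature-algorithm OIDs relevant to this report
    "1.2.840.10040.4.3": ("DSA", "dsaWithSHA1"),
    "2.16.840.1.101.3.4.3.2": ("DSA", "dsa-with-SHA256"),
    "1.2.840.113549.1.1.5": ("RSA", "sha1WithRSAEncryption"),
    "1.2.840.113549.1.1.11": ("RSA", "sha256WithRSAEncryption"),
}

def der_tlv(data, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def oid_decode(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                   # base-128 arcs, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = der_tlv(der, 0)
    _, _, pos = der_tlv(cert, 0)            # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = der_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return oid_decode(oid)

def classify(cert):
    """cert is PEM text or DER bytes; returns (family, name), e.g. ('DSA', 'dsaWithSHA1')."""
    if isinstance(cert, str):
        body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", cert, re.S).group(1)
        cert = base64.b64decode("".join(body.split()))
    return SIG_ALGS.get(signature_oid(cert), ("other", signature_oid(cert)))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed samples: empty tbsCertificate, real AlgorithmIdentifier, dummy BIT STRING.
SAMPLE_DSA_CA = bytes.fromhex("30103000300906072a8648ce380403030100")      # dsaWithSHA1
SAMPLE_RSA_CA = bytes.fromhex("30123000300b06092a864886f70d010105030100")  # sha1WithRSA
```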