[Issue 10112] New: We are working with the client that comes with openldap and cannot connect to TLS/SSL ldaps
https://bugs.openldap.org/show_bug.cgi?id=10112
Issue ID: 10112 Summary: We are working with the client that comes with openldap and cannot connect to TLS/SSL ldaps Product: OpenLDAP Version: 2.6.6 Hardware: x86_64 OS: Linux Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: slapd Assignee: bugs@openldap.org Reporter: 228844797@qq.com Target Milestone: ---
Created attachment 985 --> https://bugs.openldap.org/attachment.cgi?id=985&action=edit slapd config
Hello developers,
Can you help me see how to solve this problem
We are working with the client that comes with openldap and cannot connect to TLS/SSL ldaps,But I was able to access it using ldap:389
The server configuration information is as follows:
Linux System version:Ubuntu 22.04.3 LTS OpenLDAP version:2.6.6 openssl version:OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
The slapd.ldif certificate is configured as follows:
olcTLSCACertificateFile: /usr/local/openldap-2.6.6/cert/demoCA/newcerts/cacert.pem olcTLSCertificateFile: /usr/local/openldap-2.6.6/cert/demoCA/newcerts/slapd01-server.pem olcTLSCertificateKeyFile: /usr/local/openldap-2.6.6/cert/demoCA/private/slapd01-server-key.pem
The server startup information is as follows:
slapd -4 -F /usr/local/openldap-2.6.6/etc/openldap/slapd.d -h ldap:/// ldaps:/// ldapi:///
Configure the ldap.conf certificate on the client as follows:
TLS_CACERT /usr/local/openldap-2.6.6/cert/demoCA/newcerts/
#######################################################################################################
Server local test failed:
ldapwhoami -H ldaps://slapd.zxactions.com -d 1
The failure information is as follows:
root@openldap-1:/usr/local/openldap-2.6.6/etc/openldap# ldapwhoami -H ldaps://slapd.zxactions.com -d 1 ldap_url_parse_ext(ldaps://slapd.zxactions.com) ldap_create ldap_url_parse_ext(ldaps://slapd.zxactions.com:636/??base) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP slapd.zxactions.com:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.174.128:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS trace: SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:error in error TLS: can't connect: error:0A000410:SSL routines::sslv3 alert handshake failure. ldap_err2string ldap_sasl_interactive_bind: Can't contact LDAP server (-1) additional info: error:0A000410:SSL routines::sslv3 alert handshake failure
#######################################################################################################
Failed to use the openssl tool:
openssl s_client -connect slapd.zxactions.com:636 -debug
The failure information is as follows:
root@openldap-1:/usr/local/openldap-2.6.6/etc/openldap# openssl s_client -connect slapd.zxactions.com:636 -debug CONNECTED(00000003) write to 0x556ccbdb5c40 [0x556ccbdc5b30] (321 bytes => 321 (0x141)) 0000 - 16 03 01 01 3c 01 00 01-38 03 03 1a eb eb eb ad ....<...8....... 0010 - 52 f0 12 36 b2 cd ad 9c-6f c9 de 67 54 13 e3 47 R..6....o..gT..G 0020 - 23 ac 44 5c d9 51 2f d4-a5 0b cf 20 e6 f9 c1 6c #.D.Q/.... ...l 0030 - e5 ce 18 9c ea f1 d6 67-a2 1f 71 3c 78 d4 c6 fb .......g..q<x... 0040 - 25 23 98 bd 38 90 1f 8c-13 94 b1 00 00 3e 13 02 %#..8........>.. 0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa .....,.0........ 0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.' 0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d .g.....9.....3.. 0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 b1 ...=.<.5./...... 0090 - 00 00 00 18 00 16 00 00-13 73 6c 61 70 64 2e 7a .........slapd.z 00a0 - 78 61 63 74 69 6f 6e 73-2e 63 6f 6d 00 0b 00 04 xactions.com.... 00b0 - 03 00 01 02 00 0a 00 16-00 14 00 1d 00 17 00 1e ................ 00c0 - 00 19 00 18 01 00 01 01-01 02 01 03 01 04 00 23 ...............# 00d0 - 00 00 00 16 00 00 00 17-00 00 00 0d 00 2a 00 28 .............*.( 00e0 - 04 03 05 03 06 03 08 07-08 08 08 09 08 0a 08 0b ................ 00f0 - 08 04 08 05 08 06 04 01-05 01 06 01 03 03 03 01 ................ 0100 - 03 02 04 02 05 02 06 02-00 2b 00 05 04 03 04 03 .........+...... 0110 - 03 00 2d 00 02 01 01 00-33 00 26 00 24 00 1d 00 ..-.....3.&.$... 0120 - 20 92 75 81 9c 09 28 95-68 b4 eb b1 9e 2c d5 9b .u...(.h....,.. 0130 - e3 99 13 36 68 87 b5 72-4d d6 3e 60 0f 47 50 db ...6h..rM.>`.GP. 0140 - 15 . read from 0x556ccbdb5c40 [0x556ccbdbc913] (5 bytes => 5 (0x5)) 0000 - 15 03 03 00 02 ..... read from 0x556ccbdb5c40 [0x556ccbdbc918] (2 bytes => 2 (0x2)) 0000 - 02 28 .( 800B77514E7F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 321 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- read from 0x556ccbdb5c40 [0x556ccbd0d650] (8192 bytes => 0)
https://bugs.openldap.org/show_bug.cgi?id=10112
--- Comment #1 from cscowx 228844797@qq.com ---
I can access it using ldap:389
root@openldap-1:/usr/local/openldap-2.6.6/etc/openldap# ldapsearch -x -D "cn=Manager,dc=my-domain,dc=com" -H ldap://slapd.zxactions.com -w 123456 -b "dc=my-domain,dc=com" -d 256 # extended LDIF # # LDAPv3 # base <dc=my-domain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL #
# my-domain.com dn: dc=my-domain,dc=com dc: my-domain o: www.zxactions.com objectClass: dcObject objectClass: organization
# copy of my-domain, my-domain.com dn: ou=copy of my-domain,dc=my-domain,dc=com ou: copy of my-domain objectClass: top objectClass: organizationalUnit
# search result search: 2 result: 0 Success
# numResponses: 3 # numEntries: 2
https://bugs.openldap.org/show_bug.cgi?id=10112
cscowx 228844797@qq.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Summary|We are working with the |We cannot connect to |client that comes with |TLS/SSL ldaps using |openldap and cannot connect |openldap's built-in tools |to TLS/SSL ldaps |
https://bugs.openldap.org/show_bug.cgi?id=10112
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |INVALID
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- The ITS system is for bug reports. Usage questions belong on the openldap-technical list
If you're looking for paid support, see the OpenLDAP support page for a list of vendors that provide it:
https://www.openldap.org/support/
https://bugs.openldap.org/show_bug.cgi?id=10112
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED Keywords|needs_review |
-
openldap-its@openldap.org