Hello,
I have a strange behaviour regarding TLS encryption with an LDAP server. Everything works like a charm for a while, and then, without any sign, the server stops responding to TLS traffic. As the server is partially open to the internet, I force TLS, so it is very annoying for us.
I have changed a lot of parameters and already read several threads about that (more specifically, the one with exactly the same error message as mine, where it was solved by specifying the same ciphers in slapd.conf and ldap.conf, but it doesn't work for me ...)
You will find all my parameters below; I hope I have forgotten nothing. I can provide more log files with and without the problem on demand.
The ldap server is used by apache, postfix, saslauthd, pam_ldap, nss_ldap ...
Thanks in advance if someone can find a solution for me !!!
Best regards
Denis Sacchet
===================
Here is all the information I can give you :
@(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 05:43:02) $
on a Debian Etch server, here are the link information for slapd:
        linux-gate.so.1 => (0xffffe000)
        libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f41000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f35000)
        libiodbc.so.2 => /usr/lib/libiodbc.so.2 (0xb7eed000)
        libslp.so.1 => /usr/lib/libslp.so.1 (0xb7ede000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ec8000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e89000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d4f000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d21000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7d0d000)
        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7cfb000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0xb7cf4000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7cec000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bbb000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7bb7000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7ba0000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7b8c000)
        /lib/ld-linux.so.2 (0xb7f88000)
The same for ldapsearch :
        linux-gate.so.1 => (0xffffe000)
        libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb7f8d000)
        liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f81000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f6a000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f2b000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7df1000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7dc3000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7db0000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c7f000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c7a000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7c66000)
        /lib/ld-linux.so.2 (0xb7fca000)
A part of my slapd.conf (no acl, no pass :) ) :
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/rfc2307bis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/mozillaabpersonalpha.schema
include         /etc/ldap/schema/evolutionperson.schema
include         /etc/ldap/schema/ouba.schema
include         /etc/ldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      smbk5pwd
backend         bdb
checkpoint      512 30

sizelimit       500
tool-threads    1

security        ssf=128
disallow        bind_anon
password-hash   {SHA}

TLSCACertificateFile    /etc/ssl/certs/<hiddendomain>.pem
TLSCertificateFile      /etc/ldap/ssl/ldap.<hiddendomain>.com.crt
TLSCertificateKeyFile   /etc/ldap/ssl/ldap.<hiddendomain>.com.key
TLSCipherSuite          ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSVerifyClient         never
TLSCRLCheck             none
TLSRandFile             /dev/hwrng

loglevel        any

#######################################################################
# <hiddendomain>.com database
database        bdb
overlay         smbk5pwd
suffix          "dc=<hiddendomain>,dc=com"
rootdn          "cn=Manager,dc=<hiddendomain>,dc=com"
directory       "/var/lib/ldap/<hiddendomain>.com"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
index           uid uidNumber memberUid gidNumber service
lastmod         on
replogfile      /var/lib/ldap/<hiddendomain>.com/replog
My ldap.conf file :
TLS_CACERT      /etc/ssl/certs/<hiddendomain>.pem
TLSCipherSuite  ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP

BASE    dc=<hiddendomain>, dc=com
URI     ldap://ldap.<hiddendomain>.com:389
A trace of ldapsearch when there is the problem :
ldapsearch -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)"
ldap_create
ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 88.191.47.236:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x8057558 msgid 1
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
wait4msg ld 0x8057558 msgid 1 (infinite timeout)
wait4msg continue ld 0x8057558 msgid 1 all 1
** ld 0x8057558 Connections:
* host: ldap.<hiddendomain>.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 10 08:21:46 2007

** ld 0x8057558 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8057558 Response Queue:
   Empty
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
ldap_int_select
read1msg: ld 0x8057558 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x8057558 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8057558 0 new referrals
read1msg:  mark request completed, ld 0x8057558 msgid 1
request done: ld 0x8057558 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com
TLS certificate verification: depth: 0, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
The same just after a fresh restart :
# ldapsearch -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)"
ldap_create
ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 88.191.47.236:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x8057558 msgid 1
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
wait4msg ld 0x8057558 msgid 1 (infinite timeout)
wait4msg continue ld 0x8057558 msgid 1 all 1
** ld 0x8057558 Connections:
* host: ldap.<hiddendomain>.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Dec 10 08:22:20 2007

** ld 0x8057558 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8057558 Response Queue:
   Empty
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
ldap_int_select
read1msg: ld 0x8057558 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x8057558 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8057558 0 new referrals
read1msg:  mark request completed, ld 0x8057558 msgid 1
request done: ld 0x8057558 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com
TLS certificate verification: depth: 0, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
Enter LDAP Password: