Re: Ambiguous SSL/TLS error messages from slapd

List overview All Threads
Download

newer

older

Replicated cluster reindexing and...

pass through authentication problem

Brian A. Seklecki (CFI NOC)

18 Feb 2010 18 Feb '10

3:15 p.m.

Steve, I agree:

This error gets printed with "-1" under too many conditions. Just look at: libraries/libldap/tls2.c::ldap_pvt_tls_set_option()

RC Return Code -1 could happen in about a dozen places.

I think we need to take a two step approach to fixing this:

1) Long term, implement OpenSSL's err(3) 2) Short term, in servers/slapd/main.c:

Debug( LDAP_DEBUG_ANY, "main: TLS init def ctx failed: %d\n", rc, 0, 0 );

We should change / append to this to clarify:

if (rc < 0) Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n",rc,0,0);

if (rc > 0) Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we err(3) support\n",rc,0,0);

I will submit a patch.

~BAS

Show replies by date

Howard Chu

19 Feb 19 Feb

8:51 a.m.

New subject: Ambiguous SSL/TLS error messages from slapd

Brian A. Seklecki (CFI NOC) wrote:

...

Steve, I agree:

This error gets printed with "-1" under too many
conditions.  Just look at:
   libraries/libldap/tls2.c::ldap_pvt_tls_set_option()

RC Return Code -1 could happen in about a dozen places.

I think we need to take a two step approach to fixing this:

1) Long term, implement OpenSSL's err(3)

What are you talking about? tlso_report_error() already prints the OpenSSL error messages. All OpenSSL error messages have been fully logged, for years.

...

2) Short term, in servers/slapd/main.c:

 Debug( LDAP_DEBUG_ANY,
   "main: TLS init def ctx failed: %d\n",
      rc, 0, 0 );

We should change / append to this to clarify:

  if (rc<  0)
Debug( LDAP_DEBUG_ANY, "main: something has gone terribly wrong in creation of the SSL data structure. Check filesystem permissions, ownership bits, ACLs, configuration file paths. Resort to strace(1)/ktrace(1) debugging.\n",rc,0,0);
 if (rc>  0)
Debug( LDAP_DEBUG_ANY, "main: something has gone wrong in creation of the SSL socket data structure. Please check the OpenSSL error code above against: /usr/include/openssl/ssl until we err(3) support\n",rc,0,0);

Pointless, since all failures inside init_ctx already call tlso_report_error().

-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Steve Polyack

10:41 a.m.

New subject: Ambiguous SSL/TLS error messages from slapd

On 02/19/10 11:51, Howard Chu wrote:

...

Brian A. Seklecki (CFI NOC) wrote:

...

Steve, I agree:

This error gets printed with "-1" under too many
conditions.  Just look at:
   libraries/libldap/tls2.c::ldap_pvt_tls_set_option()

RC Return Code -1 could happen in about a dozen places.

I think we need to take a two step approach to fixing this:

1) Long term, implement OpenSSL's err(3)

What are you talking about? tlso_report_error() already prints the OpenSSL error messages. All OpenSSL error messages have been fully logged, for years.

...

2) Short term, in servers/slapd/main.c:

 Debug( LDAP_DEBUG_ANY,
   "main: TLS init def ctx failed: %d\n",
      rc, 0, 0 );

We should change / append to this to clarify:

  if (rc<  0)
Debug( LDAP_DEBUG_ANY, "main: something has gone terribly
        wrong in creation of the SSL data structure.  Check
        filesystem permissions, ownership bits, ACLs, configuration
        file paths.  Resort to strace(1)/ktrace(1)
         debugging.\n",rc,0,0);

 if (rc>  0)
Debug( LDAP_DEBUG_ANY, "main: something has gone wrong
        in creation of the SSL socket data structure.  Please
        check the OpenSSL error code above against:
        /usr/include/openssl/ssl until we err(3) support\n",rc,0,0);

Pointless, since all failures inside init_ctx already call tlso_report_error().

Great, however it doesn't change the fact that no meaningful error is being reported:

(slapd runs as the user ldap) # chown root certs/ldap.key.pem # ls -la certs/ldap.key.pem -r-------- 1 root wheel 1679 Feb 19 18:29 certs/ldap.key.pem # /usr/local/etc/rc.d/slapd start Starting slapd. Feb 19 18:36:45 slapd[85526]: @(#) $OpenLDAP: slapd 2.4.21 (Jan 11 2010 22:02:31) $ root@:/var/ports/usr/ports/net/openldap24-server/work/openldap-2.4.21/servers/slapd Feb 19 18:36:45 slapd[85526]: line 33 (modulepath /usr/local/libexec/openldap) Feb 19 18:36:45 slapd[85526]: line 34 (moduleload back_bdb) Feb 19 18:36:45 slapd[85526]: loaded module back_bdb Feb 19 18:36:45 slapd[85526]: module back_bdb: null module registered Feb 19 18:36:45 slapd[85526]: line 35 (moduleload back_ldap) Feb 19 18:36:45 slapd[85526]: loaded module back_ldap Feb 19 18:36:45 slapd[85526]: module back_ldap: null module registered Feb 19 18:36:45 slapd[85526]: line 38 (disallow bind_anon) Feb 19 18:36:45 slapd[85526]: line 59 (database bdb) Feb 19 18:36:45 slapd[85526]: line 60 (suffix "dc=xxxxxxxx,dc=com") Feb 19 18:36:45 slapd[85526]: line 61 (rootdn "cn=xxx,dc=xxxxxxxx,dc=com") Feb 19 18:36:45 slapd[85526]: line 66 (rootpw ***) Feb 19 18:36:45 slapd[85526]: line 71 (TLSCipherSuite HIGH:MEDIUM:+SSLv2) Feb 19 18:36:45 slapd[85526]: line 72 (TLSVerifyClient allow) Feb 19 18:36:45 slapd[85526]: line 76 (TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem) Feb 19 18:36:45 slapd[85526]: line 80 (TLSCertificateFile /usr/local/etc/openldap/certs/ldap.crt.pem) Feb 19 18:36:45 slapd[85526]: line 81 (TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldap.key.pem) Feb 19 18:36:45 slapd[85526]: line 86 (directory /var/db/openldap-data) Feb 19 18:36:45 slapd[85526]: line 89 (index objectClass,entryCSN,entryUUID eq) Feb 19 18:36:45 slapd[85526]: index objectClass 0x0004 Feb 19 18:36:45 slapd[85526]: index entryCSN 0x0004 Feb 19 18:36:45 slapd[85526]: index entryUUID 0x0004 Feb 19 18:36:45 slapd[85526]: main: TLS init def ctx failed: -1 Feb 19 18:36:45 slapd[85526]: slapd stopped. Feb 19 18:36:45 slapd[85526]: connections_destroy: nothing to destroy.

# chown ldap certs/ldap.key.pem # /usr/local/etc/rc.d/slapd start Starting slapd. Feb 19 18:37:49 slapd[85545]: @(#) $OpenLDAP: slapd 2.4.21 (Jan 11 2010 22:02:31) $ root@:/var/ports/usr/ports/net/openldap24-server/work/openldap-2.4.21/servers/slapd Feb 19 18:37:49 slapd[85545]: line 33 (modulepath /usr/local/libexec/openldap) Feb 19 18:37:49 slapd[85545]: line 34 (moduleload back_bdb) Feb 19 18:37:49 slapd[85545]: loaded module back_bdb Feb 19 18:37:49 slapd[85545]: module back_bdb: null module registered Feb 19 18:37:49 slapd[85545]: line 35 (moduleload back_ldap) Feb 19 18:37:49 slapd[85545]: loaded module back_ldap Feb 19 18:37:49 slapd[85545]: module back_ldap: null module registered Feb 19 18:37:49 slapd[85545]: line 38 (disallow bind_anon) Feb 19 18:37:49 slapd[85545]: line 59 (database bdb) Feb 19 18:37:49 slapd[85545]: line 60 (suffix "dc=xxxxxxxx,dc=com") Feb 19 18:37:49 slapd[85545]: line 61 (rootdn "cn=xxx,dc=xxxxxxxx,dc=com") Feb 19 18:37:49 slapd[85545]: line 66 (rootpw ***) Feb 19 18:37:49 slapd[85545]: line 71 (TLSCipherSuite HIGH:MEDIUM:+SSLv2) Feb 19 18:37:49 slapd[85545]: line 72 (TLSVerifyClient allow) Feb 19 18:37:49 slapd[85545]: line 76 (TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem) Feb 19 18:37:49 slapd[85545]: line 80 (TLSCertificateFile /usr/local/etc/openldap/certs/ldap.crt.pem) Feb 19 18:37:49 slapd[85545]: line 81 (TLSCertificateKeyFile /usr/local/etc/openldap/certs/ldap.key.pem) Feb 19 18:37:49 slapd[85545]: line 86 (directory /var/db/openldap-data) Feb 19 18:37:49 slapd[85545]: line 89 (index objectClass,entryCSN,entryUUID eq) Feb 19 18:37:49 slapd[85545]: index objectClass 0x0004 Feb 19 18:37:49 slapd[85545]: index entryCSN 0x0004 Feb 19 18:37:49 slapd[85545]: index entryUUID 0x0004 Feb 19 18:37:50 slapd[85546]: bdb_db_open: "dc=xxxxxxxx,dc=com" Feb 19 18:37:50 slapd[85546]: slapd starting Feb 19 18:37:50 slapd[85546]: daemon: added 4r listener=0x0 Feb 19 18:37:50 slapd[85546]: daemon: added 6r listener=0x801839180 Feb 19 18:37:50 slapd[85546]: daemon: added 7r listener=0x801839240 Feb 19 18:37:50 slapd[85546]: daemon: select: listen=6 active_threads=0 tvp=NULL Feb 19 18:37:50 slapd[85546]: daemon: select: listen=7 active_threads=0 tvp=NULL Feb 19 18:37:50 slapd[85546]: daemon: activity on 1 descriptor Feb 19 18:37:50 slapd[85546]: daemon: waked Feb 19 18:37:50 slapd[85546]: daemon: select: listen=6 active_threads=0 tvp=NULL Feb 19 18:37:50 slapd[85546]: daemon: select: listen=7 active_threads=0 tvp=NULL

Any suggestions on getting these errors to actually print?

masarati＠aero.polimi.it

1:03 p.m.

New subject: Ambiguous SSL/TLS error messages from slapd

...

Any suggestions on getting these errors to actually print?

$ slapd -d stats @(#) $OpenLDAP: slapd 2.X (Feb 12 2010 08:50:42) $ masarati@mbdyn-nb.aero.polimi.it:/home/masarati/Lavoro/masarati/Ldap/ldap-devel/servers/slapd TLS: could not use certificate `noaccess/cert.crt'. TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:352 TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354 TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib ssl_rsa.c:470 main: TLS init def ctx failed: -1 slapd stopped. connections_destroy: nothing to destroy.

Something like this?

Steve Polyack

1:29 p.m.

New subject: Ambiguous SSL/TLS error messages from slapd

On 2/19/2010 4:03 PM, masarati@aero.polimi.it wrote:

...

...
Any suggestions on getting these errors to actually print?

$ slapd -d stats @(#) $OpenLDAP: slapd 2.X (Feb 12 2010 08:50:42) $ masarati@mbdyn-nb.aero.polimi.it:/home/masarati/Lavoro/masarati/Ldap/ldap-devel/servers/slapd TLS: could not use certificate `noaccess/cert.crt'. TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:352 TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354 TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib ssl_rsa.c:470 main: TLS init def ctx failed: -1 slapd stopped. connections_destroy: nothing to destroy.

Something like this?

p.

Thank you. This is exactly what I was looking for. The problem in my case is that these errors go to stdout and are not logged via syslog. Even with full debugging turned on, you will see no such errors printed to logs, although all the other data is. This doesn't jive well with many systems in which the daemons are started via scripts (FreeBSD / NetBSD rc.d, linux init.d) in which daemon output to stdout is often lost.

masarati＠aero.polimi.it

1:15 p.m.

New subject: Ambiguous SSL/TLS error messages from slapd

...

Brian A. Seklecki (CFI NOC) wrote:

...
Steve, I agree:
This error gets printed with "-1" under too many
conditions.  Just look at:
   libraries/libldap/tls2.c::ldap_pvt_tls_set_option()

RC Return Code -1 could happen in about a dozen places.

I think we need to take a two step approach to fixing this:

1) Long term, implement OpenSSL's err(3)
What are you talking about? tlso_report_error() already prints the OpenSSL error messages. All OpenSSL error messages have been fully logged, for years.

I think I see the issue: tlso_report_error() uses libldap's Debug(), which does not hit syslog. We only see TLS logs with -d stats.

5178

Age (days ago)

5179

Last active (days ago)

openldap-software@openldap.org

5 comments

4 participants

tags (0)

participants (4)

Brian A. Seklecki (CFI NOC)
Howard Chu
masarati＠aero.polimi.it
Steve Polyack