Howard,
I use OpenSuse 10.2 with libldap-2.3.so.0.2.15, and if I have an empty ~/.ldaprc file, ldap_start_tls_s comes back with error -11 (Connect error):
ldap_int_select
read1msg: ld 0x8054608 msgid 1 all 1
read1msg: ld 0x8054608 msgid 1 message type extended-result
read1msg: ld 0x8054608 0 new referrals
read1msg: mark request completed, ld 0x8054608 msgid 1
request done: ld 0x8054608 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error while setting start_tls for ldap server: Connect error(-11)
ldap_free_connection 1 1
ldap_send_unbind
When I add tls_reqcert allow to ~/.ldaprc I get:
ldap_int_select
read1msg: ld 0x8054608 msgid 1 all 1
read1msg: ld 0x8054608 msgid 1 message type extended-result
read1msg: ld 0x8054608 0 new referrals
read1msg: mark request completed, ld 0x8054608 msgid 1
request done: ld 0x8054608 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ldap_parse_result
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, certificate not trusted
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to verify the first certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
Successfully set up TLS protected connection to ldap server w2k3.windows2003.home:389
So, this setting definitely does something!!
Regards Markus
----- Original Message -----
From: "Howard Chu" <hyc@symas.com>
Newsgroups: gmane.network.openldap.general
To: "Markus Moeller" <huaraz@moeller.plus.com>
Cc: openldap-software@openldap.org
Sent: Tuesday, June 19, 2007 12:33 AM
Subject: Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
Markus Moeller wrote:
But it is allowed to be set in ldap.conf,
That doesn't necessarily mean anything. Lots of things can be set in ldap.conf that don't mean anything at all, since the parser ignores any keywords it doesn't recognize.
What evidence do you have that this particular setting actually does anything? A quick scan of the source code proves that it actually does nothing.
So why can't I, or shouldn't I be able to, set it in my client without the pain of checking all the different config files (ldap.conf, .ldaprc, ldaprc, ...)? I'd like to be able to control my client options without the use of config files.
Go ahead and do that then. But don't waste time with options that don't actually have any meaning.
Regards Markus
----- Original Message -----
From: "Howard Chu" <hyc@symas.com>
To: "Markus Moeller" <huaraz@moeller.plus.com>
Cc: openldap-software@openldap.org
Sent: Tuesday, June 19, 2007 12:01 AM
Subject: Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
Markus Moeller wrote:
Does anybody have some sample code of how to use LDAP_OPT_X_TLS_ALLOW in a client program with ldap_start_tls_s ? Is it a bug if it doesn't work ?
The LDAP_OPT_X_TLS option is incompatible with ldap_start_tls. You cannot use both together. In general, the LDAP_OPT_X_TLS option is deprecated and should not be used at all.
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Markus Moeller wrote:
Howard,
I use OpenSuse 10.2 with libldap-2.3.so.0.2.15, and if I have an empty ~/.ldaprc file, ldap_start_tls_s comes back with error -11 (Connect error):
LDAP_OPT_X_TLS is not the same as LDAP_OPT_X_TLS_REQUIRE_CERT.
By default, certificate checking is enforced, and you must supply a valid CA cert, just like it says in the manpages and the Admin Guide.
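The two debug traces Markus posted make the security difference visible: with the default setting the handshake is refused at the first verification error, while with tls_reqcert allow the client logs the same errors and then reports a protected connection anyway. The following Python is an added example, not code from the thread or from OpenLDAP; it reads libldap debug output and flags a session that came up despite failed certificate checks. The sample traces are constructed by condensing the ones above, and the error-code names are the standard OpenSSL X509 verify results behind those messages.

```python
import re

# OpenSSL X509 verify result codes seen in libldap's "TLS certificate verification" lines.
VERIFY_ERRORS = {20: "unable to get local issuer certificate",
                 21: "unable to verify the first certificate",
                 27: "certificate not trusted"}
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                       r"subject: (\S+), issuer: (\S+)")
ESTABLISHED = "Successfully set up TLS protected connection"

# Constructed samples, condensed from the two traces posted in the thread (default
# settings first, then tls_reqcert allow). libldap prints one record per line.
REFUSED_TRACE = """TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect."""
ALLOW_TRACE = """TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA
TLS: unable to get peer certificate.
Successfully set up TLS protected connection to ldap server w2k3.windows2003.home:389"""

def verify_errors(trace: str) -> list:
    """Every failed certificate check as (depth, code, subject, issuer), in handshake order.
    Works on line-broken output and on a trace flattened onto a single line."""
    return [(int(d), int(c), s, i) for d, c, s, i in VERIFY_RE.findall(trace) if int(c) != 0]

def classify(trace: str) -> str:
    """'refused': verification enforced and the handshake aborted (the default, TLS_REQCERT
    demand). 'verified': connected with a clean chain. 'unverified': connected although the
    peer certificate failed verification, which is what TLS_REQCERT allow (LDAP_OPT_X_TLS_ALLOW)
    permits and what leaves the session open to an impersonating server."""
    if ESTABLISHED not in trace:
        return "refused"
    return "unverified" if verify_errors(trace) else "verified"

def error_names(trace: str) -> list:
    """Readable names for the codes, for reporting."""
    return [VERIFY_ERRORS.get(c, f"error {c}") for _, c, _, _ in verify_errors(trace)]

if __name__ == "__main__":
    for name, trace in (("default", REFUSED_TRACE), ("tls_reqcert allow", ALLOW_TRACE)):
        print(f"{name}: {classify(trace)} {error_names(trace)}")
```

Run against a client's `-d` output, an "unverified" result is the signal that the CA certificate (TLS_CACERT / LDAP_OPT_X_TLS_CACERTFILE) is missing or wrong and that the connection is being trusted without proof of the server's identity.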
Now I see my error. I used a wrong option/value pair. LDAP_OPT_X_TLS_ALLOW belongs to the LDAP_OPT_X_TLS_REQUIRE_CERT option; LDAP_OPT_X_TLS is not, as I had understood, generic for all TLS options.
Thank you
Markus
----- Original Message -----
From: "Howard Chu" <hyc@symas.com>
To: "Markus Moeller" <huaraz@moeller.plus.com>
Cc: openldap-software@openldap.org
Sent: Tuesday, June 19, 2007 1:50 AM
Subject: Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
Markus Moeller wrote:
Howard,
I use OpenSuse 10.2 with libldap-2.3.so.0.2.15, and if I have an empty ~/.ldaprc file, ldap_start_tls_s comes back with error -11 (Connect error):
LDAP_OPT_X_TLS is not the same as LDAP_OPT_X_TLS_REQUIRE_CERT.
By default, certificate checking is enforced, and you must supply a valid CA cert, just like it says in the manpages and the Admin Guide.
openldap-software@openldap.org