I am trying to get a basic TLS connection working on my Linux server using OpenLDAP and the ldapsearch command, but it does not connect with TLS.
I've created an SSL certificate with the usual command: openssl req -new -x509 -nodes -out ldcert.pem -keyout ldkey.pem -days 3650
I've added the requisite lines to slapd.conf (TLSCertificateFile TLSCertificateKeyFile) and to ldap.conf (TLS_CACERT) (since my certificate is self-signed).
I've started the OpenLDAP server with the command: slapd -d 10
If I issue the command: ldapsearch -x -b 'dc=com' -H 'ldap://localhost/' -D 'uid=root' -W -v then everything works and I see a list of all the directory entries in the server.
However, if I issue the same command except with the -ZZ option to use TLS: ldapsearch -x -b 'dc=com' -H 'ldap://localhost/' -D 'uid=root' -W -v -ZZ then I get an error that reads: ldap_start_tls: Connect error (-11)
So I analyzed the debug log coming from the server (during the ldapsearch ... -ZZ command) and I get the debug log below (I've snipped out the actual buffer exchanges for brevity). As you can see, it goes through several handshakes successfully, but then suddenly the server is looking for more data but the client doesn't send it, so the server closes the connection.
Can someone please help me analyze this problem so I can get this working? LDAP 2.4.12, OpenSSL 0.9.8i. Thank you in advance for any advice you can offer me.
-Eric
slap_listener_activate(8):
slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x83881e8 ptr=0x83881e8 end=0x8388205 len=29
  0000:  02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34   ...w...1.3.6.1.4
  0010:  2e 31 2e 31 34 36 36 2e 32 30 30 33 37            .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=0 op=0 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x83881e8 ptr=0x83881eb end=0x8388205 len=26
  0000:  77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30 33 37                     1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 12
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00         0....x........
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 7a 01 03 01 00 51 00 00 00 20                  .z....Q...
tls_read: want=113, got=113
<... snip ...>
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1105, written=1105
<... snip ...>
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
  0000:  16 03 01 01 06                                    .....
tls_read: want=262, got=262
<... snip ...>
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                    .....
tls_read: want=1, got=1
  0000:  01                                                .
tls_read: want=5, got=5
  0000:  16 03 01 00 30                                    ....0
tls_read: want=48, got=48
<... snip ...>
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=59, written=59
<... snip ...>
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
tls_read: want=5, got=0
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
--
Eric Johanson
Principal Software Engineer
Newpoint Technologies, Inc.
Did you set up TLS certs in your ldap.conf for your client too?
Quoting Eric Johanson epj@newpointtech.com:
openldap-software@openldap.org
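Following up on the reply's question about the client's ldap.conf: an added diagnostic script (not from the thread) that checks the client-side pieces that make ldapsearch -ZZ drop a connection the server's log shows as fully handshaken. It assumes the client ldap.conf path, the host given to -H and the server certificate (the post's ldcert.pem) are passed as arguments; the function names are mine, and the ldapsearch -d 1 hint at the end uses libldap's standard debug flag.

```sh
#!/bin/sh
# Client-side StartTLS sanity check (added example, not from the thread).
# Assumptions: $1 is the client ldap.conf (where the post's TLS_CACERT line
# lives), $2 is the host passed to ldapsearch -H, optional $3 is the server
# certificate file (the post's ldcert.pem).

# Print the value of one ldap.conf directive (case-insensitive, comments skipped).
ldap_conf_get() {   # usage: ldap_conf_get FILE DIRECTIVE
    awk -v key="$2" '$1 !~ /^#/ && toupper($1) == toupper(key) { print $2; exit }' "$1"
}

# Verify the trust anchor the client will use. libldap's default TLS_REQCERT is
# "demand", so a self-signed server cert needs a readable TLS_CACERT; otherwise
# the client tears the session down right after the handshake, as in the log.
check_client_tls() {   # usage: check_client_tls FILE; returns 0 if usable
    cacert=$(ldap_conf_get "$1" TLS_CACERT)
    reqcert=$(ldap_conf_get "$1" TLS_REQCERT)
    [ -n "$reqcert" ] || reqcert=demand
    if [ -z "$cacert" ]; then
        echo "no TLS_CACERT in $1; with TLS_REQCERT $reqcert a self-signed cert is rejected"
        return 1
    elif [ ! -r "$cacert" ]; then
        echo "TLS_CACERT $cacert is not readable by this user"
        return 1
    fi
    echo "TLS_CACERT=$cacert TLS_REQCERT=$reqcert"
}

# The host from -H must appear as the CN or a DNS SAN of the server cert, and
# the cert must verify against TLS_CACERT (for a self-signed cert: the same file).
check_server_cert() {  # usage: check_server_cert CERT HOST CAFILE
    openssl x509 -in "$1" -noout -text | grep -Eq "(CN ?= ?|DNS:)$2([, /]|$)" \
        || { echo "cert $1 carries no name matching $2"; return 1; }
    openssl verify -CAfile "$3" "$1" >/dev/null || return 1
    echo "cert $1 matches $2 and verifies against $3"
}

if [ $# -ge 2 ]; then
    check_client_tls "$1" || exit 1
    if [ -n "$3" ]; then
        check_server_cert "$3" "$2" "$(ldap_conf_get "$1" TLS_CACERT)" || exit 1
    fi
    echo "next: ldapsearch -x -H ldap://$2/ -ZZ -d 1   # shows the client-side TLS reason"
fi
```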