It seems like my ldapsearch can't find the get local issuer certificate.
what configuration files tells the ldapsearch of which
certificate to use?
Oh, my certificate and keys and cacert files are good, I've tested them
using the openssl s_server and s_client to get a basic connection.
can someone help me, I don't know what else could be the problem.
here's the log for ldapsearch:
/usr/local/bin/ldapsearch -x -LLL -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_close_socket: 4
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 4
ldap_result ld 60888 msgid 1
ldap_chkResponseList ld 60888 msgid 1 all 1
ldap_chkResponseList returns ld 60888 NULL
wait4msg ld 60888 msgid 1 (infinite timeout)
wait4msg continue ld 60888 msgid 1 all 1
** ld 60888 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Feb 13 20:49:25 2008
** ld 60888 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 60888 Response Queue:
Empty
ldap_chkResponseList ld 60888 msgid 1 all 1
ldap_chkResponseList returns ld 60888 NULL
ldap_int_select
read1msg: ld 60888 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 60888 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 60888 0 new referrals
read1msg: mark request completed, ld 60888 msgid 1
request done: ld 60888 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=ldap1.mylan/emailAddress=abc@mylan, issuer:
/CN=ldap1.mylan/emailAddress=abc@mylan
TLS certificate verification: Error, unable to get local issuer
certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
and here's the server's log for that search
daemon: activity on 1 descriptor
>>> slap_listener(ldap:///)
daemon: listen=8, new connection on 14
daemon: added 14r (active) listener=0
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=6
connection_read(14): checking for input on id=6
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x002094f0 ptr=0x002094f0 end=0x0020950d len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x002094f0 ptr=0x002094f3 end=0x0020950d len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=6
connection_read(14): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
0000: 00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00 ..9..8..5.......
0010: 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00 .......3..2../..
0020: 07 05 00 80 03 00 80 00 00 05 00 00 04 01 00 80 ................
0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 ...........@....
0040: 00 11 00 00 08 00 00 06 04 00 80 00 00 03 02 00 ................
0050: 80 32 4e ca 88 41 1f 3a 73 cd a1 1c 29 73 a6 81 .2N..A.:s...)s..
0060: 8c c5 af c3 af 93 bf 13 4a c7 54 90 b7 82 d2 69 ........J.T....i
0070: 2f /
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=810, written=810
0000: 16 03 01 00 4a 02 00 00 46 03 01 47 b3 58 84 43 ....J...F..G.X.C
0010: c3 a5 64 a9 b5 7c 0b 8b 25 1c d6 e9 ce f2 1f 9b ..d..|..%.......
0020: 82 00 e0 6d 33 e7 e6 44 53 6c 52 20 7d 72 fe 41 ...m3..DSlR
}r.A
0030: 17 4c 96 5c 5c 9c 6b df 32 0d c0 32 45 fe 7b bf .L.\\.k.2..2E.{.
0040: a9 5e 16 4b 62 ec 3b 11 76 6e ee ce 00 35 00 16 .^.Kb.;.vn...5..
0050: 03 01 02 cd 0b 00 02 c9 00 02 c6 00 02 c3 30 82 ..............0.
0060: 02 bf 30 82 02 28 a0 03 02 01 02 02 01 01 30 0d ..0..(........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 30 31 ..*.H........001
0080: 14 30 12 06 03 55 04 03 13 0b 6c 64 61 70 31 2e .0...U....ldap1.
0090: 6d 79 6c 61 6e 31 18 30 16 06 09 2a 86 48 86 f7 mylan1.0...*.H..
00a0: 0d 01 09 01 16 09 61 62 63 40 6d 79 6c 61 6e 30 ......abc@mylan0
00b0: 1e 17 0d 30 38 30 32 31 33 31 36 31 34 32 32 5a ...080213161422Z
00c0: 17 0d 31 38 30 32 31 32 31 36 31 34 32 32 5a 30 ..180212161422Z0
00d0: 30 31 14 30 12 06 03 55 04 03 13 0b 6c 64 61 70 01.0...U....ldap
00e0: 31 2e 6d 79 6c 61 6e 31 18 30 16 06 09 2a 86 48 1.mylan1.0...*.H
00f0: 86 f7 0d 01 09 01 16 09 61 62 63 40 6d 79 6c 61 ........abc@myla
0100: 6e 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 n0..0...*.H.....
0110: 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 ef 80 .......0........
0120: 03 36 0f 1e e0 19 e7 1d 03 a9 cb 13 53 81 d6 f7 .6..........S...
0130: bf b6 e4 1c 84 38 77 bd 85 39 e6 f6 9c 50 70 82 .....8w..9...Pp.
0140: 3e 7e e0 17 e9 86 4f a3 48 8f bb 1a f1 04 92 72 >~....O.H......r
0150: bc 02 a7 dd 97 54 c1 cd 09 bd f8 d8 da 23 04 8e .....T.......#..
0160: e7 77 de 44 f8 54 f9 5e 35 1e 05 50 71 b2 dc 25 .w.D.T.^5..Pq..%
0170: 71 7b e9 48 99 bf 93 a2 07 4e 4e 1f 1f 96 c8 b8 q{.H.....NN.....
0180: 76 21 3b fc c7 60 ab b2 4a 01 2d 8a 15 ee af e7 v!;..`..J.-.....
0190: 76 4e 50 1b 61 8f 5c a1 b3 07 4a cc 82 43 02 03 vNP.a.\...J..C..
01a0: 01 00 01 a3 81 e8 30 81 e5 30 09 06 03 55 1d 13 ......0..0...U..
01b0: 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01 ..0.0,..`.H...B.
01c0: 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e .....OpenSSL
Gen
01d0: 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 erated
Certifica
01e0: 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 18 e5 ab te0...U.........
01f0: 2a 99 96 50 78 35 71 52 a6 ad 1f 8a 53 c6 72 cd *..Px5qR....S.r.
0200: dc 30 60 06 03 55 1d 23 04 59 30 57 80 14 25 ba .0`..U.#.Y0W..%.
0210: f3 49 07 88 d2 aa 76 2f 59 fc f0 bb 08 6d b5 17 .I....v/Y....m..
0220: f3 e8 a1 34 a4 32 30 30 31 14 30 12 06 03 55 04 ...4.2001.0...U.
0230: 03 13 0b 6c 64 61 70 31 2e 6d 79 6c 61 6e 31 18 ...ldap1.mylan1.
0240: 30 16 06 09 2a 86 48 86 f7 0d 01 09 01 16 09 61 0...*.H........a
0250: 62 63 40 6d 79 6c 61 6e 82 09 00 8e 0f 59 9d 05 bc@mylan.....Y..
0260: 90 4f f0 30 29 06 03 55 1d 11 04 22 30 20 82 0a .O.0)..U..."0
..
0270: 6c 64 61 70 2e 6d 79 6c 61 6e 82 12 6c 6f 61 64 ldap.mylan..load
0280: 62 61 6c 61 6e 63 65 72 2e 6d 79 6c 61 6e 30 0d balancer.mylan0.
0290: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 81 ..*.H...........
02a0: 00 89 b9 5b c0 9e 57 39 32 c0 55 79 d6 dd cd 55 ...[..W92.Uy...U
02b0: 2f 6c a4 7e 96 96 f8 f2 51 38 85 35 f1 a9 42 45 /l.~....Q8.5..BE
02c0: b8 f7 e4 a8 68 46 43 c5 5a d8 74 3e e8 a1 f3 25 ....hFC.Z.t>...%
02d0: a7 57 2c bd 0c a2 5d f3 ae 19 57 f6 13 f1 07 2f .W,...]...W..../
02e0: df da 39 85 bd 0f 60 7b 98 52 8b ae 5d 7a 1a c5 ..9...`{.R..]z..
02f0: 59 b5 6f 49 74 05 87 5f a4 72 49 7d 59 79 da 97 Y.oIt.._.rI}Yy..
0300: 5d 01 9c e2 fb b5 42 21 19 f6 9a ef 05 5e cb 8b ].....B!.....^..
0310: e4 b3 2a 7f f2 5e 87 73 23 ed c0 31 78 53 7e 18 ..*..^.s#..1xS~.
0320: 39 16 03 01 00 04 0e 00 00 00 9.........
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1053
connection_read(14): TLS accept failure error=-1 id=6, closing
connection_closing: readying conn=6 sd=14 for close
connection_close: conn=6 sd=14
daemon: removing 14
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
>>>>>>>>>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Thanks,
Vinh
Vinh CTR Hoang/ACT/CNTR/FAA@FAA
Sent by: openldap-technical-bounces+vinh.ctr.hoang=faa.gov(a)OpenLDAP.org
02/12/2008 05:27 PM
To
openldap-technical(a)openldap.org
cc
Subject
SSL Help
Hi, I'm having some troubles with openldap w/ TLS.
I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving be back
"SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
On the server side log I'm getting:
TLS trace: SSL3 alert read: fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1053
I've tried and tested my ssl connection using:
openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile
/usr/local/etc/openldap/cacert.pem
and that works, althought if I use "TLSVerifyClient demand" in slapd.conf,
the server will reject the connection
saying that the client didn't send the certificate.
I also tried the client authentication ssl test and the works w/ and w/o
the TLSVerifyClient demand option:
openssl s_client -connect ldap1.mylan:636 -state \
-CAfile /usr/local/etc/openldap/cacert.pem \
-cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \
-key /usr/local/etc/openldap/slapd-key-ldap1.pem
Does any know what i'm doing wrong?
Here are the tls part of my configs:
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....
ldap.conf
BASE dc=mylan
HOST ldap1.mylan
#URI ldaps://127.0.0.1:636
TLS_CACERT /usr/local/etc/openldap/cacert.pem
.....
/etc/ldap.conf
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search base.
#base dc=caplan,dc=org
base dc=mylan
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
host ldap1.mylan
#uri ldap://127.0.0.1/
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=NonAnon,dc=caplan,dc=org
# The credentials to bind with.
# Optional: default is no credential.
#bindpw SeCrEt
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=root,dc=padl,dc=com
# The port.
# Optional: default is 389.
port 389
..
...
..
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Thanks,
Vinh