TLS Configuration - "unable to get TLS client DN, error=49"

1 Aug 2008


      Hi.  We're trying to configure a basic SSL (TLS) connection through
OpenLDAP version 2.4.6.  We're using Linux, Debian Version 4.0 ('etch')
INTEL.
The pertinent info...
slapd.conf
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
pidfile	/usr/local/var/run/slapd.pid
argsfile	/usr/local/var/run/slapd.args
loglevel -1
logfile /usr/local/var/openldap-data/logb
TLSCACertificateFile           /home/bwaldorf/certs/1024pcert.pem
TLSCertificateFile             /home/bwaldorf/certs/1024pcert.pem
TLSCertificateKeyFile          /home/bwaldorf/certs/1024pkey.pem
TLSCipherSuite                 DES-CBC-SHA
TLSVerifyClient                never
#TLSRandFile
#TLSEphemeralDHParamFile
#######################################################################
# BDB database definitions
#######################################################################
database    bdb
suffix		"o=replDB"
rootdn      "cn=replman,o=replDB"
rootpw            password
timelimit      1
idletimeout    4
access to attrs=userPassword
      by self write
      by anonymous auth
      by * none
access to *
      by self write
      by * read
directory	/usr/local/var/openldap-data
index sn,mail,uid,title eq
ldap.conf
TLS_CACERT     /home/bwaldorf/certs/1024pcert.pem
TLS_CERT       /home/bwaldorf/certs/1024pcert.pem
TLS_KEY        /home/bwaldorf/certs/1024pkey.pem
So we try the following search (-ZZ to force the command to be
successful)...
ldapsearch -x -D "cn=replman,o=replDB" -w password -b "o=replDB1" -ZZ
And we get the following output (below) with -d -1... (sorry for the
excessive messages).
Looks like the problem is...
"connection_read(13): unable to get TLS client DN, error=49 id=5"
I did some googling for this error, but never found a thread with a
cause/solution.
Thanks in advance for your time and help!
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 busy
...
...
...
slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: listen=8, new connection on 13
daemon: activity on:daemon: added 13r (active) listener=(nil)
conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389))
daemon: epoll: listen=7 active_threads=1 tvp=zero.
daemon: epoll: listen=8 active_threads=1 tvp=zero.
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero.
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero.
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34
36   .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37                               6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fc8 end=0xa0c11fe5 len=29.
  0000:  02 01 01 77 18 80 16 31  2e 33 2e 36 2e 31 2e
34   ...w...1.3.6.1.4
  0010:  2e 31 2e 31 34 36 36 2e  32 30 30 33 37            .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=5 op=0 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fcb end=0xa0c11fe5 len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e
w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
conn=5 op=0 EXT oid=1.3.6.1.4.1.1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
daemon: activity on 1 descriptor
conn=5 op=0 STARTTLS
daemon: activity on:send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
daemon: epoll: listen=7 active_threads=1 tvp=zero
ber_flush2: 14 bytes to sd 13
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........
conn=5 op=0 RESULT oid= err=0 text=
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 74 01 03 01 00 4b 00  00 00 20                  .t....K.......
tls_read: want=107, got=107
  0000:  00 00 39 00 00 38 00 00  35 00 00 16 00 00 13
00   ..9..8..5.......
  0010:  00 0a 07 00 c0 00 00 33  00 00 32 00 00 2f 03
00   .......3..2../..
  0020:  80 00 00 05 00 00 04 01  00 80 00 00 15 00 00
12   ................
  0030:  00 00 09 06 00 40 00 00  14 00 00 11 00 00 08
00   .....@..........
  0040:  00 06 04 00 80 00 00 03  02 00 80 15 2d dd 5d
9a   ............-.].
  0050:  f5 29 55 3b 15 f2 e5 47  18 9c 22 f2 7d 07 51
72   .)U;...G..".}.Qr
  0060:  60 1f 38 61 8d 9a e7 67  2a 5e 9e                  `.8a...g*^..}.
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=985, written=985
  0000:  16 03 01 00 4a 02 00 00  46 03 01 48 92 1d e7
69   ....J...F..H...i
  0010:  f3 a0 ea 95 0f 3b 21 71  a5 b0 11 34 27 91 b8
0b   .....;!q...4'...
  0020:  d1 25 4f ca d5 56 fd 55  d2 0f 33 20 a7 fe 44
07   .%O..V.U..3 ..D.
  0030:  8a 33 a1 ec 46 61 01 94  2a 05 9a 59 9e 95 02
ec   .3..Fa..*..Y....
  0040:  99 82 42 77 1d f6 bf 6e  b4 0f 05 23 00 09 00
16   ..Bw...n...#....
  0050:  03 01 03 7c 0b 00 03 78  00 03 75 00 03 72 30
82   ...|...x..u..r0.
  0060:  03 6e 30 82 02 d7 a0 03  02 01 02 02 01 00 30
0d   .n0...........0.
  0070:  06 09 2a 86 48 86 f7 0d  01 01 04 05 00 30 81
87   ..*.H........0..
  0080:  31 0b 30 09 06 03 55 04  06 13 02 55 53 31 11 30
1.0...U....US1.0
  0090:  0f 06 03 55 04 08 13 08  4e 65 77 20 59 6f 72 6b   ...U....New
York
  00a0:  31 15 30 13 06 03 55 04  07 13 0c 50 6f 75 67 68
1.0...U....Pough
  00b0:  6b 65 65 70 73 69 65 31  0c 30 0a 06 03 55 04 0a
keepsie1.0...U..
  00c0:  13 03 49 42 4d 31 0c 30  0a 06 03 55 04 0b 13
03   ..IBM1.0...U....
  00d0:  54 50 46 31 0e 30 0c 06  03 55 04 03 13 05 44 61
TPF1.0...U....Da
  00e0:  76 69 64 31 22 30 20 06  09 2a 86 48 86 f7 0d 01
vid1"0 ..*.H....
  00f0:  09 01 16 13 6d 6f 7a 65  73 68 74 61 40 75 73
2e   ....mozeshta@us.
  0100:  69 62 6d 2e 63 6f 6d 30  1e 17 0d 30 38 30 33 31
ibm.com0...08031
  0110:  31 30 31 31 36 31 31 5a  17 0d 31 30 31 32 30 37
1011611Z..101207
  0120:  30 31 31 36 31 31 5a 30  81 87 31 0b 30 09 06 03
011611Z0..1.0...
  0130:  55 04 06 13 02 55 53 31  11 30 0f 06 03 55 04 08
U....US1.0...U..
  0140:  13 08 4e 65 77 20 59 6f  72 6b 31 15 30 13 06 03   ..New
York1.0...
  0150:  55 04 07 13 0c 50 6f 75  67 68 6b 65 65 70 73 69
U....Poughkeepsi
  0160:  65 31 0c 30 0a 06 03 55  04 0a 13 03 49 42 4d 31
e1.0...U....IBM1
  0170:  0c 30 0a 06 03 55 04 0b  13 03 54 50 46 31 0e
30   .0...U....TPF1.0
  0180:  0c 06 03 55 04 03 13 05  44 61 76 69 64 31 22
30   ...U....David1"0
  0190:  20 06 09 2a 86 48 86 f7  0d 01 09 01 16 13 6d
6f    ..*.H........mo
  01a0:  7a 65 73 68 74 61 40 75  73 2e 69 62 6d 2e 63 6f
zeshta@us.ibm.co
  01b0:  6d 30 81 9f 30 0d 06 09  2a 86 48 86 f7 0d 01 01
m0..0...*.H.....
  01c0:  01 05 00 03 81 8d 00 30  81 89 02 81 81 00 ac
ee   .......0........
  01d0:  f9 a7 40 cc 73 af 67 a0  ea 46 08 45 a5 fd 44
71   ..@.s.g..F.E..Dq
  01e0:  a4 04 3e 51 f7 39 51 82  3d 7e 9b 99 ae 1d c1
22   ..>Q.9Q.=~....."
  01f0:  67 10 e7 15 d1 a9 65 75  e9 3e 0f 77 64 d1 14 4d
g.....eu.>.wd..M
  0200:  28 f0 8c ba d3 ed 87 e9  b1 5b 11 c1 3f 11 ed 1a
(........[..?...
  0210:  96 9a 3f b3 4b f3 db bd  84 41 11 aa ea 37 6d
ab   ..?.K....A...7m.
  0220:  c5 fb a9 bb ab 9d 87 66  b2 31 7a c8 35 06 06
ec   .......f.1z.5...
  0230:  fb 07 f1 29 f5 f3 fd 29  f4 df 33 bf 40 de 84
6f   ...)...)..3.@..o
  0240:  9d 66 ea 57 42 ab 0f 13  a0 07 71 d5 e0 6d 02
03   .f.WB.....q..m..
  0250:  01 00 01 a3 81 e7 30 81  e4 30 1d 06 03 55 1d
0e   ......0..0...U..
  0260:  04 16 04 14 11 76 af b1  5a bd 99 53 a5 de 02
35   .....v..Z..S...5
  0270:  06 51 c4 01 74 71 2c c6  30 81 b4 06 03 55 1d
23   .Q..tq,.0....U.#
  0280:  04 81 ac 30 81 a9 80 14  11 76 af b1 5a bd 99
53   ...0.....v..Z..S
  0290:  a5 de 02 35 06 51 c4 01  74 71 2c c6 a1 81 8d
a4   ...5.Q..tq,.....
  02a0:  81 8a 30 81 87 31 0b 30  09 06 03 55 04 06 13
02   ..0..1.0...U....
  02b0:  55 53 31 11 30 0f 06 03  55 04 08 13 08 4e 65 77
US1.0...U....New
  02c0:  20 59 6f 72 6b 31 15 30  13 06 03 55 04 07 13 0c
York1.0...U....
  02d0:  50 6f 75 67 68 6b 65 65  70 73 69 65 31 0c 30 0a
Poughkeepsie1.0.
  02e0:  06 03 55 04 0a 13 03 49  42 4d 31 0c 30 0a 06
03   ..U....IBM1.0...
  02f0:  55 04 0b 13 03 54 50 46  31 0e 30 0c 06 03 55 04
U....TPF1.0...U.
  0300:  03 13 05 44 61 76 69 64  31 22 30 20 06 09 2a
86   ...David1"0 ..*.
  0310:  48 86 f7 0d 01 09 01 16  13 6d 6f 7a 65 73 68 74
H........mozesht
  0320:  61 40 75 73 2e 69 62 6d  2e 63 6f 6d 82 01 00 30
a@us.ibm.com...0
  0330:  0c 06 03 55 1d 13 04 05  30 03 01 01 ff 30 0d
06   ...U....0....0..
  0340:  09 2a 86 48 86 f7 0d 01  01 04 05 00 03 81 81
00   .*.H............
  0350:  a8 39 22 f9 88 b2 c1 e6  95 5e af 4d ae f6 89
e5   .9"......^.M....
  0360:  64 82 37 42 f6 5b 00 56  22 d0 c6 b9 5f 70 36 2f
d.7B.[.V"..._p6/
  0370:  8f 10 bb 5a d1 18 33 2a  37 8a a0 f2 c3 53 21
12   ...Z..3*7....S!.
  0380:  2c 28 8a 62 a9 e0 b5 5a  70 4c 77 f1 5c 33 d2
a3   ,(.b...ZpLw.\3..
  0390:  6d 77 e8 6e e8 7e 5b 74  d9 3a 70 24 38 89 ce 11   mw.n.~[t.:p
$8...
  03a0:  4c ec 64 51 f2 be 61 4c  18 09 25 13 48 e2 5b 13
L.dQ..aL..%.H.[.
  03b0:  d9 fa 8c 0c b7 a2 dd 09  dd e8 da 01 c7 29 2b
9a   .............)+.
  03c0:  22 51 6f 19 54 e7 02 90  75 0e a9 3a 4b e0 d1 a4
"Qo.T...u..:K...
  03d0:  16 03 01 00 04 0e 00 00  00                        ...........:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=1 tvp=zero
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
tls_read: want=5, got=5
  0000:  16 03 01 00 86                                     ...........:
tls_read: want=134, got=134
  0000:  10 00 00 82 00 80 91 6b  72 70 d5 4e 89 66 4e
5f   .......krp.N.fN_
  0010:  f2 d6 d6 41 e7 3a 85 1e  8e ce 85 4d 90 ac 4a
ec   ...A.:.....M..J.
  0020:  81 f6 4d 2c 1d 94 85 e8  78 cf c9 68 11 77 b3
4e   ..M,....x..h.w.N
  0030:  13 97 62 43 e2 e8 12 44  42 46 c6 bc c3 74 c7
ad   ..bC...DBF...t..
  0040:  f7 46 22 2b ac 8c 8e 59  5d de f4 fd f9 73 3f
76   .F"+...Y]....s?v
  0050:  1b 58 1f da 5c 95 49 a6  73 ec 75 37 fc 38 fa
53   .X...I.s.u7.8.S
  0060:  6d 3c a9 fd 2a 7d c3 f7  b9 79 e7 3f 8f da df 04
m<..*}...y.?....
  0070:  cb 06 e2 67 75 3c 57 cf  8e 60 6e e4 27 fa 23
a3   ...gu<W..`n.'.#.
  0080:  b8 fb c6 5b 14 7e                                  ...[.~
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
  0000:  01                                                 .....
tls_read: want=5, got=5
  0000:  16 03 01 00 28                                     ....(
tls_read: want=40, got=40
  0000:  77 34 09 6c 45 e9 f1 f0  a2 e6 cb 2d e4 49 27 42
w4.lE......-.I'B
  0010:  45 a5 84 74 bb bd 0f 6e  24 70 e1 b0 0f 19 83 4a   E..t...n
$p.....J
  0020:  7a 41 c3 b3 ca fe 80 68                            zA.....h
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=51, written=51
  0000:  14 03 01 00 01 01 16 03  01 00 28 97 a6 bb b1
8c   ..........(.....
  0010:  50 d4 6f 60 2c fb c7 d1  10 a6 a6 37 ff ea 0b e8
P.o`,......7....
  0020:  60 d0 f1 6b 34 d7 26 7b  a9 c8 c0 45 72 33 7c 67   `..k4.&{...Er3|
g
  0030:  b4 07 93                                           ...
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN, error=49 id=5
conn=5 fd=13 TLS established tls_ssf=56 ssf=56
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=1 tvp=zero
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
tls_read: want=5, got=0
ldap_read: want=8, got=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=5, closing.
connection_closing: readying conn=5 sd=13 for close
connection_close: conn=5 sd=13
daemon: removing 13
daemon: activity on 1 descriptor
tls_write: want=29, written=29
  0000:  15 03 01 00 18 73 41 45  4f f9 51 03 05 e6 66
c2   .....sAEO.Q...f.
  0010:  f5 65 d2 a9 ab 03 aa 8d  d1 79 ef 18 8c            .e.......y....
TLS trace: SSL3 alert write:warning:close notify
conn=5 fd=13 closed (connection lost)
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

TLS Configuration - "unable to get TLS client DN, error=49"