On 01/08/2016 03:45 PM, Quanah Gibson-Mount wrote:
> Error in error is pretty interesting. What SSL libs is samba linked to? What SSL libs is your test program linked to?

It did make me wonder! The failure right after "write client key exchange A" does seem to correlate with my Wireshark capture (client sends a "decrypt error" (TLS alert code 51) to the LDAP server after receiving the certificate).
The actual error from ldap_simple_bind_s is: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
This is a FreeBSD 10.2 system, which uses OpenSSL 1.0.1p. Both smbd and my test should be linked to the same LDAP and SSL libraries - here's ldd output:

ldaptest:
        libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x800820000)
        libc.so.7 => /lib/libc.so.7 (0x800a66000)
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x800e12000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x801020000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x80128c000)

and

/usr/local/sbin/smbd:
        libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x80103f000)
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x801285000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x801493000)
        libpam.so.5 => /usr/lib/libpam.so.5 (0x8016b3000)
        libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x8018bf000)
        libmd.so.6 => /lib/libmd.so.6 (0x801ac2000)
        librt.so.1 => /usr/lib/librt.so.1 (0x801cd2000)
        libthr.so.3 => /lib/libthr.so.3 (0x801ed8000)
        libpopt.so.0 => /usr/local/lib/libpopt.so.0 (0x8020fc000)
        libtalloc.so.2 => /usr/local/lib/libtalloc.so.2 (0x802308000)
        libtevent.so.0 => /usr/local/lib/libtevent.so.0 (0x802515000)
        libtdb.so.1 => /usr/local/lib/libtdb.so.1 (0x802723000)
        libz.so.6 => /lib/libz.so.6 (0x802938000)
        libc.so.7 => /lib/libc.so.7 (0x802b4e000)
        libssl.so.7 => /usr/lib/libssl.so.7 (0x802efa000)
        libcrypto.so.7 => /lib/libcrypto.so.7 (0x803166000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x80355a000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x80376f000)
        libintl.so.8 => /usr/local/lib/libintl.so.8 (0x80397d000)
Thanks for any ideas!
Graham
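
The library comparison asked about in the quoted question, as an added example that is not part of the original message: it parses two `ldd` outputs and reports any TLS or LDAP library that resolves to a different soname or path in one binary than in the other. The function names, the "(not linked)" marker and the `MISMATCH_LDD` sample are assumptions made for illustration; the first two samples are the relevant lines from the output above.

```python
import re

# Matches "libssl.so.7 => /usr/lib/libssl.so.7 (0x801020000)" and "libfoo.so => not found"
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(not found|\S+)(?:\s+\(0x[0-9a-fA-F]+\))?\s*$")
ABSENT = "(not linked)"  # marker used here when a binary does not list the library at all

def parse_ldd(text):
    """Map each shared-library name to the path ldd resolved it to."""
    libs = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:  # header lines such as "ldaptest:" carry no "=>" and are skipped
            libs[m.group(1)] = m.group(2)
    return libs

def compare(ldd_a, ldd_b, prefixes=("libssl", "libcrypto", "libldap", "liblber")):
    """Return {library: (path_in_a, path_in_b)} for TLS/LDAP libraries that differ."""
    a, b = parse_ldd(ldd_a), parse_ldd(ldd_b)
    diffs = {}
    for name in sorted(set(a) | set(b)):
        if name.startswith(prefixes) and a.get(name, ABSENT) != b.get(name, ABSENT):
            diffs[name] = (a.get(name, ABSENT), b.get(name, ABSENT))
    return diffs

# TLS/LDAP lines taken from the ldd output in the message above
LDAPTEST_LDD = """ldaptest:
    libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x800820000)
    liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x800e12000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x801020000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x80128c000)"""
SMBD_LDD = """/usr/local/sbin/smbd:
    libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x80103f000)
    liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x801285000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x802efa000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x803166000)"""
# Constructed sample: a binary that picked up a second OpenSSL under /usr/local
MISMATCH_LDD = """/path/to/other-binary:
    libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x80103f000)
    liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x801285000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x802efa000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x803166000)"""

if __name__ == "__main__":
    print("ldaptest vs smbd:", compare(LDAPTEST_LDD, SMBD_LDD) or "same TLS/LDAP libraries")
    for lib, (a, b) in compare(LDAPTEST_LDD, MISMATCH_LDD).items():
        print(f"{lib}: {a} != {b}")
```

Load addresses are ignored on purpose, since they differ between any two processes even when the same library file is mapped.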