On 01/08/2016 03:45 PM, Quanah Gibson-Mount wrote:
> Error in error is pretty interesting. What SSL libs is samba linked
> to? What SSL libs is your test program linked to?

It did make me wonder! The failure right after "write client key
exchange A" does seem to correlate with my Wireshark capture (client
sends a "decrypt error" (TLS alert code 51) to the LDAP server after
receiving the certificate).

The actual error from ldap_simple_bind_s is:

    error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib

This is a FreeBSD 10.2 system, which uses OpenSSL 1.0.1p. Both smbd and
my test should be linked to the same LDAP and SSL libraries - here's the
ldd output:

ldaptest:
    libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x800820000)
    libc.so.7 => /lib/libc.so.7 (0x800a66000)
    liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x800e12000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x801020000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x80128c000)

and

/usr/local/sbin/smbd:
    libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2 (0x80103f000)
    liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x801285000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x801493000)
    libpam.so.5 => /usr/lib/libpam.so.5 (0x8016b3000)
    libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x8018bf000)
    libmd.so.6 => /lib/libmd.so.6 (0x801ac2000)
    librt.so.1 => /usr/lib/librt.so.1 (0x801cd2000)
    libthr.so.3 => /lib/libthr.so.3 (0x801ed8000)
    libpopt.so.0 => /usr/local/lib/libpopt.so.0 (0x8020fc000)
    libtalloc.so.2 => /usr/local/lib/libtalloc.so.2 (0x802308000)
    libtevent.so.0 => /usr/local/lib/libtevent.so.0 (0x802515000)
    libtdb.so.1 => /usr/local/lib/libtdb.so.1 (0x802723000)
    libz.so.6 => /lib/libz.so.6 (0x802938000)
    libc.so.7 => /lib/libc.so.7 (0x802b4e000)
    libssl.so.7 => /usr/lib/libssl.so.7 (0x802efa000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x803166000)
    libelf.so.1 => /usr/lib/libelf.so.1 (0x80355a000)
    libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x80376f000)
    libintl.so.8 => /usr/local/lib/libintl.so.8 (0x80397d000)

Thanks for any ideas!
Graham