I’ve built and installed the openssl 1.1.1c thinking my issues are incompatibility between the version of openldap and original openssl v1.0.2f installed on my Centos 7
I get one step farther now, from the client’s debug output, but still fail at “tls_post_process_client_hello:no shared cipher.”
Does anyone know why there is no shared cipher, when both server and client run on the same machine, and use the same libssl ??
Is there a config option I’m not aware of?
Server---------------------------------------------------------
5e0fb9f5 daemon: activity on 1 descriptor
5e0fb9f5 daemon: activity on:
5e0fb9f5 slap_listener_activate(7):
5e0fb9f5 daemon: epoll: listen=7 busy
5e0fb9f5 >>> slap_listener(ldaps://server.my-domain.com:636)
5e0fb9f5 daemon: accept() = 11
5e0fb9f5 daemon: listen=7, new connection on 11
5e0fb9f5 daemon: added 11r (active) listener=(nil)
5e0fb9f5 conn=1000 fd=11 ACCEPT from IP=127.0.0.1:52044 (IP=127.0.0.1:636)
5e0fb9f5 daemon: activity on 1 descriptor
5e0fb9f5 daemon: activity on:
5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0fb9f5 daemon: activity on 1 descriptor
5e0fb9f5 daemon: activity on: 11r
5e0fb9f5 daemon: read active on 11
5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0fb9f5 connection_get(11)
5e0fb9f5 connection_get(11): got connid=1000
5e0fb9f5 connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before SSL initialization
tls_read: want=5, got=5
0000: 16 03 01 01 20 ....
tls_read: want=288, got=288
0000: 01 00 01 1c 03 03 c5 6e 9e 33 03 28 e6 22 df 0f .......n.3.(."..
0010: ca 0d ca ec 17 54 b1 dd 8b 35 b0 55 ca d2 23 ca .....T...5.U..#.
0020: 07 f1 c2 69 3b ca 20 7d 07 1c 28 37 b5 b4 69 7b ...i;. }..(7..i{
0030: 16 ad 62 dd 8e 97 6e 78 3a 9f c7 69 13 bd c7 fe ..b...nx:..i....
0040: bb 0f 4a f4 92 78 21 00 3e 13 02 13 03 13 01 c0 ..J..x!.>.......
0050: 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 ,.0.........+./.
0060: 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 ..$.(.k.#.'.g...
0070: 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 ..9.....3.....=.
0080: 3c 00 35 00 2f 00 ff 01 00 00 95 00 0b 00 04 03 <.5./...........
0090: 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 ................
00a0: 19 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00 ....#...........
00b0: 0d 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 ..0.............
00c0: 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 ................
00d0: 01 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 ................
00e0: 02 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 ....+...........
00f0: 00 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 .-.....3.&.$...
0100: 84 ce 50 d7 96 90 49 13 4b dd b0 71 51 52 51 c6 ..P...I.K..qQRQ.
0110: 21 6e 87 46 7f 33 f6 b4 fd f8 03 84 a1 96 c7 77 !n.F.3.........w
TLS trace: SSL_accept:before SSL initialization
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher.
5e0fb9f5 connection_read(11): TLS accept failure error=-1 id=1000, closing
5e0fb9f5 connection_closing: readying conn=1000 sd=11 for close
5e0fb9f5 connection_close: conn=1000 sd=11
5e0fb9f5 daemon: removing 11
5e0fb9f5 conn=1000 fd=11 closed (TLS negotiation failure)
5e0fb9f5 daemon: activity on 1 descriptor
5e0fb9f5 daemon: activity on:
5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Client----------------------------------------------------------
[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -ZZ -d -1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server.my-domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=293, written=293
0000: 16 03 01 01 20 01 00 01 1c 03 03 c5 6e 9e 33 03 .... .......n.3.
0010: 28 e6 22 df 0f ca 0d ca ec 17 54 b1 dd 8b 35 b0 (.".......T...5.
0020: 55 ca d2 23 ca 07 f1 c2 69 3b ca 20 7d 07 1c 28 U..#....i;. }..(
0030: 37 b5 b4 69 7b 16 ad 62 dd 8e 97 6e 78 3a 9f c7 7..i{..b...nx:..
0040: 69 13 bd c7 fe bb 0f 4a f4 92 78 21 00 3e 13 02 i......J..x!.>..
0050: 13 03 13 01 c0 2c c0 30 00 9f cc a9 cc a8 cc aa .....,.0........
0060: c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.'
0070: 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080: 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00 95 ...=.<.5./......
0090: 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d ................
00a0: 00 17 00 1e 00 19 00 18 00 23 00 00 00 16 00 00 .........#......
00b0: 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 .......0........
00c0: 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 ................
00d0: 04 01 05 01 06 01 03 03 02 03 03 01 02 01 03 02 ................
00e0: 02 02 04 02 05 02 06 02 00 2b 00 09 08 03 04 03 .........+......
00f0: 03 03 02 03 01 00 2d 00 02 01 01 00 33 00 26 00 ......-.....3.&.
0100: 24 00 1d 00 20 84 ce 50 d7 96 90 49 13 4b dd b0 $... ..P...I.K..
0110: 71 51 52 51 c6 21 6e 87 46 7f 33 f6 b4 fd f8 03 qQRQ.!n.F.3.....
0120: 84 a1 96 c7 77 ....w
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
0000: 15 03 03 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
thanks in advance for considering my problem !
Ken
From: openldap-technical <openldap-technical-bounces@openldap.org>
On Behalf Of [ext] Dunne, Kenneth
Sent: Friday, January 3, 2020 10:41 AM
To: openldap-technical@openldap.org
Subject: RE: Issues with OpenLdap using OpenTLS
Thanks for the suggestions everyone,
I’ve corrected an issue with the generation of the self-signed CA , I was using the wrong ‘cert’
For OpenSSL this gets put into:
/etc/pki/CA/cacert.pem
I have used the “Common Name” in the cert-generation as:
server.my-domain.com
I have it in /etc/hosts as:
127.0.0.1 server.my-domain.com
I am using ‘localhost’ first in this investigation-stage, and will be used for our unit-tests
The port 636 does not appear to be firewalled
I get a little farther now with these changes, 8 bytes are sent/received: see below
TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.
----------------------------------------------------ldap server
/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h ldaps://server.my-domain.com:636 -d -1
.
.
5e0f6aa1 daemon: activity on:
5e0f6aa1 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 slap_listener_activate(7):
5e0f6b65 daemon: epoll: listen=7 busy
5e0f6b65 >>> slap_listener(ldaps://server.my-domain.com:636)
5e0f6b65 daemon: accept() = 11
5e0f6b65 daemon: listen=7, new connection on 11
5e0f6b65 daemon: added 11r (active) listener=(nil)
5e0f6b65 conn=1001 fd=11 ACCEPT from IP=127.0.0.1:51880 (IP=127.0.0.1:636)
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on: 11r
5e0f6b65 daemon: read active on 11
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 connection_get(11)
5e0f6b65 connection_get(11): got connid=1001
5e0f6b65 connection_read(11): checking for input on id=1001
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 16 03 01 01 1c 01 00 01 18 03 03 ...........
tls_read: want=278, got=278
0000: c7 eb 10 c3 5a af 18 e7 9b 3b ad 08 e6 cc b2 7d ....Z....;.....}
0010: ee a7 7d 0f c4 fe 01 49 8a 5b d3 94 c5 25 08 1d ..}....I.[...%..
0020: 00 00 ac c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 ....0.,.(.$.....
0030: a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 ........k.j.i.h.
0040: 39 00 38 00 37 00 36 00 88 00 87 00 86 00 85 c0 9.8.7.6.........
0050: 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 2...*.&.......=.
0060: 35 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00 5.../.+.'.#.....
0070: a4 00 a2 00 a0 00 9e 00 67 00 40 00 3f 00 3e 00
........g.@.?.>.
0080: 33 00 32 00 31 00 30 00 9a 00 99 00 98 00 97 00 3.2.1.0.........
0090: 45 00 44 00 43 00 42 c0 31 c0 2d c0 29 c0 25 c0 E.D.C.B.1.-.).%.
00a0: 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 12 c0 ......<./...A...
00b0: 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00 0a 00 ................
00c0: 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 ................
00d0: 00 00 43 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 ..C.............
00e0: 08 00 17 00 19 00 18 00 16 00 23 00 00 00 0d 00 ..........#.....
00f0: 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 ...............
0100: 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 ................
0110: 03 00 0f 00 01 01 ......
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher.
5e0f6b65 connection_read(11): TLS accept failure error=-1 id=1001, closing
5e0f6b65 connection_closing: readying conn=1001 sd=11 for close
5e0f6b65 connection_close: conn=1001 sd=11
5e0f6b65 daemon: removing 11
5e0f6b65 conn=1001 fd=11 closed (TLS negotiation failure)
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
^C5e0f6e38 daemon: shutdown requested and initiated.
5e0f6e38 daemon: removing 7r
5e0f6e38 daemon: closing 7
5e0f6e38 slapd shutdown: waiting for 0 operations/tasks to finish
5e0f6e38 slapd shutdown: initiated
5e0f6e38 slapd destroy: freeing system resources.
5e0f6e38 slapd stopped.
---------------------------------------------------- client
[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -H ldaps://server.my-domain.com:636 -d -1
ldap_url_parse_ext(ldaps://server.my-domain.com:636)
ldap_create
ldap_url_parse_ext(ldaps://server.my-domain.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server.my-domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
tls_write: want=289, written=289
0000: 16 03 01 01 1c 01 00 01 18 03 03 8b 5c ad c3 76 ............\..v
0010: a2 eb 75 4f df e3 f3 7b 5c 55 73 5e 2c 43 62 de ..uO...{\Us^,Cb.
0020: 98 5f 5d b8 3b c0 82 32 46 86 cd 00 00 ac c0 30 ._].;..2F......0
0030: c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040: 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050: 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a .6.........2...*
0060: c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070: c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080: 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31
...g.@.?.>.3.2.1
0090: 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 .0.........E.D.C
00a0: 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0: 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 .<./...A........
00c0: 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 ................
00d0: c0 0c c0 02 00 05 00 04 00 ff 01 00 00 43 00 0b .............C..
00e0: 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 ................
00f0: 00 18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 .....#..... ....
0100: 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 ................
0110: 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 ................
0120: 01 .
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
From: openldap-technical <openldap-technical-bounces@openldap.org>
On Behalf Of Christopher Paul
Sent: Thursday, January 2, 2020 6:17 PM
To: openldap-technical@openldap.org
Subject: Re: Issues with OpenLdap using OpenTLS
I
On 1/2/20 8:36 AM, Dunne, Kenneth wrote:
All
I am able to connect to my home-built OpenSSL installation (from Dec-19 sources) on CentOS-7 without the TLS bind
[...]
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
Hey Ken, is port 636 open on the host-based firewall if it's running? any other firewalls blocking 636?
CP