Sorry, forgot to mention that I've tested that certificates are OK.
# starting slapd
/usr/local/libexec/slapd -u ldap -d 1 -h ldaps:///
# making test:
openssl s_client -connect 127.0.0.1:636 -CAfile /usr/local/etc/openldap/ssl-client/root.crt -showcerts
# output of test in openssl command:
CONNECTED(00000003) depth=1 /C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com verify return:1 depth=0 /C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com verify return:1 --- Certificate chain 0 s:/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com -----BEGIN CERTIFICATE----- <certificate> ..... </certificate> -----END CERTIFICATE----- 1 s:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com i:/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com -----BEGIN CERTIFICATE----- <certificate> ..... </certificate> -----END CERTIFICATE----- --- Server certificate subject=/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com issuer=/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com --- No client certificate CA names sent --- SSL handshake has read 1811 bytes and written 462 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: <SOMESESSIONID> Session-ID-ctx: Master-Key: <SOMEMASTERKEY> Key-Arg : None Start Time: 1284557075 Timeout : 300 (sec) Verify return code: 0 (ok) ---
# in slapd debug at that moment:
slap_listener_activate(7):
slap_listener(ldaps:///)
connection_get(11): got connid=1001 connection_read(11): checking for input on id=1001 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(11): got connid=1001 connection_read(11): checking for input on id=1001 TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data connection_read(11): unable to get TLS client DN, error=49 id=1001
# in openssl I enter QUIT and reviece DONE # in slapd debug after I entered QUIT i recieve folowing debug:
connection_get(11): got connid=1001 connection_read(11): checking for input on id=1001 ber_get_next TLS trace: SSL3 alert read:warning:close notify ber_get_next on fd 11 failed errno=0 (Undefined error: 0) connection_close: conn=1001 sd=11 TLS trace: SSL3 alert write:warning:close notify
Without -CAfile /usr/local/etc/openldap/ssl-client/root.crt I get folowing:
# openssl s_client -connect 127.0.0.1:636 -showcerts CONNECTED(00000003) depth=1 /C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/C=RU/ST=MSK/L=MSK/O=NRD/OU=IT/CN=ldap.domain.com i:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com -----BEGIN CERTIFICATE----- <certificate> ... </certificate> -----END CERTIFICATE----- 1 s:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com i:/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com -----BEGIN CERTIFICATE----- <certificate> ... </certificate> -----END CERTIFICATE----- --- Server certificate subject=/C=RU/ST=MSK/L=MSK/O=NRD/OU=IT/CN=ldap.domain.com issuer=/C=RU/ST=MSK/L=MSk/O=NRD/OU=IT/CN=ca.domain.com --- No client certificate CA names sent --- SSL handshake has read 1811 bytes and written 462 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: <SOMESESSIONID> Session-ID-ctx: Master-Key: <SOMEMASTERKEY> Key-Arg : None Start Time: 1284557459 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) ---
# and slapd says folowing:
slap_listener_activate(7):
slap_listener(ldaps:///)
connection_get(11): got connid=1000 connection_read(11): checking for input on id=1000 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(11): got connid=1000 connection_read(11): checking for input on id=1000 TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data connection_read(11): unable to get TLS client DN, error=49 id=1000
# after I eter quit slapd says this:
connection_get(11): got connid=1000 connection_read(11): checking for input on id=1000 ber_get_next TLS trace: SSL3 alert read:warning:close notify ber_get_next on fd 11 failed errno=0 (Undefined error: 0) connection_close: conn=1000 sd=11 TLS trace: SSL3 alert write:warning:close notify
And i've got ldap.domain.com record in /etc/hosts...
2010/9/15 Dieter Kluenter dieter@dkluenter.de:
c0re nr1c0re@gmail.com writes:
Yes, same output of debug as in my first post, nothing changed.
Also I tryed to use "ssl on" and connect to 636 port - same debug output...
2010/9/15 Dieter Kluenter dieter@dkluenter.de:
c0re nr1c0re@gmail.com writes:
I tried to set "disallow tls_authc" and/or "TLSVerifyClient never" in slapd.conf - no changes.
What do you mean by 'no changes' do you still see the line unable to get TLS client DN, error=49 Or is there an other error reported?
please start slapd as ldaps on port 636 and try openssl s_client -connect hostanme:636 -showcerts
-Dieter
-- Dieter Klünter | Systemberatung sip: 7770535@sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6