Hi!
After "playing" a significant time with certificate authentication, I managed to authenticate one user. However, when I tried to authenticate a different user with a similar certificate, I see a
TLS trace: SSL3 alert read:fatal:unsupported certificate
error. Can I get some details about the "unsupportedness" of my certificate? The only thing I could think of is that the uid of the newer certificate has a CN that is three characters longer than the one that worked.
A more complete trace for ldapwhoami would look like this:
…
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /…. Root-CA (2018), issuer: /… Root-CA (2018)
TLS certificate verification: depth: 1, err: 0, subject: /… Host-CA (2018), issuer: /… Root-CA (2018)
TLS certificate verification: depth: 0, err: 0, subject: /… FQHN, issuer: /… Host-CA (2018)
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write certificate verify
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_int_sasl_open: host=FQHN
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 26 bytes to sd 3
ldap_msgfree
ldap_result ld 0x56432476ac30 msgid 2
wait4msg ld 0x56432476ac30 msgid 2 (infinite timeout)
wait4msg continue ld 0x56432476ac30 msgid 2 all 1
** ld 0x56432476ac30 Connections:
* host: FQHN port: 389 (default)
* from: IP=172.20.16.36:57868
refcnt: 2 status: Connected
last used: Wed Mar 5 15:42:03 2025
** ld 0x56432476ac30 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x56432476ac30 request count 1 (abandoned 0)
** ld 0x56432476ac30 Response Queue:
Empty
ld 0x56432476ac30 response count 0
ldap_chkResponseList ld 0x56432476ac30 msgid 2 all 1
ldap_chkResponseList returns ld 0x56432476ac30 NULL
ldap_int_select
read1msg: ld 0x56432476ac30 msgid 2 all 1
ber_get_next
TLS trace: SSL3 alert read:fatal:unsupported certificate
ber_get_next failed, errno=0.
ldap_err2string
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
…
Kind regards,
Ulrich Windl
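An added diagnostic, not part of the mail above: the TLS alert "unsupported certificate" (alert 43 in the TLS specifications, "a certificate was of an unsupported type") is distinct from "unknown ca" or "bad certificate", and in OpenSSL it is what the server sends back when verification of the client certificate ends in X509_V_ERR_INVALID_PURPOSE, i.e. when the Key Usage or Extended Key Usage extensions do not permit TLS client use, or the key or signature type is not acceptable. The script below, written for this reply and assuming only the openssl command-line tool, prints exactly those attributes for a PEM certificate and checks whether openssl itself considers it usable as an "SSL client" certificate, so a working and a failing certificate can be compared field by field. File names given on the command line are the only input; none of the paths are taken from the original trace.

```shell
#!/bin/sh
# Added example: compare the X.509 attributes a TLS server consults before it
# accepts a client certificate. Requires the openssl CLI (1.1.1 or newer for
# the -purpose output format used below).

# Print the fields that decide "unsupported certificate": signature algorithm,
# key type and size, Key Usage and Extended Key Usage.
cert_summary() {
    f="$1"
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer
    openssl x509 -in "$f" -noout -text | awk '
        /Signature Algorithm:/ && !sig  { print; sig = 1 }
        /Public Key Algorithm:/         { print }
        /Public-Key:/                   { print }
        /X509v3 Key Usage/              { getline; print "Key Usage:" $0 }
        /X509v3 Extended Key Usage/     { getline; print "Extended Key Usage:" $0 }
    '
}

# Return 0 when openssl accepts the certificate for the "SSL client" purpose
# (the same purpose check a TLS server applies), 1 otherwise. On failure the
# Key Usage / Extended Key Usage lines are printed so the cause is visible.
client_cert_ok() {
    f="$1"
    purpose=$(openssl x509 -in "$f" -noout -purpose) || return 1
    if printf '%s\n' "$purpose" | grep -Eq '^SSL client[[:space:]]*:[[:space:]]*Yes'; then
        return 0
    fi
    echo "$f: not usable as a TLS client certificate" >&2
    openssl x509 -in "$f" -noout -text \
        | grep -A1 -E 'X509v3 (Extended )?Key Usage' >&2
    return 1
}

# Usage: sh check-client-cert.sh working.pem failing.pem
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        cert_summary "$f"
        if client_cert_ok "$f"; then
            echo "$f: OK for TLS client authentication"
        else
            rc=1
        fi
        echo
    done
    exit "$rc"
fi
```

If the failing certificate shows "SSL client : No" while the working one shows "Yes", the difference will be in the Key Usage (digitalSignature needed) or Extended Key Usage (clientAuth needed) lines printed above; if both say "Yes", the remaining candidates are the signature or key algorithm, which the summary lists, and those are compared against what the server's TLS library allows.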