It seems like my ldapsearch can't find the get local issuer certificate. what configuration files tells the ldapsearch of which certificate to use? Oh, my certificate and keys and cacert files are good, I've tested them using the openssl s_server and s_client to get a basic connection. can someone help me, I don't know what else could be the problem.
here's the log for ldapsearch: /usr/local/bin/ldapsearch -x -LLL -ZZ -d 1 ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying ::1 389 ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_close_socket: 4 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 4 ldap_result ld 60888 msgid 1 ldap_chkResponseList ld 60888 msgid 1 all 1 ldap_chkResponseList returns ld 60888 NULL wait4msg ld 60888 msgid 1 (infinite timeout) wait4msg continue ld 60888 msgid 1 all 1 ** ld 60888 Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Wed Feb 13 20:49:25 2008
** ld 60888 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 60888 Response Queue: Empty ldap_chkResponseList ld 60888 msgid 1 all 1 ldap_chkResponseList returns ld 60888 NULL ldap_int_select read1msg: ld 60888 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 60888 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 60888 0 new referrals read1msg: mark request completed, ld 60888 msgid 1 request done: ld 60888 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN=ldap1.mylan/emailAddress=abc@mylan, issuer: /CN=ldap1.mylan/emailAddress=abc@mylan TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_perror ldap_start_tls: Connect error (-11) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
and here's the server's log for that search
daemon: activity on 1 descriptor
slap_listener(ldap:///)
daemon: listen=8, new connection on 14 daemon: added 14r (active) listener=0 daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: select: listen=9 active_threads=0 tvp=NULL daemon: select: listen=10 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 14r daemon: read activity on 14 connection_get(14) connection_get(14): got connid=6 connection_read(14): checking for input on id=6 ber_get_next ldap_read: want=8, got=8 0000: 30 1d 02 01 01 77 18 80 0....w.. ldap_read: want=23, got=23 0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037 ber_get_next: tag 0x30 len 29 contents: ber_dump: buf=0x002094f0 ptr=0x002094f0 end=0x0020950d len=29 0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_get_next ldap_read: want=8 error=Resource temporarily unavailable daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: select: listen=9 active_threads=0 tvp=NULL daemon: select: listen=10 active_threads=0 tvp=NULL do_extended ber_scanf fmt ({m) ber: ber_dump: buf=0x002094f0 ptr=0x002094f3 end=0x0020950d len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 do_extended: oid=1.3.6.1.4.1.1466.20037 send_ldap_extended: err=0 oid= len=0 send_ldap_response: msgid=1 tag=120 err=0 ber_flush: 14 bytes to sd 14 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
daemon: activity on 1 descriptor daemon: activity on: 14r daemon: read activity on 14 connection_get(14) connection_get(14): got connid=6 connection_read(14): checking for input on id=6 TLS trace: SSL_accept:before/accept initialization tls_read: want=11, got=11 0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q... tls_read: want=113, got=113 0000: 00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00 ..9..8..5.......
0010: 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00 .......3..2../..
0020: 07 05 00 80 03 00 80 00 00 05 00 00 04 01 00 80 ................
0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 ...........@....
0040: 00 11 00 00 08 00 00 06 04 00 80 00 00 03 02 00 ................
0050: 80 32 4e ca 88 41 1f 3a 73 cd a1 1c 29 73 a6 81 .2N..A.:s...)s..
0060: 8c c5 af c3 af 93 bf 13 4a c7 54 90 b7 82 d2 69 ........J.T....i
0070: 2f / TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A tls_write: want=810, written=810 0000: 16 03 01 00 4a 02 00 00 46 03 01 47 b3 58 84 43 ....J...F..G.X.C
0010: c3 a5 64 a9 b5 7c 0b 8b 25 1c d6 e9 ce f2 1f 9b ..d..|..%.......
0020: 82 00 e0 6d 33 e7 e6 44 53 6c 52 20 7d 72 fe 41 ...m3..DSlR }r.A 0030: 17 4c 96 5c 5c 9c 6b df 32 0d c0 32 45 fe 7b bf .L.\.k.2..2E.{.
0040: a9 5e 16 4b 62 ec 3b 11 76 6e ee ce 00 35 00 16 .^.Kb.;.vn...5..
0050: 03 01 02 cd 0b 00 02 c9 00 02 c6 00 02 c3 30 82 ..............0.
0060: 02 bf 30 82 02 28 a0 03 02 01 02 02 01 01 30 0d ..0..(........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 30 31 ..*.H........001
0080: 14 30 12 06 03 55 04 03 13 0b 6c 64 61 70 31 2e .0...U....ldap1.
0090: 6d 79 6c 61 6e 31 18 30 16 06 09 2a 86 48 86 f7 mylan1.0...*.H..
00a0: 0d 01 09 01 16 09 61 62 63 40 6d 79 6c 61 6e 30 ......abc@mylan0
00b0: 1e 17 0d 30 38 30 32 31 33 31 36 31 34 32 32 5a ...080213161422Z
00c0: 17 0d 31 38 30 32 31 32 31 36 31 34 32 32 5a 30 ..180212161422Z0
00d0: 30 31 14 30 12 06 03 55 04 03 13 0b 6c 64 61 70 01.0...U....ldap
00e0: 31 2e 6d 79 6c 61 6e 31 18 30 16 06 09 2a 86 48 1.mylan1.0...*.H
00f0: 86 f7 0d 01 09 01 16 09 61 62 63 40 6d 79 6c 61 ........abc@myla
0100: 6e 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 n0..0...*.H.....
0110: 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 ef 80 .......0........
0120: 03 36 0f 1e e0 19 e7 1d 03 a9 cb 13 53 81 d6 f7 .6..........S...
0130: bf b6 e4 1c 84 38 77 bd 85 39 e6 f6 9c 50 70 82 .....8w..9...Pp.
0140: 3e 7e e0 17 e9 86 4f a3 48 8f bb 1a f1 04 92 72 >~....O.H......r
0150: bc 02 a7 dd 97 54 c1 cd 09 bd f8 d8 da 23 04 8e .....T.......#..
0160: e7 77 de 44 f8 54 f9 5e 35 1e 05 50 71 b2 dc 25 .w.D.T.^5..Pq..%
0170: 71 7b e9 48 99 bf 93 a2 07 4e 4e 1f 1f 96 c8 b8 q{.H.....NN.....
0180: 76 21 3b fc c7 60 ab b2 4a 01 2d 8a 15 ee af e7 v!;..`..J.-.....
0190: 76 4e 50 1b 61 8f 5c a1 b3 07 4a cc 82 43 02 03 vNP.a....J..C..
01a0: 01 00 01 a3 81 e8 30 81 e5 30 09 06 03 55 1d 13 ......0..0...U..
01b0: 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01 ..0.0,..`.H...B.
01c0: 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e .....OpenSSL Gen 01d0: 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 erated Certifica 01e0: 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 18 e5 ab te0...U.........
01f0: 2a 99 96 50 78 35 71 52 a6 ad 1f 8a 53 c6 72 cd *..Px5qR....S.r.
0200: dc 30 60 06 03 55 1d 23 04 59 30 57 80 14 25 ba .0`..U.#.Y0W..%.
0210: f3 49 07 88 d2 aa 76 2f 59 fc f0 bb 08 6d b5 17 .I....v/Y....m..
0220: f3 e8 a1 34 a4 32 30 30 31 14 30 12 06 03 55 04 ...4.2001.0...U.
0230: 03 13 0b 6c 64 61 70 31 2e 6d 79 6c 61 6e 31 18 ...ldap1.mylan1.
0240: 30 16 06 09 2a 86 48 86 f7 0d 01 09 01 16 09 61 0...*.H........a
0250: 62 63 40 6d 79 6c 61 6e 82 09 00 8e 0f 59 9d 05 bc@mylan.....Y..
0260: 90 4f f0 30 29 06 03 55 1d 11 04 22 30 20 82 0a .O.0)..U..."0 .. 0270: 6c 64 61 70 2e 6d 79 6c 61 6e 82 12 6c 6f 61 64 ldap.mylan..load
0280: 62 61 6c 61 6e 63 65 72 2e 6d 79 6c 61 6e 30 0d balancer.mylan0.
0290: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 81 ..*.H...........
02a0: 00 89 b9 5b c0 9e 57 39 32 c0 55 79 d6 dd cd 55 ...[..W92.Uy...U
02b0: 2f 6c a4 7e 96 96 f8 f2 51 38 85 35 f1 a9 42 45 /l.~....Q8.5..BE
02c0: b8 f7 e4 a8 68 46 43 c5 5a d8 74 3e e8 a1 f3 25 ....hFC.Z.t>...%
02d0: a7 57 2c bd 0c a2 5d f3 ae 19 57 f6 13 f1 07 2f .W,...]...W..../
02e0: df da 39 85 bd 0f 60 7b 98 52 8b ae 5d 7a 1a c5 ..9...`{.R..]z..
02f0: 59 b5 6f 49 74 05 87 5f a4 72 49 7d 59 79 da 97 Y.oIt.._.rI}Yy..
0300: 5d 01 9c e2 fb b5 42 21 19 f6 9a ef 05 5e cb 8b ].....B!.....^..
0310: e4 b3 2a 7f f2 5e 87 73 23 ed c0 31 78 53 7e 18 ..*..^.s#..1xS~.
0320: 39 16 03 01 00 04 0e 00 00 00 9......... TLS trace: SSL_accept:SSLv3 flush data tls_read: want=5, got=5 0000: 15 03 01 00 02 ..... tls_read: want=2, got=2 0000: 02 30 .0 TLS trace: SSL3 alert read:fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053 connection_read(14): TLS accept failure error=-1 id=6, closing connection_closing: readying conn=6 sd=14 for close connection_close: conn=6 sd=14 daemon: removing 14 daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: select: listen=9 active_threads=0 tvp=NULL daemon: select: listen=10 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: select: listen=9 active_threads=0 tvp=NULL daemon: select: listen=10 active_threads=0 tvp=NULL
>>>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Thanks, Vinh
Vinh CTR Hoang/ACT/CNTR/FAA@FAA Sent by: openldap-technical-bounces+vinh.ctr.hoang=faa.gov@OpenLDAP.org 02/12/2008 05:27 PM
To openldap-technical@openldap.org cc
Subject SSL Help
Hi, I'm having some troubles with openldap w/ TLS. I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving be back "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" On the server side log I'm getting: TLS trace: SSL3 alert read: fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053
I've tried and tested my ssl connection using: openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem and that works, althought if I use "TLSVerifyClient demand" in slapd.conf, the server will reject the connection saying that the client didn't send the certificate.
I also tried the client authentication ssl test and the works w/ and w/o the TLSVerifyClient demand option: openssl s_client -connect ldap1.mylan:636 -state \ -CAfile /usr/local/etc/openldap/cacert.pem \ -cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \ -key /usr/local/etc/openldap/slapd-key-ldap1.pem
Does any know what i'm doing wrong?
Here are the tls part of my configs: slapd.conf .... #TLS SSL keys TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem #TLSVerifyClient demand ....
ldap.conf
BASE dc=mylan HOST ldap1.mylan #URI ldaps://127.0.0.1:636 TLS_CACERT /usr/local/etc/openldap/cacert.pem .....
/etc/ldap.conf
# network or connect timeouts (see bind_timelimit). host 127.0.0.1
# The distinguished name of the search base. #base dc=caplan,dc=org base dc=mylan
# Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. host ldap1.mylan #uri ldap://127.0.0.1/ #uri ldap://127.0.0.1/ ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3
# The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=NonAnon,dc=caplan,dc=org
# The credentials to bind with. # Optional: default is no credential. #bindpw SeCrEt
# The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) #rootbinddn cn=root,dc=padl,dc=com
# The port. # Optional: default is 389. port 389 .. ... ..
# OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 ssl start_tls #ssl on
# OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". tls_checkpeer yes
# CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool
# SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1
# Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key
Thanks, Vinh