It seems like my ldapsearch can't find the get local issuer certificate. what configuration files tells the ldapsearch of which
certificate to use?
Oh, my certificate and keys and cacert files are good, I've tested them using the openssl s_server and s_client to get a basic connection.
can someone help me, I don't know what else could be the problem.

here's the log for ldapsearch:
/usr/local/bin/ldapsearch -x -LLL -ZZ -d 1                  
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_close_socket: 4
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 4
ldap_result ld 60888 msgid 1
ldap_chkResponseList ld 60888 msgid 1 all 1
ldap_chkResponseList returns ld 60888 NULL
wait4msg ld 60888 msgid 1 (infinite timeout)
wait4msg continue ld 60888 msgid 1 all 1
** ld 60888 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Feb 13 20:49:25 2008

** ld 60888 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 60888 Response Queue:
   Empty
ldap_chkResponseList ld 60888 msgid 1 all 1
ldap_chkResponseList returns ld 60888 NULL
ldap_int_select
read1msg: ld 60888 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 60888 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 60888 0 new referrals
read1msg:  mark request completed, ld 60888 msgid 1
request done: ld 60888 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /CN=ldap1.mylan/emailAddress=abc@mylan, issuer: /CN=ldap1.mylan/emailAddress=abc@mylan
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

and here's the server's log for that search


daemon: activity on 1 descriptor
>>> slap_listener(ldap:///)
daemon: listen=8, new connection on 14
daemon: added 14r (active) listener=0
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=6
connection_read(14): checking for input on id=6
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80                            0....w..          
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31  2e 34 2e 31 2e 31 34 36   .1.3.6.1.4.1.146  
  0010:  36 2e 32 30 30 33 37                               6.20037          
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x002094f0 ptr=0x002094f0 end=0x0020950d len=29
  0000:  02 01 01 77 18 80 16 31  2e 33 2e 36 2e 31 2e 34   ...w...1.3.6.1.4  
  0010:  2e 31 2e 31 34 36 36 2e  32 30 30 33 37            .1.1466.20037    
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x002094f0 ptr=0x002094f3 end=0x0020950d len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.  
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037        
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a  01 00 04 00 04 00         0....x........    
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=6
connection_read(14): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 7a 01 03 01 00 51 00  00 00 20                  .z....Q...        
tls_read: want=113, got=113
  0000:  00 00 39 00 00 38 00 00  35 00 00 16 00 00 13 00   ..9..8..5.......  
  0010:  00 0a 07 00 c0 00 00 33  00 00 32 00 00 2f 00 00   .......3..2../..  
  0020:  07 05 00 80 03 00 80 00  00 05 00 00 04 01 00 80   ................  
  0030:  00 00 15 00 00 12 00 00  09 06 00 40 00 00 14 00   ...........@....  
  0040:  00 11 00 00 08 00 00 06  04 00 80 00 00 03 02 00   ................  
  0050:  80 32 4e ca 88 41 1f 3a  73 cd a1 1c 29 73 a6 81   .2N..A.:s...)s..  
  0060:  8c c5 af c3 af 93 bf 13  4a c7 54 90 b7 82 d2 69   ........J.T....i  
  0070:  2f                                                 /                
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=810, written=810
  0000:  16 03 01 00 4a 02 00 00  46 03 01 47 b3 58 84 43   ....J...F..G.X.C  
  0010:  c3 a5 64 a9 b5 7c 0b 8b  25 1c d6 e9 ce f2 1f 9b   ..d..|..%.......  
  0020:  82 00 e0 6d 33 e7 e6 44  53 6c 52 20 7d 72 fe 41   ...m3..DSlR }r.A  
  0030:  17 4c 96 5c 5c 9c 6b df  32 0d c0 32 45 fe 7b bf   .L.\\.k.2..2E.{.  
  0040:  a9 5e 16 4b 62 ec 3b 11  76 6e ee ce 00 35 00 16   .^.Kb.;.vn...5..  
  0050:  03 01 02 cd 0b 00 02 c9  00 02 c6 00 02 c3 30 82   ..............0.  
  0060:  02 bf 30 82 02 28 a0 03  02 01 02 02 01 01 30 0d   ..0..(........0.  
  0070:  06 09 2a 86 48 86 f7 0d  01 01 04 05 00 30 30 31   ..*.H........001  
  0080:  14 30 12 06 03 55 04 03  13 0b 6c 64 61 70 31 2e   .0...U....ldap1.  
  0090:  6d 79 6c 61 6e 31 18 30  16 06 09 2a 86 48 86 f7   mylan1.0...*.H..  
  00a0:  0d 01 09 01 16 09 61 62  63 40 6d 79 6c 61 6e 30   ......abc@mylan0  
  00b0:  1e 17 0d 30 38 30 32 31  33 31 36 31 34 32 32 5a   ...080213161422Z  
  00c0:  17 0d 31 38 30 32 31 32  31 36 31 34 32 32 5a 30   ..180212161422Z0  
  00d0:  30 31 14 30 12 06 03 55  04 03 13 0b 6c 64 61 70   01.0...U....ldap  
  00e0:  31 2e 6d 79 6c 61 6e 31  18 30 16 06 09 2a 86 48   1.mylan1.0...*.H  
  00f0:  86 f7 0d 01 09 01 16 09  61 62 63 40 6d 79 6c 61   ........abc@myla  
  0100:  6e 30 81 9f 30 0d 06 09  2a 86 48 86 f7 0d 01 01   n0..0...*.H.....  
  0110:  01 05 00 03 81 8d 00 30  81 89 02 81 81 00 ef 80   .......0........  
  0120:  03 36 0f 1e e0 19 e7 1d  03 a9 cb 13 53 81 d6 f7   .6..........S...  
  0130:  bf b6 e4 1c 84 38 77 bd  85 39 e6 f6 9c 50 70 82   .....8w..9...Pp.  
  0140:  3e 7e e0 17 e9 86 4f a3  48 8f bb 1a f1 04 92 72   >~....O.H......r  
  0150:  bc 02 a7 dd 97 54 c1 cd  09 bd f8 d8 da 23 04 8e   .....T.......#..  
  0160:  e7 77 de 44 f8 54 f9 5e  35 1e 05 50 71 b2 dc 25   .w.D.T.^5..Pq..%  
  0170:  71 7b e9 48 99 bf 93 a2  07 4e 4e 1f 1f 96 c8 b8   q{.H.....NN.....  
  0180:  76 21 3b fc c7 60 ab b2  4a 01 2d 8a 15 ee af e7   v!;..`..J.-.....  
  0190:  76 4e 50 1b 61 8f 5c a1  b3 07 4a cc 82 43 02 03   vNP.a.\...J..C..  
  01a0:  01 00 01 a3 81 e8 30 81  e5 30 09 06 03 55 1d 13   ......0..0...U..  
  01b0:  04 02 30 00 30 2c 06 09  60 86 48 01 86 f8 42 01   ..0.0,..`.H...B.  
  01c0:  0d 04 1f 16 1d 4f 70 65  6e 53 53 4c 20 47 65 6e   .....OpenSSL Gen  
  01d0:  65 72 61 74 65 64 20 43  65 72 74 69 66 69 63 61   erated Certifica  
  01e0:  74 65 30 1d 06 03 55 1d  0e 04 16 04 14 18 e5 ab   te0...U.........  
  01f0:  2a 99 96 50 78 35 71 52  a6 ad 1f 8a 53 c6 72 cd   *..Px5qR....S.r.  
  0200:  dc 30 60 06 03 55 1d 23  04 59 30 57 80 14 25 ba   .0`..U.#.Y0W..%.  
  0210:  f3 49 07 88 d2 aa 76 2f  59 fc f0 bb 08 6d b5 17   .I....v/Y....m..  
  0220:  f3 e8 a1 34 a4 32 30 30  31 14 30 12 06 03 55 04   ...4.2001.0...U.  
  0230:  03 13 0b 6c 64 61 70 31  2e 6d 79 6c 61 6e 31 18   ...ldap1.mylan1.  
  0240:  30 16 06 09 2a 86 48 86  f7 0d 01 09 01 16 09 61   0...*.H........a  
  0250:  62 63 40 6d 79 6c 61 6e  82 09 00 8e 0f 59 9d 05   bc@mylan.....Y..  
  0260:  90 4f f0 30 29 06 03 55  1d 11 04 22 30 20 82 0a   .O.0)..U..."0 ..  
  0270:  6c 64 61 70 2e 6d 79 6c  61 6e 82 12 6c 6f 61 64   ldap.mylan..load  
  0280:  62 61 6c 61 6e 63 65 72  2e 6d 79 6c 61 6e 30 0d   balancer.mylan0.  
  0290:  06 09 2a 86 48 86 f7 0d  01 01 04 05 00 03 81 81   ..*.H...........  
  02a0:  00 89 b9 5b c0 9e 57 39  32 c0 55 79 d6 dd cd 55   ...[..W92.Uy...U  
  02b0:  2f 6c a4 7e 96 96 f8 f2  51 38 85 35 f1 a9 42 45   /l.~....Q8.5..BE  
  02c0:  b8 f7 e4 a8 68 46 43 c5  5a d8 74 3e e8 a1 f3 25   ....hFC.Z.t>...%  
  02d0:  a7 57 2c bd 0c a2 5d f3  ae 19 57 f6 13 f1 07 2f   .W,...]...W..../  
  02e0:  df da 39 85 bd 0f 60 7b  98 52 8b ae 5d 7a 1a c5   ..9...`{.R..]z..  
  02f0:  59 b5 6f 49 74 05 87 5f  a4 72 49 7d 59 79 da 97   Y.oIt.._.rI}Yy..  
  0300:  5d 01 9c e2 fb b5 42 21  19 f6 9a ef 05 5e cb 8b   ].....B!.....^..  
  0310:  e4 b3 2a 7f f2 5e 87 73  23 ed c0 31 78 53 7e 18   ..*..^.s#..1xS~.  
  0320:  39 16 03 01 00 04 0e 00  00 00                     9.........        
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....            
tls_read: want=2, got=2
  0000:  02 30                                              .0                
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053
connection_read(14): TLS accept failure error=-1 id=6, closing
connection_closing: readying conn=6 sd=14 for close
connection_close: conn=6 sd=14
daemon: removing 14
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL

>>>>>>>>>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Thanks,
Vinh




Vinh CTR Hoang/ACT/CNTR/FAA@FAA
Sent by: openldap-technical-bounces+vinh.ctr.hoang=faa.gov@OpenLDAP.org

02/12/2008 05:27 PM

To
openldap-technical@openldap.org
cc
Subject
SSL Help






Hi, I'm having some troubles with openldap w/ TLS.  
I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving be back
 "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
On the server side log I'm getting:
  TLS trace: SSL3 alert read: fatal:unknown CA
  TLS trace: SSL_accept:failed in SSLv3 read client certificate A
  TLS: can't accept
  TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053


I've tried and tested my ssl connection using:
  openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem
and that works, althought if I use "TLSVerifyClient demand" in slapd.conf, the server will reject the connection
saying that the client didn't send the certificate.  
 
I also tried the client authentication ssl test and the works w/ and w/o the TLSVerifyClient demand option:
  openssl s_client -connect ldap1.mylan:636 -state \
  -CAfile /usr/local/etc/openldap/cacert.pem \
  -cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \
 -key /usr/local/etc/openldap/slapd-key-ldap1.pem

Does any know what i'm doing wrong?

Here are the tls part of my configs:
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....


ldap.conf

BASE        dc=mylan
HOST        ldap1.mylan
#URI        ldaps://127.0.0.1:636
TLS_CACERT        /usr/local/etc/openldap/cacert.pem
.....

/etc/ldap.conf

# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
#base dc=caplan,dc=org
base dc=mylan

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
host ldap1.mylan
#uri ldap://127.0.0.1/
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/  
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=NonAnon,dc=caplan,dc=org

# The credentials to bind with.
# Optional: default is no credential.
#bindpw SeCrEt

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=root,dc=padl,dc=com

# The port.
# Optional: default is 389.
port 389
..
...
..

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/local/etc/openldap/cacert.pem

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key



Thanks,
Vinh