On 11-08-09 3:37 PM, Rich Megginson wrote:
On 08/09/2011 01:36 PM, Daniel Qian wrote:
On 11-08-09 3:32 PM, Rich Megginson wrote:
On 08/09/2011 01:31 PM, Daniel Qian wrote:
On 11-08-09 2:45 PM, Rich Megginson wrote:
On 08/09/2011 12:43 PM, Daniel Qian wrote:
On 11-08-09 2:12 PM, Rich Megginson wrote:
> On 08/09/2011 11:59 AM, Daniel Qian wrote:
>> On 11-08-09 12:55 PM, Rich Megginson wrote:
>>> On 08/09/2011 10:15 AM, Daniel Qian wrote:
>>>> On 11-08-09 11:21 AM, Rich Megginson wrote:
>>>>> On 08/09/2011 09:07 AM, Daniel Qian wrote:
>>>>>> On 11-08-09 10:49 AM, Rich Megginson wrote:
>>>>>>> On 08/09/2011 08:33 AM, Daniel Qian wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have slapd 2.4.24 and everything works without TLS, but
>>>>>>>> if I add a -Z option to the ldapsearch command I get this:
>>>>>>>>
>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config
>>>>>>>> -D cn=admin,cn=config -wxxxxxxx -Z -H
>>>>>>>> ldap://ldaprov1.prod cn=config
>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>> ldap_result: Can't contact LDAP server (-1)
>>>>>>>>
>>>>>>>> slapd.log shows something like this:
>>>>>>>> connection_read(16): TLS accept failure error=-1 id=1006,
>>>>>>>> closing
>>>>>>>>
>>>>>>>> Output from openssl debug:
>>>>>>>>
>>>>>>>> [root@ldaprov1 cacerts]# openssl s_client -connect
>>>>>>>> hostname:389 -showcerts -state -CAfile cacert.pem
>>>>>>>> CONNECTED(00000003)
>>>>>>>> SSL_connect:before/connect initialization
>>>>>>>> SSL_connect:SSLv2/v3 write client hello A
>>>>>>>> 140225133647680:error:140790E5:SSL
>>>>>>>> routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
>>>>>>>> ---
>>>>>>>> no peer certificate available
>>>>>>>> ---
>>>>>>>> No client certificate CA names sent
>>>>>>>> ---
>>>>>>>> SSL handshake has read 0 bytes and written 113 bytes
>>>>>>>> ---
>>>>>>>> New, (NONE), Cipher is (NONE)
>>>>>>>> Secure Renegotiation IS NOT supported
>>>>>>>> Compression: NONE
>>>>>>>> Expansion: NONE
>>>>>>>> ---
>>>>>>>>
>>>>>>>> The configuration is as follows (same command as above
>>>>>>>> but without the -Z option):
>>>>>>>>
>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config
>>>>>>>> -D cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config
>>>>>>>> dn: cn=config
>>>>>>>> objectClass: olcGlobal
>>>>>>>> cn: config
>>>>>>>> olcConfigFile: /etc/openldap/slapd.conf
>>>>>>>> olcConfigDir: /etc/openldap/slapd.d
>>>>>>>> olcAllows: bind_v2
>>>>>>>> olcArgsFile: /var/run/openldap/slapd.args
>>>>>>>> olcAttributeOptions: lang-
>>>>>>>> olcAuthzPolicy: none
>>>>>>>> olcConcurrency: 0
>>>>>>>> olcConnMaxPending: 100
>>>>>>>> olcConnMaxPendingAuth: 1000
>>>>>>>> olcGentleHUP: FALSE
>>>>>>>> olcIdleTimeout: 0
>>>>>>>> olcIndexSubstrIfMaxLen: 4
>>>>>>>> olcIndexSubstrIfMinLen: 2
>>>>>>>> olcIndexSubstrAnyLen: 4
>>>>>>>> olcIndexSubstrAnyStep: 2
>>>>>>>> olcIndexIntLen: 4
>>>>>>>> olcLocalSSF: 71
>>>>>>>> olcLogLevel: 9
>>>>>>>> olcPidFile: /var/run/openldap/slapd.pid
>>>>>>>> olcReadOnly: FALSE
>>>>>>>> olcReverseLookup: FALSE
>>>>>>>> olcSaslSecProps: noplain,noanonymous
>>>>>>>> olcSockbufMaxIncoming: 262143
>>>>>>>> olcSockbufMaxIncomingAuth: 16777215
>>>>>>>> olcThreads: 16
>>>>>>>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
>>>>>>>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
>>>>>>>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
>>>>>>>> olcTLSVerifyClient: never
>>>>>>>> olcToolThreads: 1
>>>>>>>> olcWriteTimeout: 0
>>>>>>>>
>>>>>>>>
>>>>>>>> I verified the ldap user can read all the TLS files and
>>>>>>>> they are set up fine:
>>>>>>>>
>>>>>>>> [root@ldaprov1 cacerts]# openssl verify -purpose
>>>>>>>> sslserver -CAfile cacert.pem ldaprov1.crt
>>>>>>>> ldaprov1.crt: OK
>>>>>>>>
>>>>>>>>
>>>>>>>> Can anyone tell me what I am missing here?
>>>>>>> No, but we're missing
>>>>>>> 1) platform
>>>>>>> 2) tls implementation (openssl, moznss, gnutls)
>>>>>>> 3) output of ldapsearch -x -d 1 -Z ...... rest of
>>>>>>> arguments .....
>>>>>>>
>>>>>>
>>>>>> It's Fedora 15
>>>>>>
>>>>>> ldd /usr/sbin/slapd
>>>>>> linux-vdso.so.1 => (0x00007fff76fff000)
>>>>>> libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f0f29fcd000)
>>>>>> libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000)
>>>>>> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f0f29a38000)
>>>>>> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0f29801000)
>>>>>> libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0f295e6000)
>>>>>> libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000)
>>>>>> libsmime3.so => /usr/lib64/libsmime3.so (0x00007f0f29183000)
>>>>>> libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000)
>>>>>> libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f0f28c2b000)
>>>>>> libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000)
>>>>>> libplc4.so => /lib64/libplc4.so (0x00007f0f28824000)
>>>>>> libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000)
>>>>>> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0f283cb000)
>>>>>> libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000)
>>>>>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000)
>>>>>> libfreebl3.so => /lib64/libfreebl3.so (0x00007f0f27bcc000)
>>>>>> libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000)
>>>>>> /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000)
>>>>>>
>>>>>>
>>>>>> the ldapsearch -d 1 option tells me a lot more:
>>>>>> .....
>>>>>> ldap_msgfree
>>>>>> TLS: file ldaprov1.crt does not end in [.0] - does not
>>>>>> appear to be a CA certificate directory file with a
>>>>>> properly hashed file name - skipping.
>>>>>> TLS: file cacert.pem does not end in [.0] - does not appear
>>>>>> to be a CA certificate directory file with a properly
>>>>>> hashed file name - skipping.
>>>>>> TLS: file ldaprov1.key does not end in [.0] - does not
>>>>>> appear to be a CA certificate directory file with a
>>>>>> properly hashed file name - skipping.
>>>>>> .....
>>>>>>
>>>>>> I tell slapd to look for specific files, but how come it is
>>>>>> still checking in a directory?
>>>>> I don't know. What does /etc/openldap/ldap.conf say? Do
>>>>> you have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
>>>>
>>>> So even for slapd the setting TLS_CACERTDIR in
>>>> /etc/openldap/ldap.conf takes precedence over
>>>> olcTLSCACertificateFile in cn=config? I set
>>>> /etc/openldap/ldap.conf for the client only and did not mean it
>>>> for slapd.
>>> I don't know. Can someone confirm that this is how it works
>>> when using openssl or gnutls for crypto? That is, I don't
>>> think this problem is specific to moznss.
>>>>
>>>> Now after I removed it from /etc/openldap/ldap.conf,
>>>> ldapsearch -d 1 is indicating the CA certificate is not valid:
>>>>
>>>> TLS: certificate [CA certificate details omitted here...] is
>>>> not valid - error -8172:Unknown code ___f 20.
>>>> error -8172:Unknown code ___f 20.
>>>> tls_write: want=7, written=7
>>>> 0000: 15 03 01 00 02 02 30 ......0
>>>> TLS: error: connect - force handshake failure: errno 21 -
>>>> moznss error -8172
>>>> TLS: can't connect: TLS error -8172:Unknown code ___f 20.
>>>> ldap_err2string
>>>> ldap_start_tls: Connect error (-11)
>>>> additional info: TLS error -8172:Unknown code ___f 20
>>>>
>>>> Does this mean all the certificates I created on the same
>>>> server with openssl cannot be used by moznss in slapd? I
>>>> never dealt with moznss before.
>>> 20 means SEC_ERROR_UNTRUSTED_ISSUER
>>>
>>> Can you provide the entire log leading up to this point? You
>>> can paste it to fpaste.org if you don't want to spam the list
>>> with too much information.
>>>
>>> Yes, openldap with moznss should work _exactly_ like openldap
>>> with openssl. If this is something that was working before,
>>> this is a bug that needs to be fixed asap.
>>
>> I ran the same ldapsearch command from a Centos box which has
>> openssl and the error message says this:
>>
>> TLS certificate verification: Error, self signed certificate in
>> certificate chain
>>
>> which is not true. I have a separate CA certificate and server
>> certificate. The server certificate is signed by the CA
>> certificate.
> openssl seems to be complaining about the CA certificate:
> #
> TLS certificate verification: depth: 1, err: 19, subject:
> /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic
> Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com,
> issuer: /C=CA/ST=Ontario/L=Toronto/O=Epic Media
> Group/OU=IT/CN=Epic Media Group root
> CA/emailAddress=sysadmin@theepicmediagroup.com
> #
> TLS certificate verification: Error, self signed certificate in
> certificate chain
>
> Note that the subject: is the same as the issuer: - that is, it
> is a self signed certificate (self issued).
>
> But I'm not sure if this is the real problem.
That certificate it is complaining about is actually the ROOT CA. But I have another server certificate specified by "olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt" in cn=config and its subject and issuer are shown below:
certs]# openssl x509 -noout -issuer -subject -in /etc/ssl/certs/ldaprov1.crt
issuer= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
subject= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=ldaprov1.prod/emailAddress=sysadmin@theepicmediagroup.com

It's that the client can't seem to get it for some reason.
> #
> TLS trace: SSL3 alert write:fatal:unknown CA
>
> Do you have the CA cert on the client machine?
I put the same CA cert on the client machine, both in /etc/ldap.conf(/etc/nss_ldap.conf on Fedora now) and /etc/openldap/ldap.conf
>>
>> Seems the server certificate defined in olcTLSCertificateFile
>> never gets recognized by the client.
>>
>> Centos openssl output pasted - http://fpaste.org/7Hju/
>> Fedora moznss output pasted - http://fpaste.org/aE19/
>
> If you remove TLS_CACERTDIR from /etc/openldap/ldap.conf and
> then specify
> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
>
That is what I have been doing, or trying to do, the whole time. Note the last three lines of the current configuration as shown below from the Centos client:

.prod:/etc/openldap/cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wtesting123 -H ldap://ldaprov1.prod cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: 9
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
try starting slapd with -d 1
got the following from the log:
With -d 1 there should be a lot more output than this?
You mean those produced when it starts up?
Yes, and also when it's running - there should be a lot more messages from the TLS related code
startup log here http://fpaste.org/vy7x/
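The thread above turns on reading two different `ldapsearch -d 1` traces correctly: the OpenSSL-built client reports `depth: 1, err: 19` with identical subject and issuer (the chain ends in a self-signed root the client has no trust anchor for), while the moznss-built client reports NSS code `-8172`, which is `SEC_ERROR_BASE + 20`, i.e. `SEC_ERROR_UNTRUSTED_ISSUER`, and additionally shows `TLS_CACERTDIR` being applied to a directory whose files lack `<hash>.0` names. The helper below is an added example, not code from this thread or from OpenLDAP; it parses those three trace signatures and reports what each one tells a defender. The sample log lines are constructed from the messages quoted above (the mail-wrapped subject/issuer line is re-joined, since libldap prints it as one line); the numeric-to-symbolic tables are the OpenSSL `X509_V_ERR_*` codes and NSS's `secerr.h` offsets.

```python
import re
from dataclasses import dataclass

# Subset of OpenSSL's X509_V_ERR_* result codes as they appear in the
# "err:" field of libldap's verification trace.
X509_VERIFY_ERRORS = {
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}

# NSS error numbers are SEC_ERROR_BASE plus a small offset; that offset is
# the "___f 20" libldap printed when it had no message text for the code.
SEC_ERROR_BASE = -8192
NSS_ERRORS = {
    11: "SEC_ERROR_EXPIRED_CERTIFICATE",
    13: "SEC_ERROR_UNKNOWN_ISSUER",
    20: "SEC_ERROR_UNTRUSTED_ISSUER",
    21: "SEC_ERROR_UNTRUSTED_CERT",
}

VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                       r"subject: (.*?), issuer: (.*)$")
NSS_RE = re.compile(r"error (-\d+):Unknown code ___f (\d+)")
CADIR_RE = re.compile(r"TLS: file (\S+) does not end in \[\.0\]")


@dataclass
class Finding:
    source: str   # "openssl", "moznss" or "cacertdir"
    code: str     # symbolic error name, or the directive involved
    detail: str   # what the trace tells a defender


def same_name(a, b):
    """Compare two DNs ignoring whitespace that mail wrapping inserts."""
    return " ".join(a.split()) == " ".join(b.split())


def triage(log_lines):
    """Turn libldap -d 1 trace lines into de-duplicated findings."""
    findings, seen, unhashed = [], set(), []
    for line in log_lines:
        if m := VERIFY_RE.search(line):
            depth, err = int(m.group(1)), int(m.group(2))
            subject, issuer = m.group(3), m.group(4)
            if err == 0:
                continue  # this chain element verified fine
            name = X509_VERIFY_ERRORS.get(err, f"X509_V_ERR_{err}")
            if err == 19 and depth >= 1 and same_name(subject, issuer):
                detail = ("chain ends in a self-signed root the client does not "
                          "trust: put that CA certificate in the client's trust "
                          "store (TLS_CACERT); the server certificate is not what failed")
            elif err == 18:
                detail = "the leaf certificate itself is self-signed and untrusted"
            else:
                detail = f"verification failed at depth {depth}"
            key = ("openssl", name)
        elif m := NSS_RE.search(line):
            code, offset = int(m.group(1)), int(m.group(2))
            if code - SEC_ERROR_BASE != offset:
                raise ValueError(f"inconsistent NSS code in line: {line}")
            name = NSS_ERRORS.get(offset, f"SEC_ERROR_{offset}")
            detail = f"NSS code {code} is SEC_ERROR_BASE + {offset}"
            if offset == 20:
                detail += ": the issuing CA is not in the client's trust store"
            key = ("moznss", name)
        elif m := CADIR_RE.search(line):
            unhashed.append(m.group(1))  # reported once, at the end
            continue
        else:
            continue
        if key not in seen:
            seen.add(key)
            findings.append(Finding(key[0], key[1], detail))
    if unhashed:
        findings.append(Finding(
            "cacertdir", "TLS_CACERTDIR",
            "a CA certificate directory is in effect and holds files without "
            f"<hash>.0 names, so they are skipped: {', '.join(unhashed)}"))
    return findings


# Constructed sample traces, based on the two pastes quoted in the thread.
ROOT_CA_DN = ("/C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT"
              "/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com")
SAMPLE_OPENSSL = [
    f"TLS certificate verification: depth: 1, err: 19, subject: {ROOT_CA_DN}, issuer: {ROOT_CA_DN}",
    "TLS certificate verification: Error, self signed certificate in certificate chain",
    "TLS trace: SSL3 alert write:fatal:unknown CA",
]
SAMPLE_MOZNSS = [
    "TLS: file ldaprov1.crt does not end in [.0] - does not appear to be a CA "
    "certificate directory file with a properly hashed file name - skipping.",
    "TLS: file cacert.pem does not end in [.0] - does not appear to be a CA "
    "certificate directory file with a properly hashed file name - skipping.",
    "TLS: certificate [CA certificate details omitted here...] is not valid - "
    "error -8172:Unknown code ___f 20.",
    "TLS: can't connect: TLS error -8172:Unknown code ___f 20.",
]

if __name__ == "__main__":
    for label, log in (("openssl", SAMPLE_OPENSSL), ("moznss", SAMPLE_MOZNSS)):
        for f in triage(log):
            print(f"[{label}] {f.source} {f.code}: {f.detail}")
```

Run against the constructed OpenSSL trace it yields a single `X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN` finding pointing at the client's trust store, and against the moznss trace it yields `SEC_ERROR_UNTRUSTED_ISSUER` plus a `TLS_CACERTDIR` finding naming the files being skipped; both agree with the diagnosis Rich gives in the thread that the server certificate is not the thing failing verification.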