On 08/09/2011 02:03 PM, Daniel Qian wrote:
On 11-08-09 3:37 PM, Rich Megginson wrote:
On 08/09/2011 01:36 PM, Daniel Qian wrote:
On 11-08-09 3:32 PM, Rich Megginson wrote:
On 08/09/2011 01:31 PM, Daniel Qian wrote:
On 11-08-09 2:45 PM, Rich Megginson wrote:
On 08/09/2011 12:43 PM, Daniel Qian wrote: > On 11-08-09 2:12 PM, Rich Megginson wrote: >> On 08/09/2011 11:59 AM, Daniel Qian wrote: >>> On 11-08-09 12:55 PM, Rich Megginson wrote: >>>> On 08/09/2011 10:15 AM, Daniel Qian wrote: >>>>> On 11-08-09 11:21 AM, Rich Megginson wrote: >>>>>> On 08/09/2011 09:07 AM, Daniel Qian wrote: >>>>>>> On 11-08-09 10:49 AM, Rich Megginson wrote: >>>>>>>> On 08/09/2011 08:33 AM, Daniel Qian wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I have slapd 2.4.24 and everything works without TLS. >>>>>>>>> but if I add a -Z option to the ldapsearch command I get >>>>>>>>> this: >>>>>>>>> >>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b >>>>>>>>> cn=config -D cn=admin,cn=config -wxxxxxxx -Z -H >>>>>>>>> ldap://ldaprov1.prod cn=config >>>>>>>>> ldap_start_tls: Connect error (-11) >>>>>>>>> ldap_result: Can't contact LDAP server (-1) >>>>>>>>> >>>>>>>>> slapd.log shows something like this : >>>>>>>>> connection_read(16): TLS accept failure error=-1 >>>>>>>>> id=1006, closing >>>>>>>>> >>>>>>>>> Output from openssl debug: >>>>>>>>> >>>>>>>>> [root@ldaprov1 cacerts]# openssl s_client -connect >>>>>>>>> hostname:389 -showcerts -state -CAfile cacert.pem >>>>>>>>> CONNECTED(00000003) >>>>>>>>> SSL_connect:before/connect initialization >>>>>>>>> SSL_connect:SSLv2/v3 write client hello A >>>>>>>>> 140225133647680:error:140790E5:SSL >>>>>>>>> routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: >>>>>>>>> --- >>>>>>>>> no peer certificate available >>>>>>>>> --- >>>>>>>>> No client certificate CA names sent >>>>>>>>> --- >>>>>>>>> SSL handshake has read 0 bytes and written 113 bytes >>>>>>>>> --- >>>>>>>>> New, (NONE), Cipher is (NONE) >>>>>>>>> Secure Renegotiation IS NOT supported >>>>>>>>> Compression: NONE >>>>>>>>> Expansion: NONE >>>>>>>>> --- >>>>>>>>> >>>>>>>>> The configurations are as follow (same command as above >>>>>>>>> but without the -Z option): >>>>>>>>> >>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b >>>>>>>>> cn=config -D cn=admin,cn=config -wxxxxxx -H >>>>>>>>> ldap://hostname cn=config >>>>>>>>> dn: cn=config >>>>>>>>> objectClass: olcGlobal >>>>>>>>> cn: config >>>>>>>>> olcConfigFile: /etc/openldap/slapd.conf >>>>>>>>> olcConfigDir: /etc/openldap/slapd.d >>>>>>>>> olcAllows: bind_v2 >>>>>>>>> olcArgsFile: /var/run/openldap/slapd.args >>>>>>>>> olcAttributeOptions: lang- >>>>>>>>> olcAuthzPolicy: none >>>>>>>>> olcConcurrency: 0 >>>>>>>>> olcConnMaxPending: 100 >>>>>>>>> olcConnMaxPendingAuth: 1000 >>>>>>>>> olcGentleHUP: FALSE >>>>>>>>> olcIdleTimeout: 0 >>>>>>>>> olcIndexSubstrIfMaxLen: 4 >>>>>>>>> olcIndexSubstrIfMinLen: 2 >>>>>>>>> olcIndexSubstrAnyLen: 4 >>>>>>>>> olcIndexSubstrAnyStep: 2 >>>>>>>>> olcIndexIntLen: 4 >>>>>>>>> olcLocalSSF: 71 >>>>>>>>> olcLogLevel: 9 >>>>>>>>> olcPidFile: /var/run/openldap/slapd.pid >>>>>>>>> olcReadOnly: FALSE >>>>>>>>> olcReverseLookup: FALSE >>>>>>>>> olcSaslSecProps: noplain,noanonymous >>>>>>>>> olcSockbufMaxIncoming: 262143 >>>>>>>>> olcSockbufMaxIncomingAuth: 16777215 >>>>>>>>> olcThreads: 16 >>>>>>>>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem >>>>>>>>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt >>>>>>>>> olcTLSCertificateKeyFile: >>>>>>>>> /etc/openldap/cacerts/ldaprov1.key >>>>>>>>> olcTLSVerifyClient: never >>>>>>>>> olcToolThreads: 1 >>>>>>>>> olcWriteTimeout: 0 >>>>>>>>> >>>>>>>>> >>>>>>>>> I verified the ldap user can read all the TLS files and >>>>>>>>> they are setup fine >>>>>>>>> >>>>>>>>> [root@ldaprov1 cacerts]# openssl verify -purpose >>>>>>>>> sslserver -CAfile cacert.pem ldaprov1.crt >>>>>>>>> ldaprov1.crt: OK >>>>>>>>> >>>>>>>>> >>>>>>>>> Anyone can tell me what I am missing here? >>>>>>>> No, but we're missing >>>>>>>> 1) platform >>>>>>>> 2) tls implementation (openssl, moznss, gnutls) >>>>>>>> 3) output of ldapsearch -x -d 1 -Z ...... rest of >>>>>>>> arguments ..... >>>>>>>> >>>>>>> >>>>>>> Its Fedora 15 >>>>>>> >>>>>>> ldd /usr/sbin/slapd >>>>>>> linux-vdso.so.1 => (0x00007fff76fff000) >>>>>>> libltdl.so.7 => /usr/lib64/libltdl.so.7 >>>>>>> (0x00007f0f29fcd000) >>>>>>> libdb-4.8.so => /lib64/libdb-4.8.so >>>>>>> (0x00007f0f29c53000) >>>>>>> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 >>>>>>> (0x00007f0f29a38000) >>>>>>> libcrypt.so.1 => /lib64/libcrypt.so.1 >>>>>>> (0x00007f0f29801000) >>>>>>> libresolv.so.2 => /lib64/libresolv.so.2 >>>>>>> (0x00007f0f295e6000) >>>>>>> libssl3.so => /usr/lib64/libssl3.so >>>>>>> (0x00007f0f293b0000) >>>>>>> libsmime3.so => /usr/lib64/libsmime3.so >>>>>>> (0x00007f0f29183000) >>>>>>> libnss3.so => /usr/lib64/libnss3.so >>>>>>> (0x00007f0f28e4b000) >>>>>>> libnssutil3.so => /usr/lib64/libnssutil3.so >>>>>>> (0x00007f0f28c2b000) >>>>>>> libplds4.so => /lib64/libplds4.so >>>>>>> (0x00007f0f28a28000) >>>>>>> libplc4.so => /lib64/libplc4.so (0x00007f0f28824000) >>>>>>> libnspr4.so => /lib64/libnspr4.so >>>>>>> (0x00007f0f285e6000) >>>>>>> libpthread.so.0 => /lib64/libpthread.so.0 >>>>>>> (0x00007f0f283cb000) >>>>>>> libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000) >>>>>>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000) >>>>>>> libfreebl3.so => /lib64/libfreebl3.so >>>>>>> (0x00007f0f27bcc000) >>>>>>> libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000) >>>>>>> /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000) >>>>>>> >>>>>>> >>>>>>> the ldapsearch -d 1 option tells me a lot more: >>>>>>> ..... >>>>>>> ldap_msgfree >>>>>>> TLS: file ldaprov1.crt does not end in [.0] - does not >>>>>>> appear to be a CA certificate directory file with a >>>>>>> properly hashed file name - skipping. >>>>>>> TLS: file cacert.pem does not end in [.0] - does not >>>>>>> appear to be a CA certificate directory file with a >>>>>>> properly hashed file name - skipping. >>>>>>> TLS: file ldaprov1.key does not end in [.0] - does not >>>>>>> appear to be a CA certificate directory file with a >>>>>>> properly hashed file name - skipping. >>>>>>> ..... >>>>>>> >>>>>>> I tell slapd to look for specific files but how come it is >>>>>>> still checking in a directory? >>>>>> I don't know. What does /etc/openldap/ldap.conf say? Do >>>>>> you have a ~/.ldaprc or ~/ldaprc for the user "ldap"? >>>>> >>>>> So even for slapd the setting TLS_CACERTDIR in >>>>> /etc/openldap/ldap.conf takes precedence over >>>>> olcTLSCACertificateFile in cn=config? I set >>>>> /etc/openldap/ldap.conf for client only and did not mean it >>>>> for slapd. >>>> I don't know. Can someone confirm that this is how it works >>>> when using openssl or gnutls for crypto? That is, I don't >>>> think this problem is specific to moznss. >>>>> >>>>> Now after I removed it from /etc/openldap/ldap.conf, >>>>> ldapsearch -d 1 is indicating the CA certificate not valid: >>>>> >>>>> TLS: certificate [CA certificate details omitted here...] is >>>>> not valid - error -8172:Unknown code ___f 20. >>>>> error -8172:Unknown code ___f 20. >>>>> tls_write: want=7, written=7 >>>>> 0000: 15 03 01 00 02 02 30 >>>>> ......0 >>>>> TLS: error: connect - force handshake failure: errno 21 - >>>>> moznss error -8172 >>>>> TLS: can't connect: TLS error -8172:Unknown code ___f 20. >>>>> ldap_err2string >>>>> ldap_start_tls: Connect error (-11) >>>>> additional info: TLS error -8172:Unknown code ___f 20 >>>>> >>>>> Does this mean all the certificates I created on the same >>>>> server with openssl can not be used by modnss in slapd? I >>>>> never delt with modnss before >>>> 20 means SEC_ERROR_UNTRUSTED_ISSUER >>>> >>>> Can you provide the entire log leading up to this point? you >>>> can paste it to fpaste.org if you don't want to spam the list >>>> with too much information. >>>> >>>> Yes, openldap with moznss should work _exactly_ like openldap >>>> with openssl. If this is something that was working before >>>> this is a bug that needs to be fixed asap. >>> >>> I ran the same ldapsearch command from a Centos box which has >>> openssl and the error messages says this : >>> >>> TLS certificate verification: Error, self signed certificate >>> in certificate chain >>> >>> which is not true. I have separate CA certificate and server >>> certificate. The server certificate is signed by the CA >>> certificate. >> openssl seems to be complaining about the CA certificate: >> # >> TLS certificate verification: depth: 1, err: 19, subject: >> /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic >> Media Group root >> CA/emailAddress=sysadmin@theepicmediagroup.com, issuer: >> /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic >> Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com >> # >> TLS certificate verification: Error, self signed certificate in >> certificate chain >> >> Note that the subject: is the same as the issuer: - that is, it >> is a self signed certificate (self issued). >> >> But I'm not sure if this is the real problem. > > That certificate it is complaining about is actually the ROOT > CA. But I have another server certificate specified by > "olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt" in > cn=config and its subject and issuer are shown below: > > certs]# openssl x509 -noout -issuer -subject -in > /etc/ssl/certs/ldaprov1.crt > issuer= /C=CA/ST=Ontario/L=Toronto/O=Epic Media > Group/OU=IT/CN=Epic Media Group root > CA/emailAddress=sysadmin@theepicmediagroup.com > subject= /C=CA/ST=Ontario/L=Toronto/O=Epic Media > Group/OU=IT/CN=ldaprov1.prod/emailAddress=sysadmin@theepicmediagroup.com > > > Its that the client can't seem to get it for some reasons. >> # >> TLS trace: SSL3 alert write:fatal:unknown CA >> >> Do you have the CA cert on the client machine? > > I put the same CA cert on the client machine, both in > /etc/ldap.conf(/etc/nss_ldap.conf on Fedora now) and > /etc/openldap/ldap.conf > >>> >>> Seems the server certificate defined in olcTLSCertificateFile >>> never gets recognized by the client. >>> >>> Centos openssl output pasted - http://fpaste.org/7Hju/ >>> Fedora moznss output pasted - http://fpaste.org/aE19/ >> >> If you remove TLS_CACERTDIR from /etc/openldap/ldap.conf and >> then specify >> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem >> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt >> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key >> > That is what I have been doing, or trying to do the whole time. > Note the last three lines from the current configuration as > shown below from the Centos client: > > .prod:/etc/openldap/cacerts]# ldapsearch -x -LLL -b cn=config > -D cn=admin,cn=config -wtesting123 -H ldap://ldaprov1.prod > cn=config > dn: cn=config > objectClass: olcGlobal > cn: config > olcConfigFile: /etc/openldap/slapd.conf > olcConfigDir: /etc/openldap/slapd.d > olcAllows: bind_v2 > olcArgsFile: /var/run/openldap/slapd.args > olcAttributeOptions: lang- > olcAuthzPolicy: none > olcConcurrency: 0 > olcConnMaxPending: 100 > olcConnMaxPendingAuth: 1000 > olcGentleHUP: FALSE > olcIdleTimeout: 0 > olcIndexSubstrIfMaxLen: 4 > olcIndexSubstrIfMinLen: 2 > olcIndexSubstrAnyLen: 4 > olcIndexSubstrAnyStep: 2 > olcIndexIntLen: 4 > olcLocalSSF: 71 > olcLogLevel: 9 > olcPidFile: /var/run/openldap/slapd.pid > olcReadOnly: FALSE > olcReverseLookup: FALSE > olcSaslSecProps: noplain,noanonymous > olcSockbufMaxIncoming: 262143 > olcSockbufMaxIncomingAuth: 16777215 > olcThreads: 16 > olcTLSVerifyClient: never > olcToolThreads: 1 > olcWriteTimeout: 0 > olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem > olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt > olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key try starting slapd with -d 1
got the following from the log:
With -d 1 there should be a lot more output than this?
You mean those produced when it starts up?
Yes, and also when it's running - there should be a lot more messages from the TLS related code
and this is the log when I did the query
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 ber_get_next ber_get_next: tag 0x30 len 29 contents: op tag 0x77, time 1312934328 ber_get_next conn=1000 op=0 do_extended ber_scanf fmt ({m) ber: send_ldap_extended: err=0 oid= len=0 send_ldap_response: msgid=1 tag=120 err=0 ber_flush2: 14 bytes to sd 12 connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 TLS: loaded CA certificate file /etc/ssl/certs/cacert.pem. TLS: certificate [E=sysadmin@theepicmediagroup.com,CN=ldaprov1.prod,OU=IT,O=Epic Media Group,L=Toronto,ST=Ontario,C=CA] is valid connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 TLS: error: accept - force handshake failure: errno 11 - moznss error -12195 TLS: can't accept: TLS error -12195:Unknown code ___P 93. connection_read(12): TLS accept failure error=-1 id=1000, closing connection_close: conn=1000 sd=12
So it looks like the server picks up the certificate fine (CN=ldaprov1.prod)
Error -12195 is SSL_ERROR_UNKNOWN_CA_ALERT - it means the client does not know about or does not trust the CA cert that issued the SSL server cert of the server.