--On Friday, January 08, 2016 3:38 PM -0600 Graham Allan
<allan(a)physics.umn.edu> wrote:
Replying to my own message here, but I continue to investigate my
problem and can't explain what I see. I put together a small test
program to connect to our ldap server using the same parameters as smbd.
Setting "ldap debug level = 1" in smb.conf, and the equivalent
LDAP_DEBUG_TRACE in my test program shows the smbd output complaining of
certificate signature failure.
smbd output:
> [LDAP] ldap_simple_bind_s
> [LDAP] ldap_sasl_bind_s
> [LDAP] ldap_sasl_bind
> [LDAP] ldap_send_initial_request
> [LDAP] ldap_new_connection 1 1 0
> [LDAP] ldap_int_open_connection
> [LDAP] ldap_connect_to_host: TCP ldap.spa.umn.edu:636
> [LDAP] ldap_new_socket: 9
> [LDAP] ldap_prepare_socket: 9
> [LDAP] ldap_connect_to_host: Trying 128.101.220.24:636
> [LDAP] ldap_pvt_connect: fd: 9 tm: -1 async: 0
> [LDAP] attempting to connect:
> [LDAP] connect success
> [LDAP] TLS trace: SSL_connect:before/connect initialization
> [LDAP] TLS trace: SSL_connect:SSLv2/v3 write client hello A
> [LDAP] TLS trace: SSL_connect:SSLv3 read server hello A
> [LDAP] TLS certificate verification: depth: 3, err: 0, subject: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root,
> [LDAP] issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> [LDAP] TLS certificate verification: depth: 2, err: 0, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority,
> [LDAP] issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> [LDAP] TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA,
> [LDAP] issuer: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
> [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,
> [LDAP] issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> [LDAP] TLS certificate verification: Error, certificate signature failure
> [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=US/postalCode=55455/ST=MN/L=Minneapolis/street=100 Union Street SE/O=University of Minnesota/OU=School of Physics and Astronomy/CN=ldap.spa.umn.edu,
> [LDAP] issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
> [LDAP] TLS trace: SSL_connect:SSLv3 read server certificate A
> [LDAP] TLS trace: SSL_connect:SSLv3 read server done A
> [LDAP] TLS trace: SSL_connect:SSLv3 write client key exchange A
> [LDAP] TLS trace: SSL_connect:error in error
> [LDAP] TLS trace: SSL_connect:error in error
> [LDAP] TLS: can't connect: .
Error in error is pretty interesting. What SSL libs is samba linked to?
What SSL libs is your test program linked to?
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
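
As an added example that is not part of either message: a small Python parser for "TLS certificate verification" entries like those in the quoted smbd trace, which pulls out depth, err, subject and issuer per certificate and names the OpenSSL verify code, whether or not a mail client has re-wrapped the lines. The function names, the short error table and the sample trace are assumptions made for illustration; the sample is constructed with placeholder names.

```python
import re

# A few OpenSSL X509_V_ERR_* values (openssl/x509_vfy.h); 7 is the code in this thread.
X509_V_ERR = {
    0: "X509_V_OK",
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}
VERIFY = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.*?),?$")
ISSUER = re.compile(r"issuer: (.*)$")

def parse_chain(trace):
    """Return one dict per distinct (depth, err) verification entry, in log order."""
    # Undo mail quoting/wrapping: drop "> ", join the lines, split on the [LDAP] prefix.
    flat = " ".join(re.sub(r"^>\s?", "", ln).strip() for ln in trace.splitlines())
    records = [r.strip() for r in flat.split("[LDAP]") if r.strip()]
    chain, seen = [], set()
    for i, rec in enumerate(records):
        m = VERIFY.match(rec)
        if not m:
            continue
        depth, err = int(m.group(1)), int(m.group(2))
        if (depth, err) in seen:  # a failing entry is repeated after its "Error," line
            continue
        seen.add((depth, err))
        nxt = ISSUER.match(records[i + 1]) if i + 1 < len(records) else None
        chain.append({"depth": depth, "err": err,
                      "name": X509_V_ERR.get(err, "not in table, see x509_vfy.h"),
                      "subject": m.group(3), "issuer": nxt.group(1) if nxt else None})
    return chain

def first_failure(chain):
    """First entry with a non-zero err, or None if every certificate verified."""
    return next((c for c in chain if c["err"] != 0), None)

# Constructed sample, wrapped the way the quoted trace is; all names are placeholders.
SAMPLE = """\
> [LDAP] TLS certificate verification: depth: 1, err: 0, subject:
> /C=XX/O=Example/CN=Example Issuing CA,[LDAP] issuer: /C=XX/O=Example/CN=Example
> Root CA [LDAP] TLS certificate verification: depth: 0, err: 7, subject:
> /C=XX/O=Example Org/CN=ldap.example.org,[LDAP] issuer: /C=XX/O=Example/CN=Example
> Issuing CA [LDAP] TLS certificate verification: Error, certificate signature
> failure [LDAP] TLS certificate verification: depth: 0, err: 7, subject: /C=XX/O=Example
> Org/CN=ldap.example.org,[LDAP] issuer: /C=XX/O=Example/CN=Example Issuing CA
> [LDAP] TLS trace: SSL_connect:SSLv3 read server certificate A
"""

if __name__ == "__main__":
    print(first_failure(parse_chain(SAMPLE)))
```

Running the same parser over the smbd trace and over the test program's trace gives two chains that can be compared entry by entry.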