John Gee wrote:
On Sun, Oct 12, 2008 at 02:56:38PM +0200, Dieter Kluenter wrote: [...]
Did you sign the server certificates with this ca-cert? And how did you create the CA and the server certificates? I personally use the CA.pl tools from openssl; this is by no means the best way to do it, but the simplest. If you follow this path, you may have to edit openssl.cnf to meet your requirements. Then you just do
./CA.pl -newca, which creates a self signed CA
./CA.pl -newreq, this creates a host or user certificate request
./CA.pl -sign, which signs the request
openssl rsa -in newreq.pem -out foo-key.pem, this removes the password from the requested certificate and creates a key file.
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem
The CA-Cert and ldap01-Certs were created with openssl. When verifying with openssl all seems to be ok:
# openssl s_client -connect ldap01.kleinfeld.ch:636 -CAfile /var/ldap/ca.pem -showcerts
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: E276B6ABD9349FDFD7EA22CCB491D3E9FE423BA1D45B0C18D4019422EF1FF607
    Session-ID-ctx:
    Master-Key: 758F1B898907CDA46E70E37D306517C60E21864E4119846C05597DA19572B1FDF9A4E6D1299848A2E769CA002DA76D93
    Key-Arg   : None
    Start Time: 1223891247
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Slapd - Debug Output:
connection_get(11): got connid=9
connection_read(11): checking for input on id=9
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=9
When connecting with ldapsearch (openldap) the connection is established and continues after the TLS client error:
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=0
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
(To remember: slapd.conf - TLSVerifyClient never)
When doing the same search with ldapsearch (SUNWlldap package), it seems to be forced into TLS client verification.
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=3, closing
connection_closing: readying conn=3 sd=11 for close
connection_close: conn=3 sd=11
I will try it later today with a new CA, but I think the problem must be at ldapclient (SUNWlldap) or inside certutil.
Use the debug flag on ldapsearch as well. It's obvious from the slapd logs that the problem is in the client, so you won't get any more help from the slapd debug output.
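Added example, not part of the thread: a small Python helper that reads slapd debug traces like the ones quoted above and separates the benign "unable to get TLS client DN, error=49" (no client certificate, harmless under TLSVerifyClient never) from a real handshake failure, using the "alert read" versus "alert write" direction to tell which side rejected the other's certificate. The sample trace is constructed from the thread's lines; the function and regexes are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two slapd traces quoted in the thread
# (connid=0: OpenLDAP ldapsearch; connid=3: Solaris SUNWlldap ldapsearch).
SAMPLE_TRACE = """\
connection_get(11): got connid=0
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=0
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(11): unable to get TLS client DN, error=49 id=0
connection_get(11): got connid=3
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=3
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
connection_read(11): TLS accept failure error=-1 id=3, closing
"""

CONN_RE = re.compile(r"got connid=(\d+)")
ALERT_RE = re.compile(r"TLS trace: SSL3 alert (read|write):(\w+):(.+)")

def classify_trace(text):
    """Map each connid to a verdict on its TLS handshake.

    'alert read' means slapd RECEIVED the alert, i.e. the client aborted
    (typically because it does not trust the server certificate);
    'alert write' means slapd sent it, i.e. the server rejected the client.
    """
    verdicts, alerts, conn = {}, defaultdict(list), None
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn = m.group(1)
            verdicts.setdefault(conn, "handshake in progress")
            continue
        if conn is None:
            continue
        m = ALERT_RE.search(line)
        if m:
            alerts[conn].append(m.groups())  # (direction, level, description)
        elif "unable to get TLS client DN" in line:
            # No client certificate was presented; the session carries on.
            verdicts[conn] = "ok: no client certificate (benign with TLSVerifyClient never)"
        elif "TLS accept failure" in line:
            dirs = {d for d, _, _ in alerts[conn]}
            desc = ", ".join(f"{lvl} {d}" for _, lvl, d in alerts[conn]) or "no alert"
            if "read" in dirs:
                verdicts[conn] = f"failed: client rejected server certificate ({desc}); check the client's CA trust store"
            elif "write" in dirs:
                verdicts[conn] = f"failed: server rejected client certificate ({desc})"
            else:
                verdicts[conn] = f"failed: {desc}"
        # 'SSL_accept:error in ... read client certificate A' lines are only
        # non-blocking retries of the accept, so they are ignored on purpose.
    return verdicts

if __name__ == "__main__":
    for cid, verdict in classify_trace(SAMPLE_TRACE).items():
        print(f"conn={cid}: {verdict}")
```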