HI!
(cross-posted since OpenLDAP and OpenDJ are involved)
I have some SSL client cert authc problems with an OpenLDAP 2.4.23 LDAP client (dynamically linked to OpenSSL 0.9.8e on RHEL 5.6) and OpenDJ 2.4.5 running under control of Java 1.6.0_31. I cross-checked all the cert and trust stuff several times. It seems to be correct. Unfortunately we're stuck with 2.4.23 in this setup because of OpenLDAP's ITS#6997.
(I manually obfuscated parameters and log lines herein.)
At first glance OpenLDAP's ldapwhoami seems to work correctly with the first OpenDJ replica:
$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://master1.example.com -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: cn=ldapclient,o=example,c=DE
SASL SSF: 0
dn:cn=ldapclient,ou=Users,cn=example
But in OpenDJ's access-log file there's written:
[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL mechanism=EXTERNAL dn=""
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0 authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am I?" oid="1.3.6.1.4.1.4203.1.11.3"
[18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0 additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
The attempt to do the same on another OpenDJ replica fails completely (no differences in TLS configuration - checked cn=config for potential differences with diff):
$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://consumer1.example.com -Y EXTERNAL
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
In OpenDJ's access-log file there's written:
[18/May/2012:16:52:38 +0200] CONNECT conn=6 from=x.x.x.x:61841 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
[18/May/2012:16:53:06 +0200] CONNECT conn=7 from=x.x.x.x:61842 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:53:07 +0200] DISCONNECT conn=7 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
Any clue what's going on here?
Ciao, Michael.
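The two access-log excerpts above show distinct patterns: on master1 the TLS handshake and SASL/EXTERNAL bind succeed and only the client's final socket close is unclean, while on consumer1 the handshake itself fails before any LDAP operation. The following Python script is an added example (not from Michael's post and not OpenDJ code) that groups OpenDJ access-log records by conn id and labels each connection accordingly; the log lines embedded in it are constructed to mirror the quoted ones, with placeholder addresses and shortened msg= text.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OpenDJ access-log lines quoted in the post
# (placeholder addresses, msg= text shortened; not real data).
SAMPLE_LOG = """\
[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=10.0.0.1:33358 to=10.0.0.2:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL mechanism=EXTERNAL dn=""
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0 authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error" msg="javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
[18/May/2012:16:52:38 +0200] CONNECT conn=6 from=10.0.0.1:61841 to=10.0.0.3:63677 protocol=LDAPS
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error" msg="javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
"""

# One access-log record: timestamp, operation keyword(s), conn id, remaining key=value text.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z]+(?: [A-Z]+)?) conn=(?P<conn>\d+)(?P<rest>.*)$')

def parse_line(line):
    """Return (conn, op, rest) for an access-log record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("conn"), m.group("op"), m.group("rest")

def classify_connections(log_text):
    """Group records by conn id and label each connection's TLS/bind outcome."""
    records = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            records[parsed[0]].append(parsed[1:])
    verdicts = {}
    for conn, ops in records.items():
        bound = any(op == "BIND RES" and "result=0" in rest for op, rest in ops)
        disconnect_msg = next((rest for op, rest in ops if op == "DISCONNECT"), "")
        if not bound and "SSLHandshakeException" in disconnect_msg:
            # Handshake never completed: cert/trust/cipher problem, nothing reached the LDAP layer.
            verdicts[conn] = "tls-handshake-failed-before-bind"
        elif bound and "close_notify" in disconnect_msg:
            # Authenticated fine; the client closed the socket without a TLS close_notify alert.
            verdicts[conn] = "bind-ok-then-unclean-close"
        elif bound:
            verdicts[conn] = "bind-ok"
        else:
            verdicts[conn] = "no-bind"
    return verdicts

if __name__ == "__main__":
    for conn, verdict in sorted(classify_connections(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print(f"conn={conn}: {verdict}")
```

Feeding a real access log to classify_connections() lets you see at a glance whether a replica rejects client certs at handshake time (compare its keystore/truststore and cipher settings) or merely logs the harmless unclean close after a successful bind.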