Hi. We're trying to configure a basic SSL (TLS) connection through OpenLDAP version 2.4.6. We're using Linux, Debian Version 4.0 ('etch') INTEL.
The pertinent info...
slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

loglevel -1
logfile /usr/local/var/openldap-data/logb

TLSCACertificateFile /home/bwaldorf/certs/1024pcert.pem
TLSCertificateFile /home/bwaldorf/certs/1024pcert.pem
TLSCertificateKeyFile /home/bwaldorf/certs/1024pkey.pem
TLSCipherSuite DES-CBC-SHA
TLSVerifyClient never
#TLSRandFile
#TLSEphemeralDHParamFile

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "o=replDB"
rootdn "cn=replman,o=replDB"
rootpw password
timelimit 1
idletimeout 4
access to attrs=userPassword by self write by anonymous auth by * none
access to * by self write by * read
directory /usr/local/var/openldap-data
index sn,mail,uid,title eq
ldap.conf
TLS_CACERT /home/bwaldorf/certs/1024pcert.pem
TLS_CERT /home/bwaldorf/certs/1024pcert.pem
TLS_KEY /home/bwaldorf/certs/1024pkey.pem
So we try the following search (-ZZ to force the command to be successful)...
ldapsearch -x -D "cn=replman,o=replDB" -w password -b "o=replDB1" -ZZ
And we get the following output (below) with -d -1... (sorry for the excessive messages).
Looks like the problem is... "connection_read(13): unable to get TLS client DN, error=49 id=5"
I did some googling for this error, but never found a thread with a cause/solution.
Thanks in advance for your time and help!
daemon: activity on 1 descriptor
daemon: activity on: slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 busy
slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: listen=8, new connection on 13
daemon: activity on:
daemon: added 13r (active) listener=(nil)
conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389))
daemon: epoll: listen=7 active_threads=1 tvp=zero.
daemon: epoll: listen=8 active_threads=1 tvp=zero.
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero.
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero.
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
ldap_read: want=8, got=8
  0000:  30 1d 02 01 01 77 18 80  0....w..
ldap_read: want=23, got=23
  0000:  16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36  .1.3.6.1.4.1.146
  0010:  36 2e 32 30 30 33 37  6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fc8 end=0xa0c11fe5 len=29.
  0000:  02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34  ...w...1.3.6.1.4
  0010:  2e 31 2e 31 34 36 36 2e 32 30 30 33 37  .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=5 op=0 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0xa0c11fc8 ptr=0xa0c11fcb end=0xa0c11fe5 len=26
  0000:  77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e  w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30 33 37  1466.20037
conn=5 op=0 EXT oid=1.3.6.1.4.1.1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
daemon: activity on 1 descriptor
conn=5 op=0 STARTTLS
daemon: activity on:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
daemon: epoll: listen=7 active_threads=1 tvp=zero
ber_flush2: 14 bytes to sd 13
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00  0....x........
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 78 07 0a 01 00 04 00 04 00  0....x........
conn=5 op=0 RESULT oid= err=0 text=
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
  0000:  80 74 01 03 01 00 4b 00 00 00 20  .t....K.......
tls_read: want=107, got=107
  0000:  00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00  ..9..8..5.......
  0010:  00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 03 00  .......3..2../..
  0020:  80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 12  ................
  0030:  00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00  .....@..........
  0040:  00 06 04 00 80 00 00 03 02 00 80 15 2d dd 5d 9a  ............-.].
  0050:  f5 29 55 3b 15 f2 e5 47 18 9c 22 f2 7d 07 51 72  .)U;...G..".}.Qr
  0060:  60 1f 38 61 8d 9a e7 67 2a 5e 9e  `.8a...g*^..}.
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=985, written=985
  0000:  16 03 01 00 4a 02 00 00 46 03 01 48 92 1d e7 69  ....J...F..H...i
  0010:  f3 a0 ea 95 0f 3b 21 71 a5 b0 11 34 27 91 b8 0b  .....;!q...4'...
  0020:  d1 25 4f ca d5 56 fd 55 d2 0f 33 20 a7 fe 44 07  .%O..V.U..3 ..D.
  0030:  8a 33 a1 ec 46 61 01 94 2a 05 9a 59 9e 95 02 ec  .3..Fa..*..Y....
  0040:  99 82 42 77 1d f6 bf 6e b4 0f 05 23 00 09 00 16  ..Bw...n...#....
  0050:  03 01 03 7c 0b 00 03 78 00 03 75 00 03 72 30 82  ...|...x..u..r0.
  0060:  03 6e 30 82 02 d7 a0 03 02 01 02 02 01 00 30 0d  .n0...........0.
  0070:  06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 87  ..*.H........0..
  0080:  31 0b 30 09 06 03 55 04 06 13 02 55 53 31 11 30  1.0...U....US1.0
  0090:  0f 06 03 55 04 08 13 08 4e 65 77 20 59 6f 72 6b  ...U....New York
  00a0:  31 15 30 13 06 03 55 04 07 13 0c 50 6f 75 67 68  1.0...U....Pough
  00b0:  6b 65 65 70 73 69 65 31 0c 30 0a 06 03 55 04 0a  keepsie1.0...U..
  00c0:  13 03 49 42 4d 31 0c 30 0a 06 03 55 04 0b 13 03  ..IBM1.0...U....
  00d0:  54 50 46 31 0e 30 0c 06 03 55 04 03 13 05 44 61  TPF1.0...U....Da
  00e0:  76 69 64 31 22 30 20 06 09 2a 86 48 86 f7 0d 01  vid1"0 ..*.H....
  00f0:  09 01 16 13 6d 6f 7a 65 73 68 74 61 40 75 73 2e  ....mozeshta@us.
  0100:  69 62 6d 2e 63 6f 6d 30 1e 17 0d 30 38 30 33 31  ibm.com0...08031
  0110:  31 30 31 31 36 31 31 5a 17 0d 31 30 31 32 30 37  1011611Z..101207
  0120:  30 31 31 36 31 31 5a 30 81 87 31 0b 30 09 06 03  011611Z0..1.0...
  0130:  55 04 06 13 02 55 53 31 11 30 0f 06 03 55 04 08  U....US1.0...U..
  0140:  13 08 4e 65 77 20 59 6f 72 6b 31 15 30 13 06 03  ..New York1.0...
  0150:  55 04 07 13 0c 50 6f 75 67 68 6b 65 65 70 73 69  U....Poughkeepsi
  0160:  65 31 0c 30 0a 06 03 55 04 0a 13 03 49 42 4d 31  e1.0...U....IBM1
  0170:  0c 30 0a 06 03 55 04 0b 13 03 54 50 46 31 0e 30  .0...U....TPF1.0
  0180:  0c 06 03 55 04 03 13 05 44 61 76 69 64 31 22 30  ...U....David1"0
  0190:  20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 6d 6f  ..*.H........mo
  01a0:  7a 65 73 68 74 61 40 75 73 2e 69 62 6d 2e 63 6f  zeshta@us.ibm.co
  01b0:  6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01  m0..0...*.H.....
  01c0:  01 05 00 03 81 8d 00 30 81 89 02 81 81 00 ac ee  .......0........
  01d0:  f9 a7 40 cc 73 af 67 a0 ea 46 08 45 a5 fd 44 71  ..@.s.g..F.E..Dq
  01e0:  a4 04 3e 51 f7 39 51 82 3d 7e 9b 99 ae 1d c1 22  ..>Q.9Q.=~....."
  01f0:  67 10 e7 15 d1 a9 65 75 e9 3e 0f 77 64 d1 14 4d  g.....eu.>.wd..M
  0200:  28 f0 8c ba d3 ed 87 e9 b1 5b 11 c1 3f 11 ed 1a  (........[..?...
  0210:  96 9a 3f b3 4b f3 db bd 84 41 11 aa ea 37 6d ab  ..?.K....A...7m.
  0220:  c5 fb a9 bb ab 9d 87 66 b2 31 7a c8 35 06 06 ec  .......f.1z.5...
  0230:  fb 07 f1 29 f5 f3 fd 29 f4 df 33 bf 40 de 84 6f  ...)...)..3.@..o
  0240:  9d 66 ea 57 42 ab 0f 13 a0 07 71 d5 e0 6d 02 03  .f.WB.....q..m..
  0250:  01 00 01 a3 81 e7 30 81 e4 30 1d 06 03 55 1d 0e  ......0..0...U..
  0260:  04 16 04 14 11 76 af b1 5a bd 99 53 a5 de 02 35  .....v..Z..S...5
  0270:  06 51 c4 01 74 71 2c c6 30 81 b4 06 03 55 1d 23  .Q..tq,.0....U.#
  0280:  04 81 ac 30 81 a9 80 14 11 76 af b1 5a bd 99 53  ...0.....v..Z..S
  0290:  a5 de 02 35 06 51 c4 01 74 71 2c c6 a1 81 8d a4  ...5.Q..tq,.....
  02a0:  81 8a 30 81 87 31 0b 30 09 06 03 55 04 06 13 02  ..0..1.0...U....
  02b0:  55 53 31 11 30 0f 06 03 55 04 08 13 08 4e 65 77  US1.0...U....New
  02c0:  20 59 6f 72 6b 31 15 30 13 06 03 55 04 07 13 0c  York1.0...U....
  02d0:  50 6f 75 67 68 6b 65 65 70 73 69 65 31 0c 30 0a  Poughkeepsie1.0.
  02e0:  06 03 55 04 0a 13 03 49 42 4d 31 0c 30 0a 06 03  ..U....IBM1.0...
  02f0:  55 04 0b 13 03 54 50 46 31 0e 30 0c 06 03 55 04  U....TPF1.0...U.
  0300:  03 13 05 44 61 76 69 64 31 22 30 20 06 09 2a 86  ...David1"0 ..*.
  0310:  48 86 f7 0d 01 09 01 16 13 6d 6f 7a 65 73 68 74  H........mozesht
  0320:  61 40 75 73 2e 69 62 6d 2e 63 6f 6d 82 01 00 30  a@us.ibm.com...0
  0330:  0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30 0d 06  ...U....0....0..
  0340:  09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 81 00  .*.H............
  0350:  a8 39 22 f9 88 b2 c1 e6 95 5e af 4d ae f6 89 e5  .9"......^.M....
  0360:  64 82 37 42 f6 5b 00 56 22 d0 c6 b9 5f 70 36 2f  d.7B.[.V"..._p6/
  0370:  8f 10 bb 5a d1 18 33 2a 37 8a a0 f2 c3 53 21 12  ...Z..3*7....S!.
  0380:  2c 28 8a 62 a9 e0 b5 5a 70 4c 77 f1 5c 33 d2 a3  ,(.b...ZpLw.\3..
  0390:  6d 77 e8 6e e8 7e 5b 74 d9 3a 70 24 38 89 ce 11  mw.n.~[t.:p $8...
  03a0:  4c ec 64 51 f2 be 61 4c 18 09 25 13 48 e2 5b 13  L.dQ..aL..%.H.[.
  03b0:  d9 fa 8c 0c b7 a2 dd 09 dd e8 da 01 c7 29 2b 9a  .............)+.
  03c0:  22 51 6f 19 54 e7 02 90 75 0e a9 3a 4b e0 d1 a4  "Qo.T...u..:K...
  03d0:  16 03 01 00 04 0e 00 00 00  ...........:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
TLS trace: SSL_accept:error in SSLv3 read client certificate A.........:
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=1 tvp=zero
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
tls_read: want=5, got=5
  0000:  16 03 01 00 86  ...........:
tls_read: want=134, got=134
  0000:  10 00 00 82 00 80 91 6b 72 70 d5 4e 89 66 4e 5f  .......krp.N.fN_
  0010:  f2 d6 d6 41 e7 3a 85 1e 8e ce 85 4d 90 ac 4a ec  ...A.:.....M..J.
  0020:  81 f6 4d 2c 1d 94 85 e8 78 cf c9 68 11 77 b3 4e  ..M,....x..h.w.N
  0030:  13 97 62 43 e2 e8 12 44 42 46 c6 bc c3 74 c7 ad  ..bC...DBF...t..
  0040:  f7 46 22 2b ac 8c 8e 59 5d de f4 fd f9 73 3f 76  .F"+...Y]....s?v
  0050:  1b 58 1f da 5c 95 49 a6 73 ec 75 37 fc 38 fa 53  .X...I.s.u7.8.S
  0060:  6d 3c a9 fd 2a 7d c3 f7 b9 79 e7 3f 8f da df 04  m<..*}...y.?....
  0070:  cb 06 e2 67 75 3c 57 cf 8e 60 6e e4 27 fa 23 a3  ...gu<W..`n.'.#.
  0080:  b8 fb c6 5b 14 7e  ...[.~
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
  0000:  14 03 01 00 01  .....
tls_read: want=1, got=1
  0000:  01  .....
tls_read: want=5, got=5
  0000:  16 03 01 00 28  ....(
tls_read: want=40, got=40
  0000:  77 34 09 6c 45 e9 f1 f0 a2 e6 cb 2d e4 49 27 42  w4.lE......-.I'B
  0010:  45 a5 84 74 bb bd 0f 6e 24 70 e1 b0 0f 19 83 4a  E..t...n $p.....J
  0020:  7a 41 c3 b3 ca fe 80 68  zA.....h
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=51, written=51
  0000:  14 03 01 00 01 01 16 03 01 00 28 97 a6 bb b1 8c  ..........(.....
  0010:  50 d4 6f 60 2c fb c7 d1 10 a6 a6 37 ff ea 0b e8  P.o`,......7....
  0020:  60 d0 f1 6b 34 d7 26 7b a9 c8 c0 45 72 33 7c 67  `..k4.&{...Er3| g
  0030:  b4 07 93  ...
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN, error=49 id=5
conn=5 fd=13 TLS established tls_ssf=56 ssf=56
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=1 tvp=zero
daemon: epoll: listen=8 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=1 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=1 tvp=zero
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
tls_read: want=5, got=0
ldap_read: want=8, got=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=5, closing.
connection_closing: readying conn=5 sd=13 for close
connection_close: conn=5 sd=13
daemon: removing 13
daemon: activity on 1 descriptor
tls_write: want=29, written=29
  0000:  15 03 01 00 18 73 41 45 4f f9 51 03 05 e6 66 c2  .....sAEO.Q...f.
  0010:  f5 65 d2 a9 ab 03 aa 8d d1 79 ef 18 8c  .e.......y....
TLS trace: SSL3 alert write:warning:close notify
conn=5 fd=13 closed (connection lost)
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
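The following is an added example (editor's code, not from this thread or from the OpenLDAP project) that reads the slapd.conf TLS directives and the relevant lines of the -d -1 trace above and reports where the StartTLS handshake stands. The function names (parse_tls_directives, summarize_trace, assess), the MIN_ACCEPTABLE_SSF threshold of 128 and the finding codes are this example's own choices; the sample inputs are copied from the post and embedded so it runs offline. It also encodes the editor's reading of the trace: with TLSVerifyClient never the server never asks for a client certificate, so there is no client DN to fetch and error=49 (LDAP_INVALID_CREDENTIALS) is logged as a trace message, while the "TLS established tls_ssf=56" line that follows shows the handshake itself completed and the client then closed the connection.

```python
import re

# Constructed sample input: the TLS directives from the slapd.conf in the post.
SLAPD_CONF = """\
TLSCACertificateFile /home/bwaldorf/certs/1024pcert.pem
TLSCertificateFile /home/bwaldorf/certs/1024pcert.pem
TLSCertificateKeyFile /home/bwaldorf/certs/1024pkey.pem
TLSCipherSuite DES-CBC-SHA
TLSVerifyClient never
"""

# Constructed sample input: the relevant lines of the posted -d -1 trace, in
# their original order (hex dumps and epoll chatter dropped).
TRACE = """\
conn=5 fd=13 ACCEPT from IP=127.0.0.1:32933 (IP=0.0.0.0:389)
conn=5 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=5 op=0 STARTTLS
conn=5 op=0 RESULT oid= err=0 text=
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(13): unable to get TLS client DN, error=49 id=5
conn=5 fd=13 TLS established tls_ssf=56 ssf=56
tls_read: want=5, got=0
connection_read(13): input error=-2 id=5, closing.
conn=5 fd=13 closed (connection lost)
"""

LDAP_INVALID_CREDENTIALS = 49   # the LDAP result code behind "error=49"
MIN_ACCEPTABLE_SSF = 128        # policy threshold assumed for this example


def parse_tls_directives(conf_text):
    """Map each TLS* directive of a slapd.conf fragment to its value."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.startswith("TLS"):
            directives[key] = value.strip()
    return directives


def summarize_trace(trace_text):
    """Pull the StartTLS-relevant facts out of a slapd -d -1 trace."""
    s = {"starttls": False, "established": False, "tls_ssf": None,
         "client_dn_error": None, "peer_closed": False, "accept_error_lines": []}
    for line in trace_text.splitlines():
        if re.search(r"\bop=\d+ STARTTLS$", line):
            s["starttls"] = True
        m = re.search(r"TLS established tls_ssf=(\d+)", line)
        if m:
            s["established"] = True
            s["tls_ssf"] = int(m.group(1))
        m = re.search(r"unable to get TLS client DN, error=(\d+)", line)
        if m:
            s["client_dn_error"] = int(m.group(1))
        # A zero-byte read or "connection lost" means the peer hung up.
        if re.search(r"tls_read: want=\d+, got=0$", line) or line.endswith("(connection lost)"):
            s["peer_closed"] = True
        # OpenSSL's info callback also prints "error in ..." for a non-fatal
        # would-block retry on a non-blocking socket, so these lines alone do
        # not mean the handshake failed; "TLS established" is the decider.
        if "SSL_accept:error in" in line:
            s["accept_error_lines"].append(line)
    return s


def assess(directives, summary):
    """Turn config + trace into (code, message) findings a reader can act on."""
    findings = []
    if summary["established"]:
        findings.append(("HANDSHAKE_OK",
                         "server completed the TLS handshake (tls_ssf=%d)" % summary["tls_ssf"]))
    elif summary["starttls"]:
        findings.append(("HANDSHAKE_INCOMPLETE",
                         "StartTLS was requested but no 'TLS established' line followed"))
    verify = directives.get("TLSVerifyClient", "never")  # slapd's default is never
    if summary["client_dn_error"] == LDAP_INVALID_CREDENTIALS and verify == "never":
        findings.append(("CLIENT_DN_EXPECTED",
                         "no client certificate was requested (TLSVerifyClient %s), so "
                         "'unable to get TLS client DN, error=49' is informational" % verify))
    if summary["tls_ssf"] is not None and summary["tls_ssf"] < MIN_ACCEPTABLE_SSF:
        findings.append(("WEAK_CIPHER",
                         "TLSCipherSuite %s negotiated only %d-bit strength"
                         % (directives.get("TLSCipherSuite", "?"), summary["tls_ssf"])))
    if summary["established"] and summary["peer_closed"]:
        findings.append(("CLIENT_HUNG_UP",
                         "client closed the connection after the handshake; the server "
                         "shows no TLS failure, so check the client's own -d trace"))
    return findings


if __name__ == "__main__":
    for code, msg in assess(parse_tls_directives(SLAPD_CONF), summarize_trace(TRACE)):
        print("%-20s %s" % (code, msg))
```

Run as a script it prints four findings for the trace above: the handshake completed at 56-bit strength (DES-CBC-SHA), the client-DN message is expected under TLSVerifyClient never, the cipher is below the assumed 128-bit policy, and the peer closed the connection right after the handshake, which is why the next thing to read is the client side's own debug output (ldapsearch -d -1) rather than more of slapd's.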
I might be wrong but I think there is a certain problem with Debian/*buntu for LDAPS clients...

Sambuddho

On Fri, 2008-08-01 at 16:14 -0400, Brad T Waldorf wrote:
Hi. We're trying to configure a basic SSL (TLS) connection through OpenLDAP version 2.4.6. We're using Linux, Debian Version 4.0 ('etch') INTEL.
--On Friday, August 01, 2008 4:14 PM -0400 Brad T Waldorf bwaldorf@us.ibm.com wrote:
Hi. We're trying to configure a basic SSL (TLS) connection through OpenLDAP version 2.4.6. We're using Linux, Debian Version 4.0 ('etch') INTEL.
(a) Get the latest release (2.4.11). 2.4.6 was the very first OL 2.4 release, and numerous problems have since been fixed.
(b) What SSL implementation did you compile it against? OpenSSL or GnuTLS?
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Thanks Quanah. To answer your points,
(a) We've got a release coming up shortly... We committed to version 2.4.6, and unfortunately don't have enough time to switch and re-test with 2.4.11 at this time -- although our plan is to upgrade for our future releases. We know not to expect much from mirrormode/multimaster in 2.4.6 (buggy)... and now it seems like we should consider TLS part of that bucket too?
(b) We compiled it against OpenSSL. Was that ok?
Thanks again!
Brad T Waldorf wrote:
Thanks Quanah. To answer your points,
(a) We've got a release coming up shortly... We committed to version 2.4.6, and unfortunately don't have enough time to switch and re-test with 2.4.11 at this time -- although our plan is to upgrade for our future releases. We know not to expect much from mirrormode/multimaster in 2.4.6 (buggy)... and now it seems like we should consider TLS part of that bucket too?
(b) We compiled it against OpenSSL. Was that ok?
OpenSSL works fine.
openldap-technical@openldap.org