Hello,
I have a problem connecting the Solaris 10 native LDAP client to an openLDAP server (slapd 2.4.11) with TLS.
The replication from server ldap01 to ldap02 works fine with TLS, so I think that the problem must be on the client side (Solaris 10 native LDAP client, latest patchset). Without TLS it works.
Maybe someone can give me a hint.
-( slapd - debug )---
slap_listener(ldaps:///)
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_closing: readying conn=207 sd=11 for close
connection_close: conn=207 sd=11
-( slapd.conf - tls part )---
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /opt/openldap/var/openldap-data/ca-cert.pem
TLSCertificateFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch.pem
TLSCertificateKeyFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch
TLSVerifyClient never
-( solaris 10 - client )----
# import the ca-cert
certutil -N -d /var/ldap
certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/
# import ldap-server certs
certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem
certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem
# list cert-db
certutil -L -d /var/ldap
ca-cert                 CT,,
ldap02.kleinfeld.ch     C,,
ldap01.kleinfeld.ch     C,,
# initialize ldap-client
ldapclient manual -v \
  -a credentialLevel=proxy \
  -a authenticationMethod=tls:simple \
  -a serviceAuthenticationMethod=pam_ldap:tls:simple \
  -a proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch \
  -a proxyPassword=xxxxxxxxxxxx \
  -a defaultsearchbase=ou=unix,o=kleinfeld,c=ch \
  -a defaultServerList="ldap01.kleinfeld.ch ldap02.kleinfeld.ch" \
  -a certificatePath=/var/ldap \
  -a domainName=kleinfeld.ch \
  -a attributeMap=passwd:gecos=cn \
  -a objectClassMap=group:posixGroup=posixGroup \
  -a objectClassMap=passwd:posixAccount=posixAccount \
  -a objectClassMap=shadow:shadowAccount=shadowAccount \
  -a serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one \
  -a serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one \
  -a serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
# output from ldapclient
Parsing credentialLevel=proxy
Parsing authenticationMethod=tls:simple
Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
Parsing proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
Parsing proxyPassword=xxxxxxxxxxxx
Parsing defaultsearchbase=ou=unix,o=kleinfeld,c=ch
Parsing defaultServerList=ldap01.kleinfeld.ch
Parsing certificatePath=/var/ldap
Parsing domainName=kleinfeld.ch
Parsing attributeMap=passwd:gecos=cn
Parsing objectClassMap=group:posixGroup=posixGroup
Parsing objectClassMap=passwd:posixAccount=posixAccount
Parsing objectClassMap=shadow:shadowAccount=shadowAccount
Parsing serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one
Parsing serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one
Parsing serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
Arguments parsed:
Handling manual option
Proxy DN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
Proxy password: {NS1}xxxxxxxxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "kleinfeld.ch"
file_backup: stat(/var/yp/binding/kleinfeld.ch)=-1
file_backup: No /var/yp/binding/kleinfeld.ch directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname kleinfeld.ch... success
start: sleep 100000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
authenticationMethod: tls:simple
serviceAuthenticationMethod: arg[0]: pam_ldap:tls:simple
defaultSearchBase: ou=unix,o=kleinfeld,c=ch
credentialLevel: proxy
domainName: kleinfeld.ch
proxyDN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
objectclassMap: arg[0]: group:posixGroup=posixGroup
                arg[1]: passwd:posixAccount=posixAccount
                arg[2]: shadow:shadowAccount=shadowAccount
attributeMap: arg[0]: passwd:gecos=cn
serviceSearchDescriptor: arg[0]: passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one
                         arg[1]: group:ou=groups,ou=unix,o=kleinfeld,c=ch?one
                         arg[2]: netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
proxyPassword: xxxxxxxxxxxxx
defaultServerList: ldap01.kleinfeld.ch
certificatePath: /var/ldap
Thanks in advance, John
John Gee john@kleinfeld.ch writes:
Hello,
I have a problem connecting the Solaris 10 native LDAP client to an openLDAP server (slapd 2.4.11) with TLS.
[...]
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_closing: readying conn=207 sd=11 for close
connection_close: conn=207 sd=11
slapd refuses the client certificate
-( solaris 10 - client )----
# import the ca-cert
certutil -N -d /var/ldap
certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/
# import ldap-server certs
certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem
certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem
# list cert-db
certutil -L -d /var/ldap
ca-cert                 CT,,
ldap02.kleinfeld.ch     C,,
ldap01.kleinfeld.ch     C,,
The server presents the server certificate (ldap01.kleinfeld.ch), the ldap client presents the CA, but the server expects a client certificate. Change slapd.conf not to verify a client certificate.
-Dieter
Thanks for your reply Dieter.
On Tue, Oct 07, 2008 at 09:03:21PM +0200, Dieter Kluenter wrote:
John Gee john@kleinfeld.ch writes:
-( solaris 10 - client )----
[...]
# list cert-db
certutil -L -d /var/ldap
ca-cert                 CT,,
ldap02.kleinfeld.ch     C,,
ldap01.kleinfeld.ch     C,,
The server presents the server certificate (ldap01.kleinfeld.ch), the ldap client presents the CA, but the server expects a client certificate. Change slapd.conf not to verify a client certificate.
Well, I already have the "TLSVerifyClient never" entry in slapd.conf. I think there must be an option on the client side (Solaris 10 native client). When using the openLDAP client with the following options in ldap.conf it works (but not with the native client):
TLS_CACERT /etc/ssl/certs/cacert.pem
TLS_REQCERT never
- John
Hello John,
On Wednesday, 08.10.2008, 08:08 +0200, John Gee wrote:
Thanks for your reply Dieter.
On Tue, Oct 07, 2008 at 09:03:21PM +0200, Dieter Kluenter wrote:
John Gee john@kleinfeld.ch writes:
-( solaris 10 - client )----
[...]
# list cert-db
certutil -L -d /var/ldap
ca-cert                 CT,,
ldap02.kleinfeld.ch     C,,
ldap01.kleinfeld.ch     C,,
The server presents the server certificate (ldap01.kleinfeld.ch), the ldap client presents the CA, but the server expects a client certificate. Change slapd.conf not to verify a client certificate.
I just had to switch to my Solaris box in order to test ldapclient. I am referring to your initial mail now. With certutil you created a certificate database which includes the server certificates; these are presented to the ldap server as client certificates. Remove these server certificates from the repository and just leave the ca-cert in order to verify the server certificate. This setup I just tested successfully on my Solaris box.
-Dieter
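A small audit of the client-side certificate database that the advice above is about, as an added example (it is not code from the thread, from Solaris or from NSS). It parses the text that `certutil -L -d /var/ldap` prints, with the trust flags in the SSL,S/MIME,JAR/XPI order certutil uses, and reports which entries are the expected CA and which are extra certificates that should not sit in the client's database. The two listings are constructed from the `certutil -L` output quoted in the thread; treating `ca-cert` as the one expected CA nickname is an assumption taken from that output.

```python
"""Audit a Solaris client NSS certificate database listing.

Added example, not code from the thread. It reads the text output of
`certutil -L -d <dir>` and splits the entries into the expected CA
(which must carry the C flag in the SSL field, i.e. trusted to issue
server certificates) and everything else, which the advice above says
should be removed from the client's database.
"""
import re

# One listing row: nickname, whitespace, three comma-separated flag fields.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

# Constructed from the thread's `certutil -L -d /var/ldap` output (before cleanup).
LISTING_BEFORE = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

ca-cert                                     CT,,
ldap02.kleinfeld.ch                         C,,
ldap01.kleinfeld.ch                         C,,
"""

# Constructed: the same database with only the CA left in it.
LISTING_AFTER = """\
Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

ca-cert                                     CT,,
"""


def parse_listing(text):
    """Return [(nickname, (ssl_flags, smime_flags, jar_flags)), ...]."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line, column caption or blank line
        nick = m.group("nick").strip()
        flags = tuple(m.group("flags").split(","))
        entries.append((nick, flags))
    return entries


def audit_client_certdb(text, ca_nicknames):
    """Classify each entry of a certutil listing.

    Returns {"ca": [...], "ca_not_trusted": [...], "extra": [...]}:
    expected CA entries with server-CA trust (C in the SSL field),
    expected CA entries lacking it, and every other nickname.
    """
    result = {"ca": [], "ca_not_trusted": [], "extra": []}
    for nick, (ssl_flags, _smime, _jar) in parse_listing(text):
        if nick in ca_nicknames:
            key = "ca" if "C" in ssl_flags else "ca_not_trusted"
            result[key].append(nick)
        else:
            result["extra"].append(nick)
    return result


if __name__ == "__main__":
    for label, listing in (("before", LISTING_BEFORE), ("after", LISTING_AFTER)):
        print(label, audit_client_certdb(listing, {"ca-cert"}))
```

Run against a real database, feed it the output of `certutil -L -d /var/ldap` and the nickname you gave the CA when importing it; a non-empty `extra` list is the situation described above.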
On Wed, Oct 08, 2008 at 06:35:36PM +0200, Dieter Klünter wrote: [...]
I just had to switch to my Solaris box in order to test ldapclient. I am referring to your initial mail now. With certutil you created a certificate database which includes the server certificates; these are presented to the ldap server as client certificates. Remove these server certificates from the repository and just leave the ca-cert in order to verify the server certificate. This setup I just tested successfully on my Solaris box.
Ok, I removed the certificates from my CertDB, so that ca-cert is alone there. Exactly the same happens as already described. Maybe I'm doing something wrong with the import of the self-signed CA into the certdb.
John
John Gee john@kleinfeld.ch writes:
On Wed, Oct 08, 2008 at 06:35:36PM +0200, Dieter Klünter wrote: [...]
I just had to switch to my Solaris box in order to test ldapclient. I am referring to your initial mail now. With certutil you created a certificate database which includes the server certificates; these are presented to the ldap server as client certificates. Remove these server certificates from the repository and just leave the ca-cert in order to verify the server certificate. This setup I just tested successfully on my Solaris box.
Ok, I removed the certificates from my CertDB, so that ca-cert is alone there. Exactly the same happens as already described. Maybe I'm doing something wrong with the import of the self-signed CA into the certdb.
Did you sign the server certificates with this ca-cert? And how did you create the CA and the server certificates? I personally use the CA.pl tools from openssl; this is by no means the best way to do it, but the simplest. If you follow this path, you may have to edit openssl.cnf to meet your requirements. Then you just do
./CA.pl -newca, which creates a self-signed CA
./CA.pl -newreq, which creates a host or user certificate request
./CA.pl -sign, which signs the request
openssl rsa -in newreq.pem -out foo-key.pem, which removes the password from the requested certificate and creates a key file.
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem
-Dieter
On Sun, Oct 12, 2008 at 02:56:38PM +0200, Dieter Kluenter wrote: [...]
Did you sign the server certificates with this ca-cert? And how did you create the CA and the server certificates? I personally use the CA.pl tools from openssl; this is by no means the best way to do it, but the simplest. If you follow this path, you may have to edit openssl.cnf to meet your requirements. Then you just do
./CA.pl -newca, which creates a self-signed CA
./CA.pl -newreq, which creates a host or user certificate request
./CA.pl -sign, which signs the request
openssl rsa -in newreq.pem -out foo-key.pem, which removes the password from the requested certificate and creates a key file.
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem
The CA cert and the ldap01 certs were created with openssl. When verifying with openssl, all seems to be ok:
# openssl s_client -connect ldap01.kleinfeld.ch:636 -CAfile /var/ldap/ca.pem -showcerts
...
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: E276B6ABD9349FDFD7EA22CCB491D3E9FE423BA1D45B0C18D4019422EF1FF607
    Session-ID-ctx:
    Master-Key: 758F1B898907CDA46E70E37D306517C60E21864E4119846C05597DA19572B1FDF9A4E6D1299848A2E769CA002DA76D93
    Key-Arg   : None
    Start Time: 1223891247
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Slapd debug output:
connection_get(11): got connid=9
connection_read(11): checking for input on id=9
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=9
When connecting with ldapsearch (openldap), the connection is established and continues after the TLS client error:
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=0
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
(To remember: slapd.conf has TLSVerifyClient never)
When doing the same search with ldapsearch (SUNWlldap package), it seems to be forced into TLS client verification:
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=3, closing
connection_closing: readying conn=3 sd=11 for close
connection_close: conn=3 sd=11
I will try it later today with a new CA, but I think the problem must be in ldapclient (SUNWlldap) or inside certutil.
John
John Gee wrote:
On Sun, Oct 12, 2008 at 02:56:38PM +0200, Dieter Kluenter wrote: [...]
Did you sign the server certificates with this ca-cert? And how did you create the CA and the server certificates? I personally use the CA.pl tools from openssl; this is by no means the best way to do it, but the simplest. If you follow this path, you may have to edit openssl.cnf to meet your requirements. Then you just do
./CA.pl -newca, which creates a self-signed CA
./CA.pl -newreq, which creates a host or user certificate request
./CA.pl -sign, which signs the request
openssl rsa -in newreq.pem -out foo-key.pem, which removes the password from the requested certificate and creates a key file.
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem
The CA cert and the ldap01 certs were created with openssl. When verifying with openssl, all seems to be ok:
# openssl s_client -connect ldap01.kleinfeld.ch:636 -CAfile /var/ldap/ca.pem -showcerts
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: E276B6ABD9349FDFD7EA22CCB491D3E9FE423BA1D45B0C18D4019422EF1FF607
    Session-ID-ctx:
    Master-Key: 758F1B898907CDA46E70E37D306517C60E21864E4119846C05597DA19572B1FDF9A4E6D1299848A2E769CA002DA76D93
    Key-Arg   : None
    Start Time: 1223891247
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Slapd debug output:
connection_get(11): got connid=9
connection_read(11): checking for input on id=9
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=9
When connecting with ldapsearch (openldap), the connection is established and continues after the TLS client error:
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=0
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
(To remember: slapd.conf has TLSVerifyClient never)
When doing the same search with ldapsearch (SUNWlldap package), it seems to be forced into TLS client verification:
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=3, closing
connection_closing: readying conn=3 sd=11 for close
connection_close: conn=3 sd=11
I will try it later today with a new CA, but I think the problem must be in ldapclient (SUNWlldap) or inside certutil.
Use the debug flag on ldapsearch as well. It's obvious from the slapd logs that the problem is in the client, so you won't get any more help from the slapd debug output.
On Mon, Oct 13, 2008 at 12:16:55PM +0200, John Gee wrote:
I will try it later today with a new CA, but I think the problem must be in ldapclient (SUNWlldap) or inside certutil.
I recreated the complete CA and server certs and recreated the NSS db on the client side, and it works now. I don't know why, but it works ;)
TLS/SSL
connection_get(11): got connid=13
connection_read(11): checking for input on id=13
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=13
connection_read(11): checking for input on id=13
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=13
connection_get(11): got connid=13
connection_read(11): checking for input on id=13
And here is the part that didn't work before:
ber_get_next
ber_get_next: tag 0x30 len 61 contents:
ber_get_next
conn=13 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=proxyAgent,ou=profile,o=kleinfeld,c=ch>
Thanks for your help, Dieter.
Regards, John
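The thread's slapd debug traces tell the failing and the working connection apart by a couple of lines, and a script that reads them the same way each time saves re-staring at the handshake. The following is an added example, not code from the thread or from OpenLDAP: it groups `slapd -d` output by connection id, records whether the TLS accept completed, which fatal alert the peer sent (slapd prints an alert it received as "SSL3 alert read:fatal:<reason>", so "bad certificate" here is the client rejecting what the server sent), the OpenSSL error code, whether a client certificate DN was available, and whether a bind followed. Note that the "error in SSLv3 read client certificate A" lines appear in the working trace too, so the script does not treat them as failures. Both sample traces are constructed from lines quoted in the thread; the connection ids 207 and 13 are the ones in those quotes.

```python
"""Summarise slapd -d TLS trace output per connection.

Added example, not code from the thread or from OpenLDAP. The two sample
traces are constructed from lines quoted in the thread.
"""
import re

CONN_RE = re.compile(r"\b(?:connid|conn|id)=(\d+)\b")
ALERT_RE = re.compile(r"SSL3 alert read:fatal:(?P<reason>.+?)\s*$")
OPENSSL_ERR_RE = re.compile(r"TLS: error:(?P<code>[0-9A-Fa-f]{8}):")

# Constructed from the failing trace (Solaris native client, before the fix).
FAILING_TRACE = """\
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_read(11): checking for input on id=207
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_close: conn=207 sd=11
"""

# Constructed from the working trace (after CA and client db were rebuilt).
WORKING_TRACE = """\
connection_get(11): got connid=13
connection_read(11): checking for input on id=13
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_read(11): checking for input on id=13
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(11): unable to get TLS client DN, error=49 id=13
conn=13 op=0 do_bind
"""


def split_by_connection(lines):
    """Group lines by connection id. "TLS trace:" lines carry no id, so
    they are attributed to the most recently seen connection."""
    groups, current = {}, None
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            current = int(m.group(1))
        if current is not None:
            groups.setdefault(current, []).append(line)
    return groups


def analyze_connection(lines):
    """Summarise the TLS accept of one connection's lines."""
    summary = {
        "handshake": "in_progress",   # becomes "completed" or "failed"
        "peer_alert": None,           # fatal alert received from the client
        "openssl_error": None,        # hex code from the "TLS: error:" line
        "client_cert_presented": None,
        "bind_seen": False,
    }
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            summary["peer_alert"] = m.group("reason")
        m = OPENSSL_ERR_RE.search(line)
        if m:
            summary["openssl_error"] = m.group("code")
        if "TLS accept failure" in line:
            summary["handshake"] = "failed"
        elif "SSL_accept:SSLv3 write finished A" in line:
            summary["handshake"] = "completed"
        # "error in ... read client certificate A" is a non-blocking wait and
        # shows up on the working connection too, so it is ignored here.
        if "unable to get TLS client DN" in line:
            summary["client_cert_presented"] = False
        if "do_bind" in line:
            summary["bind_seen"] = True
    return summary


def diagnose(summary):
    """One-line reading of a connection summary."""
    if summary["handshake"] == "failed":
        if summary["peer_alert"] == "bad certificate":
            return ("client sent fatal bad_certificate after the server's "
                    "Certificate message: the client rejected the server "
                    "certificate, so check the client's trust database")
        return "TLS accept failed, peer alert: %s" % summary["peer_alert"]
    if summary["handshake"] == "completed":
        text = "TLS accept completed"
        if summary["client_cert_presented"] is False:
            text += ", no client certificate (fine with TLSVerifyClient never)"
        if summary["bind_seen"]:
            text += ", bind received"
        return text
    return "handshake still in progress"


if __name__ == "__main__":
    for trace in (FAILING_TRACE, WORKING_TRACE):
        for connid, lines in split_by_connection(trace.splitlines()).items():
            print(connid, diagnose(analyze_connection(lines)))
```

Feed it a whole `slapd -d -1` capture and it will print one verdict per connection id; the useful split is between a fatal alert read from the client (look at the client's certificate database, as the thread concluded) and a completed handshake with no client DN, which is what the working Solaris client produces with TLSVerifyClient never.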
openldap-technical@openldap.org