I had to renew my OpenSSL certificates and now my LDAP TLS negotiation doesn't work anymore:
$ ldapsearch -ZZ -D uid=guillard,ou=staff,ou=people,dc=example,dc=fr -W uid=guillard -h ldap2.th3.example.fr
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Unknown code ___f 20
Here are the relevant server configuration directives:

olcTLSCACertificateFile /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile /etc/openldap/cacerts/server.key
olcTLSCipherSuite HIGH

(See the very end of this mail: these certificates are correct, since I have successfully carried out openssl connection tests.)

And here are the logs collected on the server side when receiving the ldapsearch request:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
slap_listener(ldap://ldap2.th3.example.fr:389)
daemon: listen=7, new connection on 15
daemon: added 15r (active) listener=(nil)
conn=1003 fd=15 ACCEPT from IP=10.10.86.93:41013 (IP=10.1.92.25:389)
daemon: activity on 2 descriptors
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1003
connection_read(15): checking for input on id=1003
ber_get_next
ldap_read: want=8, got=8
  0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
  0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
  0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x7f272017aa70 ptr=0x7f272017aa70 end=0x7f272017aa8d len=29
  0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
  0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
op tag 0x77, time 1325683329
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=1003 op=0 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f272017aa70 ptr=0x7f272017aa73 end=0x7f272017aa8d len=26
  0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
  0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
conn=1003 op=0 STARTTLS
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 15
  0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
  0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
conn=1003 op=0 RESULT oid= err=0 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1003
connection_read(15): checking for input on id=1003
tls_read: want=3, got=3
  0000: 80 3a 01 .:.
tls_read: want=57, got=57
  0000: 03 01 00 21 00 00 00 10 00 00 35 00 00 04 00 00 ...!......5.....
  0010: 05 00 00 2f 00 00 0a 00 00 09 00 00 64 00 00 62 .../........d..b
  0020: 00 00 03 00 00 06 00 00 ff 70 1e 75 15 46 04 b3 .........p.u.F..
  0030: 16 ed d1 87 1c 77 58 06 48 .....wX.H
tls_write: want=2157, written=2157
  0000: 16 03 01 08 68 02 00 00 4d 03 01 4f 04 52 81 3c ....h...M..O.R.<
  0010: c6 b8 b6 8a d8 4a 75 83 a7 fc 09 13 2c c8 d4 d4 .....Ju.....,...
  0020: ce e7 12 73 80 bc 42 f6 f2 05 de 20 6c db 35 d1 ...s..B.... l.5.
  0030: e0 2b bb 93 a4 c2 8c 82 df 51 58 0a 93 e6 c9 ff .+.......QX.....
  0040: 10 0d 92 08 6c 96 3e f8 92 aa d8 83 00 35 00 00 ....l.>......5..
  0050: 05 ff 01 00 01 00 0b 00 06 d3 00 06 d0 00 02 e3 ................
  0060: 30 82 02 df 30 82 01 c7 02 09 00 a6 1d 1f 28 63 0...0.........(c
  0070: 5e 6a 57 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 ^jW0...*.H......
  0080: 05 00 30 81 87 31 0b 30 09 06 03 55 04 06 13 02 ..0..1.0...U....
  0090: 66 72 31 0f 30 0d 06 03 55 04 08 0c 06 66 72 61 fr1.0...U....fra
  00a0: 6e 63 65 31 11 30 0f 06 03 55 04 07 0c 08 6d 6f nce1.0...U....mo
  00b0: 6e 74 69 67 6e 79 31 0e 30 0c 06 03 55 04 0a 0c ntigny1.0...U...
  00c0: 05 61 66 6e 69 63 31 0d 30 0b 06 03 55 04 0b 0c .example1.0...U...
  00d0: 04 6c 64 61 70 31 0d 30 0b 06 03 55 04 03 0c 04 .ldap1.0...U....
  00e0: 6c 64 61 70 31 26 30 24 06 09 2a 86 48 86 f7 0d ldap1&0$..*.H...
  00f0: 01 09 01 16 17 6f 6c 69 76 69 65 72 2e 67 75 69 .....olivier.gui
  0100: 6c 6c 61 72 64 40 6e 69 63 2e 66 72 30 1e 17 0d llard@example.fr0...
  0110: 31 31 31 32 32 39 31 35 33 39 35 38 5a 17 0d 32 111229153958Z..2
  0120: 31 30 37 32 39 31 35 33 39 35 38 5a 30 81 a2 31 10729153958Z0..1
  0130: 0b 30 09 06 03 55 04 06 13 02 66 72 31 0f 30 0d .0...U....fr1.0.
  0140: 06 03 55 04 08 0c 06 66 72 61 6e 63 65 31 11 30 ..U....france1.0
  0150: 0f 06 03 55 04 07 0c 08 6d 6f 6e 74 69 67 6e 79 ...U....myplace
  0160: 31 0e 30 0c 06 03 55 04 0a 0c 05 61 66 6e 69 63 1.0...U....example
  0170: 31 0d 30 0b 06 03 55 04 0b 0c 04 6c 64 61 70 31 1.0...U....ldap1
  0180: 28 30 26 06 03 55 04 03 0c 1f 6c 64 61 70 32 2e (0&..U....ldap2.
  0190: 64 61 74 61 62 61 73 65 2e 70 72 69 76 65 2e 74 t
  01a0: 68 33 2e 6e 69 63 2e 66 72 31 26 30 24 06 09 2a h3.example.fr1&0$..*
  01b0: 86 48 86 f7 0d 01 09 01 16 17 4f 6c 69 76 69 65 .H........Olivie
  01c0: 72 2e 47 75 69 6c 6c 61 72 64 40 6e 69 63 2e 66 r.Guillard@example.f
  01d0: 72 30 5c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 r0\0...*.H......
  01e0: 05 00 03 4b 00 30 48 02 41 00 bf 72 68 cc 54 9d ...K.0H.A..rh.T.
  01f0: 10 d3 8b c0 4a 1b 5c 90 d6 03 7a 41 5e 05 6f 8d ....J....zA^.o.
  0200: cc 2d 61 31 7b 94 0f c2 f7 c1 51 8a 4f d5 59 89 .-a1{.....Q.O.Y.
  0210: 51 79 87 3f fa c3 5f af 30 8c 87 f8 ca be bb 0b Qy.?.._.0.......
  0220: 28 8c d5 4a 3a 73 b5 a9 e3 d9 02 03 01 00 01 30 (..J:s.........0
  0230: 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 ...*.H..........
  0240: 01 01 00 c0 3c 2a 0a d4 af 13 24 b5 2a 2b e3 cd ....<*....$.*+..
  0250: 0f 57 f6 86 99 e1 ae ba d7 b2 87 4e 02 a6 d6 a3 .W.........N....
  0260: 7d 9f 7b 89 03 61 ac b6 40 9e 93 ca 8d 3a d4 95 }.{..a..@....:..
  0270: 7a 48 e2 9a 01 2f ed 3d 2b c3 96 41 c0 58 39 cf zH.../.=+..A.X9.
  0280: 52 a2 db 08 78 85 c4 85 17 08 d8 11 62 60 8e d0 R...x.......b`..
  0290: b5 61 71 fe 83 d5 94 9d f2 42 1d b5 56 bd fa 67 .aq......B..V..g
  02a0: db 8e bf 09 af ef e3 b0 c8 0a f1 38 8b bf 59 75 ...........8..Yu
  02b0: 6a 21 01 c0 0b 8c cf 87 20 d2 2f d9 89 a0 37 11 j!...... ./...7.
  02c0: a0 62 6a a1 32 4b ff e4 cf 30 4c 8f 8e ef d2 51 .bj.2K...0L....Q
  02d0: ec cc d1 fc 21 43 58 5e 09 40 8b bf ca bb fc 4f ....!CX^.@.....O
  02e0: d1 d4 e9 cf 80 8f b1 af 72 d0 ff c1 d7 52 f3 4b ........r....R.K
  02f0: e3 85 69 ef e9 36 6e 4d 54 13 d2 bd 3b 93 ad ed ..i..6nMT...;...
  0300: 6e 36 cc 4f e6 b9 c5 01 1e 86 c8 88 aa de a6 7b n6.O...........{
  0310: c1 99 9a 3f c5 69 9e af e0 94 6e ba 51 5b ec 2a ...?.i....n.Q[.*
  0320: 2c aa 09 ff 4a 27 15 96 ad 9f b0 5c f0 c4 9c 34 ,...J'........4
  0330: 53 32 03 1c d4 e2 dd b8 96 88 d2 5d b2 c6 e1 5e S2.........]...^
  0340: 32 ba 81 00 03 e7 30 82 03 e3 30 82 02 cb a0 03 2.....0...0.....
  0350: 02 01 02 02 09 00 a1 67 1e 44 66 c6 f6 59 30 0d .......g.Df..Y0.
  0360: 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 87 ..*.H........0..
  0370: 31 0b 30 09 06 03 55 04 06 13 02 66 72 31 0f 30 1.0...U....fr1.0
  0380: 0d 06 03 55 04 08 0c 06 66 72 61 6e 63 65 31 11 ...U....france1.
  0390: 30 0f 06 03 55 04 07 0c 08 6d 6f 6e 74 69 67 6e 0...U....montign
  03a0: 79 31 0e 30 0c 06 03 55 04 0a 0c 05 61 66 6e 69 y1.0...U....afni
  03b0: 63 31 0d 30 0b 06 03 55 04 0b 0c 04 6c 64 61 70 c1.0...U....ldap
  03c0: 31 0d 30 0b 06 03 55 04 03 0c 04 6c 64 61 70 31 1.0...U....ldap1
  03d0: 26 30 24 06 09 2a 86 48 86 f7 0d 01 09 01 16 17 &0$..*.H........
  03e0: 6f 6c 69 76 69 65 72 2e 67 75 69 6c 6c 61 72 64 olivier.guillard
  03f0: 40 6e 69 63 2e 66 72 30 1e 17 0d 31 31 31 32 32 @example.fr0...11122
  0400: 39 31 34 31 33 35 35 5a 17 0d 33 31 31 32 32 34 9141355Z..311224
  0410: 31 34 31 33 35 35 5a 30 81 87 31 0b 30 09 06 03 141355Z0..1.0...
  0420: 55 04 06 13 02 66 72 31 0f 30 0d 06 03 55 04 08 U....fr1.0...U..
  0430: 0c 06 66 72 61 6e 63 65 31 11 30 0f 06 03 55 04 ..france1.0...U.
  0440: 07 0c 08 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c 06 ...myplace1.0..
  0450: 03 55 04 0a 0c 05 61 66 6e 69 63 31 0d 30 0b 06 .U....example1.0..
  0460: 03 55 04 0b 0c 04 6c 64 61 70 31 0d 30 0b 06 03 .U....ldap1.0...
  0470: 55 04 03 0c 04 6c 64 61 70 31 26 30 24 06 09 2a U....ldap1&0$..*
  0480: 86 48 86 f7 0d 01 09 01 16 17 6f 6c 69 76 69 65 .H........olivie
  0490: 72 2e 67 75 69 6c 6c 61 72 64 40 6e 69 63 2e 66 r.guillard@example.f
  04a0: 72 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 r0.."0...*.H....
  04b0: 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 .........0......
  04c0: 01 00 c8 90 e1 61 d2 28 38 aa 35 a9 21 5b f7 2b .....a.(8.5.![.+
  04d0: f2 ed 04 5c 73 03 c5 f8 f9 97 5a 53 3b 39 bf aa ...\s.....ZS;9..
  04e0: 20 b8 45 c1 92 2e 27 ea bf b1 78 57 f9 41 a3 b3 .E...'...xW.A..
  04f0: 23 11 fc 8d 79 ea 21 a9 01 c0 ce 01 27 e6 0f a6 #...y.!.....'...
  0500: 13 8d 12 5c 72 bf ba 60 41 71 76 94 99 da 43 f7 ...\r..`Aqv...C.
  0510: e0 f9 b4 2f e7 25 7c 36 4f e9 4f dc 18 26 a9 7c .../.%|6O.O..&.|
  0520: ad 98 2a 9c 91 16 76 41 31 1e 5d dd 81 2a b9 38 ..*...vA1.]..*.8
  0530: ec 91 5c 91 11 03 fb 14 7d 59 d5 49 6d 32 42 c7 .......}Y.Im2B.
  0540: 66 73 58 b0 fb 02 b4 a0 4d 3e e3 3c ab ff 8c 42 fsX.....M>.<...B
  0550: 83 51 b5 51 b7 19 71 61 f8 39 5c b7 8d 1a 70 97 .Q.Q..qa.9...p.
  0560: 69 5d e6 47 9e 7e ae ec 5c 7c be 73 7b d0 df df i].G.~..|.s{...
  0570: a7 53 6d a8 d3 d3 f6 7e e6 2f 13 3e c5 80 e6 f2 .Sm....~./.>....
  0580: fe 2a cc d4 1e 4d 3d 6a bc b0 a9 fa a5 51 12 31 .*...M=j.....Q.1
  0590: 0e 41 2d 7a 8a 52 de 66 bd 3b 0c ef fa 9b fe 82 .A-z.R.f.;......
  05a0: df ad 1c 7f d9 53 4b c0 db fe f3 e6 b9 3d ea 5d .....SK......=.]
  05b0: 66 7f fb 14 41 b5 0a e7 70 11 4e 5d 80 69 04 bd f...A...p.N].i..
  05c0: 9e 97 02 03 01 00 01 a3 50 30 4e 30 1d 06 03 55 ........P0N0...U
  05d0: 1d 0e 04 16 04 14 24 05 af 2a 63 a4 0b 0f ae a4 ......$..*c.....
  05e0: e2 2c e9 13 40 5a 8b d7 a4 41 30 1f 06 03 55 1d .,..@Z...A0...U.
  05f0: 23 04 18 30 16 80 14 24 05 af 2a 63 a4 0b 0f ae #..0...$..*c....
  0600: a4 e2 2c e9 13 40 5a 8b d7 a4 41 30 0c 06 03 55 ..,..@Z...A0...U
  0610: 1d 13 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 ....0....0...*.H
  0620: 86 f7 0d 01 01 05 05 00 03 82 01 01 00 57 2d 0a .............W-.
  0630: d5 88 d0 98 2b 9e f9 d7 bc e6 82 08 65 25 d9 65 ....+.......e%.e
  0640: 84 98 e3 da a3 36 a1 6f 40 3b d0 d8 16 3d 48 06 .....6.o@;...=H.
  0650: 6c ee 99 fd b6 4c f3 3b 10 50 bb 71 97 6e 4d e0 l....L.;.P.q.nM.
  0660: 77 48 57 5b db d1 e6 ca c8 80 79 d0 f5 17 94 5d wHW[......y....]
  0670: 11 93 07 74 8b 5c 4b b1 ad 45 1f 5a 2c d9 6e e8 ...t.\K..E.Z,.n.
  0680: d4 7a e4 99 e7 ba 86 36 93 1d 4c 0e 9b 13 4d ef .z.....6..L...M.
  0690: 25 72 7b ae b0 f1 95 c0 17 dc 4a c0 ed 04 b5 54 %r{.......J....T
  06a0: 98 90 47 2f dc f0 1c 5a ca b0 2e 0d ee 58 14 e8 ..G/...Z.....X..
  06b0: 2c d0 cd a8 d9 2c ae 2f 65 81 89 70 af f9 d8 01 ,....,./e..p....
  06c0: 1b 14 ae 63 1d 90 af 3d 29 71 7d 74 4a e8 7a e5 ...c...=)q}tJ.z.
  06d0: ed a0 fb 9b ce 1d 5a e2 82 7e c4 bc 97 88 e7 06 ......Z..~......
  06e0: 66 86 77 23 85 29 2c b1 28 72 8c af a5 51 96 b1 f.w#.),.(r...Q..
  06f0: d5 dc 51 62 bd 2d e6 8f 4c 22 24 4e e1 c6 a3 64 ..Qb.-..L"$N...d
  0700: 40 fc e9 d8 6d b1 48 d8 80 10 3a 6a bc 35 06 d9 @...m.H...:j.5..
  0710: 4c e8 4c e6 66 82 9d fd a9 a2 9f 3e 13 37 c0 52 L.L.f......>.7.R
  0720: 3f c3 15 e1 3e 9c 05 67 b2 11 0d 38 a4 0d 00 01 ?...>..g...8....
  0730: 38 02 01 02 01 33 00 8a 30 81 87 31 0b 30 09 06 8....3..0..1.0..
  0740: 03 55 04 06 13 02 66 72 31 0f 30 0d 06 03 55 04 .U....fr1.0...U.
  0750: 08 0c 06 66 72 61 6e 63 65 31 11 30 0f 06 03 55 ...france1.0...U
  0760: 04 07 0c 08 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c ....myplace1.0.
  0770: 06 03 55 04 0a 0c 05 61 66 6e 69 63 31 0d 30 0b ..U....example1.0.
  0780: 06 03 55 04 0b 0c 04 6c 64 61 70 31 0d 30 0b 06 ..U....ldap1.0..
  0790: 03 55 04 03 0c 04 6c 64 61 70 31 26 30 24 06 09 .U....ldap1&0$..
  07a0: 2a 86 48 86 f7 0d 01 09 01 16 17 6f 6c 69 76 69 *.H........olivi
  07b0: 65 72 2e 67 75 69 6c 6c 61 72 64 40 6e 69 63 2e er.guillard@example.
  07c0: 66 72 00 a5 30 81 a2 31 0b 30 09 06 03 55 04 06 fr..0..1.0...U..
  07d0: 13 02 66 72 31 0f 30 0d 06 03 55 04 08 0c 06 66 ..fr1.0...U....f
  07e0: 72 61 6e 63 65 31 11 30 0f 06 03 55 04 07 0c 08 rance1.0...U....
  07f0: 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c 06 03 55 04 myplace1.0...U.
  0800: 0a 0c 05 61 66 6e 69 63 31 0d 30 0b 06 03 55 04 ...example1.0...U.
  0810: 0b 0c 04 6c 64 61 70 31 28 30 26 06 03 55 04 03 ...ldap1(0&..U..
  0820: 0c 1f 6c 64 61 70 32 2e 64 61 74 61 62 61 73 65 ..ldap2.
  0830: 2e 70 72 69 76 65 2e 74 68 33 2e 6e 69 63 2e 66 .th3.example.fr
  0840: 72 31 26 30 24 06 09 2a 86 48 86 f7 0d 01 09 01 1&0$..*.H.......
  0850: 16 17 4f 6c 69 76 69 65 72 2e 47 75 69 6c 6c 61 .Olivier.Guilla
  0860: 72 64 40 6e 69 63 2e 66 72 0e 00 00 00 rd@example.fr....
tls_read: want=5 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1003
connection_read(15): checking for input on id=1003
tls_read: want=5, got=5
  0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
  0000: 02 30 .0
TLS: error: accept - force handshake failure: errno 11 - moznss error -12195
TLS: can't accept: TLS error -12195:Unknown code ___P 93.
connection_read(15): TLS accept failure error=-1 id=1003, closing
connection_closing: readying conn=1003 sd=15 for close
connection_close: conn=1003 sd=15
daemon: removing 15
conn=1003 fd=15 closed (TLS negotiation failure)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
^Cdaemon: shutdown requested and initiated.
daemon: closing 7
connection_closing: readying conn=1000 sd=13 for close
connection_close: conn=1000 sd=13
daemon: removing 13
conn=1000 fd=13 closed (slapd shutdown)
As far as I can see it doesn't look like
[root@ldap2 cacerts]# openssl s_server -accept 5555 -key /etc/openldap/cacerts/server.key -cert /etc/openldap/cacerts/server.crt -state
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMBBAIAOQQABDB88nXC0TcyHgrQcZ+51a/16Nw874VzV1cEEkOMwfSy
VCIJ8jOiylXmk2gHkAK7y6OhBgIETwRP56IEAgIBLKQGBAQBAAAAqwMEAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
[guillard@fouine ~]$ openssl s_client -CAfile /etc/openldap/cacerts/CA.crt -connect ldap2.th3.example.fr:5555
CONNECTED(00000003)
depth=1 C = fr, ST = france, L = myplace, O = example, OU = ldap, CN = ldap, emailAddress = olivier.guillard@example.fr
verify return:1
depth=0 C = fr, ST = france, L = myplace, O = example, OU = ldap, CN = ldap2.th3.example.fr, emailAddress = Olivier.Guillard@example.fr
verify return:1
---
Certificate chain
 0 s:/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap2.th3.example.fr/emailAddress=Olivier.Guillard@example.fr
   i:/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap/emailAddress=olivier.guillard@example.fr
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3zCCAccCCQCmHR8oY15qVzANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC
ZnIxDzANBgNVBAgMBmZyYW5jZTERMA8GA1UEBwwIbW9udGlnbnkxDjAMBgNVBAoM
BWFmbmljMQ0wCwYDVQQLDARsZGFwMQ0wCwYDVQQDDARsZGFwMSYwJAYJKoZIhvcN
AQkBFhdvbG24KJJD7GJVBIYTIVHTFJCGFDHGFXGRFCYTDFYTDjkxNTM5NThaFw0y
MTA3MjkxNTM5NThaMIGiMQswCQYDVQQGEwJmcjEPMA0GA1UECAwGZnJhbmNlMREw
DwYDVQQHDAhtb250aWdueTEOMAwGA1UECgwFYWZuaWMxDTALBgNVBAsMBGxkYXAx
KDAmBgNVBAMMH2xkYXAyLmRhdGFiYXNlLnByaXZlLnRoMy5uaWMuZnIxJjAkBgkq
hkiG9w0BCQEWFNBIHGJ4UTFHGXCYTDCYXDYCYTFCUGCUTTFUYFUJKoZIhvcNAQEB
BQADSwAwSAJBAL9yaMxUnRDTi8BKG1yQ1gN6QV4Fb43MLWExe5QPwvfBUYpP1VmJ
UXmHP/rDX68wjIf4yr67CyiM1Uo6c7Wp49kCAwEAATANBgkqhkiG9w0BAQUFAAOC
AQEAwDwqCtSvEyS1KivjzQ9X9oaZ4a6617KHTgKm1qN9n3uJA2GstkCek8qNOtSV
ekjimgEv7T0rw5ZBwFg5z1Ki2wh4hcSFFwjYEWJgjtC1YXH+g9WUnfJCHbVWvfpn
246NBVJHJHVJVJJKVJHVJHVJKHVJHVJHVJHVJHVJHVJHVJHVJHVJHVJHVJHV79JR
7MzR/CFDWF4JQIu/yrv8T9HU6c+Aj7GvctD/wddS80vjhWnv6TZuTVQT0r07k63t
bjbMT+a5xQEehsiIqt6me8GZmj/FaZ6v4JRuulFb7Cosqgn/SicVlq2fsFzwxJw0
UzIDHNTi3biWiNJdssbhXjK6gQ==
-----END CERTIFICATE-----
subject=/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap2.th3.example.fr/emailAddress=Olivier.Guillard@example.fr
issuer=/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap/emailAddress=olivier.guillard@example.fr
---
No client certificate CA names sent
---
SSL handshake has read 1265 bytes and written 247 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DBCDE5CD6EB4D7FF8C38DD1557CA90EDBEDDCB27600CFA4D1FD9D58388A11EBE
    Session-ID-ctx:
    Master-Key: 7CF275C2D137321E0AD0719FB9D5AFF5E8DC3CEF857357570412438CC1F4B2542209F233A2CA55E69368079002BBCBA3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - c2 bb 20 23 85 0a cf b0-bc b2 6d cd 4b d2 32 0e   .. #......m.K.2.
    0010 - 6f 51 29 7f 3a 44 c3 95-76 c2 c6 23 e5 8d 98 3c   oQ).:D..v..#...<
    0020 - 7a b9 eb 6b 8e d1 c5 c4-57 74 26 34 4c db ec fe   z..k....Wt&4L...
    0030 - a9 3b 77 12 fb 74 67 fb-57 f1 8f 2a 71 d3 a6 ae   .;w..tg.W..*q...
    0040 - 17 48 9e bf 7d 94 1f c3-d4 02 6e 7f 27 07 f4 d6   .H..}.....n.'...
    0050 - 98 6f 24 6c f9 63 b7 4c-cd ce d8 85 e5 be 3e fd   .o$l.c.L......>.
    0060 - 65 a2 1b 36 cc 26 76 3b-d3 f6 cf e1 f9 a7 c3 c2   e..6.&v;........
    0070 - 2f fe 8f 3c 7c d1 0f 58-43 be d7 a5 64 69 04 91   /..<|..XC...di..
    0080 - cb 68 08 82 fe 8d 9d 4e-1b 0f 96 27 59 5e d8 76   .h.....N...'Y^.v
    0090 - be 44 01 6d 53 2e 9e 67-22 07 35 d1 6f a4 80 e1   .D.mS..g".5.o...

    Compression: 1 (zlib compression)
    Start Time: 1325682663
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C
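The slapd trace in the message above already contains what is needed to read the failure without guessing at the two error numbers. The script below is an added illustration, not code from the thread or from OpenLDAP: it decodes the three fragments a reader of that log would look at, the client's SSLv2-compatible CLIENT-HELLO (the record beginning 80 3a 01), the start of the 2157-byte flight slapd wrote back (ServerHello, then the Certificate message and the first bytes of the server certificate), and the 7-byte alert the client sent before the connection was closed. The byte strings are transcribed from the hex dumps above; cipher-suite, handshake and alert names are the IANA/RFC 5246 ones, and the NSS error table is a small subset of the constants in NSS's secerr.h and sslerr.h (bases -0x2000 and -0x3000, which is why slapd prints the offsets 20 and 93 after "Unknown code").

```python
"""Decode the TLS fragments slapd -d logged during the failing StartTLS above.
Added example, not from the thread: the bytes are transcribed from the log's hex
dumps and the NSS error names are a subset of NSS's secerr.h / sslerr.h."""
import struct

# From the log: the client hello (tls_read 3 + 57 bytes), the first 112 of the
# 2157 bytes slapd wrote back, and the alert (tls_read 5 + 2 bytes) that ended it.
CLIENT_HELLO = bytes.fromhex(
    "803a01" "0301" "0021" "0000" "0010" "000035" "000004" "000005" "00002f"
    "00000a" "000009" "000064" "000062" "000003" "000006" "0000ff"
    "701e75154604b316edd1871c77580648")
SERVER_FLIGHT_HEAD = bytes.fromhex(
    "16030108680200004d03014f0452813c" "c6b8b68ad84a7583a7fc09132cc8d4d4"
    "cee7127380bc42f6f205de206cdb35d1" "e02bbb93a4c28c82df51580a93e6c9ff"
    "100d92086c963ef892aad88300350000" "05ff010001000b0006d30006d00002e3"
    "308202df308201c7020900a61d1f2863")
ALERT = bytes.fromhex("15030100020230")

CIPHER_SUITES = {  # IANA registry names for the codes that appear in the log
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", 0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}
HANDSHAKE_TYPES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied"}
SEC_ERROR_BASE, SSL_ERROR_BASE = -0x2000, -0x3000  # secerr.h, sslerr.h
NSS_ERRORS = {SEC_ERROR_BASE + 13: "SEC_ERROR_UNKNOWN_ISSUER",
              SEC_ERROR_BASE + 20: "SEC_ERROR_UNTRUSTED_ISSUER",
              SSL_ERROR_BASE + 17: "SSL_ERROR_BAD_CERT_ALERT",
              SSL_ERROR_BASE + 93: "SSL_ERROR_UNKNOWN_CA_ALERT"}


def nss_error(code):
    """Name an NSS error; the number slapd prints after 'Unknown code ___' is code - base."""
    base = SEC_ERROR_BASE if code >= SEC_ERROR_BASE else SSL_ERROR_BASE
    return NSS_ERRORS.get(code, "unknown"), code - base


def parse_ssl2_client_hello(data):
    """SSLv2-compatible CLIENT-HELLO: 2-byte header (high bit set, 15-bit length),
    then msg type, version, and cipher-spec / session-id / challenge lengths."""
    if not data[0] & 0x80:
        raise ValueError("not an SSLv2-style record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError(f"truncated record: want {rec_len}, got {len(body)}")
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBBHHH", body[:9])
    specs = body[9:9 + cs_len]                                   # 3 bytes per suite
    suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {"msg_type": msg_type, "version": (major, minor), "session_id_len": sid_len,
            "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
            "challenge": body[9 + cs_len + sid_len:9 + cs_len + sid_len + ch_len]}


def parse_tls_record(data):
    """Split off a TLS record header; the body may be shorter than announced."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    return {"type": ctype, "version": (major, minor), "length": length,
            "body": body, "truncated": len(body) < length}


def decode_alert(data):
    """Alert record: content type 0x15 carrying a level byte and a description byte."""
    rec = parse_tls_record(data)
    if rec["type"] != 0x15 or len(rec["body"]) < 2:
        raise ValueError("not a complete alert record")
    level, desc = rec["body"][0], rec["body"][1]
    return {"fatal": level == 2, "code": desc, "description": ALERT_DESCRIPTIONS.get(desc, str(desc))}


def _der_header_len(buf, off):
    """Bytes used by the DER tag and length at buf[off] (short or long length form)."""
    first = buf[off + 1]
    return 2 + ((first & 0x7F) if first & 0x80 else 0)


def x509_version(der):
    """X.509 version from the leading bytes of a DER certificate: the [0] EXPLICIT
    version field is omitted for v1, so tbsCertificate then opens with the serial INTEGER."""
    off = _der_header_len(der, 0)               # Certificate SEQUENCE
    off += _der_header_len(der, off)            # tbsCertificate SEQUENCE
    if der[off] == 0xA0:                         # [0] { INTEGER version }, encoded as version - 1
        return der[off + 4] + 1
    if der[off] == 0x02:
        return 1
    raise ValueError("unexpected tag at start of tbsCertificate")


def _parse_server_hello(b):
    sid_len = b[34]                              # after 2-byte version and 32-byte random
    off = 35 + sid_len
    suite = int.from_bytes(b[off:off + 2], "big")
    compression, off, exts = b[off + 2], off + 3, []
    if off + 2 <= len(b):                        # the extensions block is optional
        end = off + 2 + int.from_bytes(b[off:off + 2], "big")
        off += 2
        while off + 4 <= end:
            exts.append(int.from_bytes(b[off:off + 2], "big"))
            off += 4 + int.from_bytes(b[off + 2:off + 4], "big")
    return {"version": (b[0], b[1]), "session_id_len": sid_len, "compression": compression,
            "cipher_suite": CIPHER_SUITES.get(suite, f"0x{suite:04x}"), "extensions": exts}


def parse_server_flight(data):
    """Walk the handshake messages in the server's first record, tolerating a cut-off dump."""
    rec = parse_tls_record(data)
    if rec["type"] != 0x16:
        raise ValueError("not a handshake record")
    body, off, msgs = rec["body"], 0, []
    while off + 4 <= len(body):
        htype, hlen = body[off], int.from_bytes(body[off + 1:off + 4], "big")
        hbody = body[off + 4:off + 4 + hlen]
        msg = {"type": HANDSHAKE_TYPES.get(htype, str(htype)), "length": hlen,
               "truncated": len(hbody) < hlen}
        if htype == 2 and not msg["truncated"]:
            msg.update(_parse_server_hello(hbody))
        elif htype == 11 and len(hbody) >= 19:   # list length, first cert length, DER prefix
            msg["chain_length"] = int.from_bytes(hbody[0:3], "big")
            msg["first_cert_length"] = int.from_bytes(hbody[3:6], "big")
            msg["first_cert_x509_version"] = x509_version(hbody[6:])
        msgs.append(msg)
        off += 4 + hlen
    return {"record_length": rec["length"], "messages": msgs}
```

Fed the bytes from the log, parse_ssl2_client_hello reports a TLS 1.0 hello in SSLv2 framing that offers only RSA-key-exchange suites (several of them export-grade) plus the renegotiation SCSV; parse_server_flight shows the server picked TLS_RSA_WITH_AES_256_CBC_SHA and sent a 1744-byte chain whose first certificate is 739 bytes and X.509 v1; decode_alert shows the client answered with a fatal unknown_ca alert (code 48). NSS names that alert SSL_ERROR_UNKNOWN_CA_ALERT (-12195, offset 93) on the side that receives it and SEC_ERROR_UNTRUSTED_ISSUER (-8172, offset 20) on the side that sends it, which are exactly the two numbers in the thread. Both say the same thing: ldapsearch did not trust the issuer of the certificate slapd presented, so the thing to check is the trust store ldapsearch itself uses (TLS_CACERT or TLS_CACERTDIR in ldap.conf or ~/.ldaprc) rather than the server's files, which the s_client run against port 5555 validated with the CA.crt on the client box. The same fragment also shows the renewed server certificate is X.509 v1 and, per the s_client output, carries a 512-bit RSA key, which is trivially factorable and refused by current TLS libraries; both are worth fixing at the same time as the trust-store problem.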
On 01/04/2012 07:32 AM, Olivier wrote:
I had to renew my OpenSSL certificates and now my LDAP TLS negotiation doesn't work anymore:
Please describe the exact steps you used to "renew" your certificates, update files, etc. Did you use the exact same CA? Is this a self-signed CA + ssl server cert?
$ ldapsearch -ZZ -D uid=guillard,ou=staff,ou=people,dc=example,dc=fr -W uid=guillard -h ldap2.th3.example.fr ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Unknown code ___f 20
Here are the server configuration relevant directives :
olcTLSCACertificateFile /etc/openldap/cacerts/CA.crt olcTLSCertificateFile /etc/openldap/cacerts/server.crt olcTLSCertificateKeyFile /etc/openldap/cacerts/server.key olcTLSCipherSuite HIGH
( see at the very end of this mail : these certificates are correct since I have successfully proceed to openssl connexion tests).
and here are logs collected on the server side when receiving ldapsearch request :
daemon: activity on 1 descriptor daemon: activity on: slap_listener_activate(7): daemon: epoll: listen=7 busy
slap_listener(ldap://ldap2.th3.example.fr:389)
daemon: listen=7, new connection on 15 daemon: added 15r (active) listener=(nil) conn=1003 fd=15 ACCEPT from IP=10.10.86.93:41013 (IP=10.1.92.25:389) daemon: activity on 2 descriptors daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1003 connection_read(15): checking for input on id=1003 ber_get_next ldap_read: want=8, got=8 0000: 30 1d 02 01 01 77 18 80 0....w.. ldap_read: want=23, got=23 0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146 0010: 36 2e 32 30 30 33 37 6.20037 ber_get_next: tag 0x30 len 29 contents: ber_dump: buf=0x7f272017aa70 ptr=0x7f272017aa70 end=0x7f272017aa8d len=29 0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4 0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037 op tag 0x77, time 1325683329 ber_get_next ldap_read: want=8 error=Resource temporarily unavailable conn=1003 op=0 do_extended ber_scanf fmt ({m) ber: ber_dump: buf=0x7f272017aa70 ptr=0x7f272017aa73 end=0x7f272017aa8d len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037 do_extended: oid=1.3.6.1.4.1.1466.20037 conn=1003 op=0 STARTTLS send_ldap_extended: err=0 oid= len=0 send_ldap_response: msgid=1 tag=120 err=0 ber_flush2: 14 bytes to sd 15 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........ conn=1003 op=0 RESULT oid= err=0 text= daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1003 connection_read(15): checking for input on id=1003 tls_read: want=3, got=3 0000: 80 3a 01 .:. 
tls_read: want=57, got=57 0000: 03 01 00 21 00 00 00 10 00 00 35 00 00 04 00 00 ...!......5..... 0010: 05 00 00 2f 00 00 0a 00 00 09 00 00 64 00 00 62 .../........d..b 0020: 00 00 03 00 00 06 00 00 ff 70 1e 75 15 46 04 b3 .........p.u.F.. 0030: 16 ed d1 87 1c 77 58 06 48 .....wX.H tls_write: want=2157, written=2157 0000: 16 03 01 08 68 02 00 00 4d 03 01 4f 04 52 81 3c ....h...M..O.R.< 0010: c6 b8 b6 8a d8 4a 75 83 a7 fc 09 13 2c c8 d4 d4 .....Ju.....,... 0020: ce e7 12 73 80 bc 42 f6 f2 05 de 20 6c db 35 d1 ...s..B.... l.5. 0030: e0 2b bb 93 a4 c2 8c 82 df 51 58 0a 93 e6 c9 ff .+.......QX..... 0040: 10 0d 92 08 6c 96 3e f8 92 aa d8 83 00 35 00 00 ....l.>......5.. 0050: 05 ff 01 00 01 00 0b 00 06 d3 00 06 d0 00 02 e3 ................ 0060: 30 82 02 df 30 82 01 c7 02 09 00 a6 1d 1f 28 63 0...0.........(c 0070: 5e 6a 57 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 ^jW0...*.H...... 0080: 05 00 30 81 87 31 0b 30 09 06 03 55 04 06 13 02 ..0..1.0...U.... 0090: 66 72 31 0f 30 0d 06 03 55 04 08 0c 06 66 72 61 fr1.0...U....fra 00a0: 6e 63 65 31 11 30 0f 06 03 55 04 07 0c 08 6d 6f nce1.0...U....mo 00b0: 6e 74 69 67 6e 79 31 0e 30 0c 06 03 55 04 0a 0c ntigny1.0...U... 00c0: 05 61 66 6e 69 63 31 0d 30 0b 06 03 55 04 0b 0c .example1.0...U... 00d0: 04 6c 64 61 70 31 0d 30 0b 06 03 55 04 03 0c 04 .ldap1.0...U.... 00e0: 6c 64 61 70 31 26 30 24 06 09 2a 86 48 86 f7 0d ldap1&0$..*.H... 00f0: 01 09 01 16 17 6f 6c 69 76 69 65 72 2e 67 75 69 .....olivier.gui 0100: 6c 6c 61 72 64 40 6e 69 63 2e 66 72 30 1e 17 0d llard@example.fr0... 0110: 31 31 31 32 32 39 31 35 33 39 35 38 5a 17 0d 32 111229153958Z..2 0120: 31 30 37 32 39 31 35 33 39 35 38 5a 30 81 a2 31 10729153958Z0..1 0130: 0b 30 09 06 03 55 04 06 13 02 66 72 31 0f 30 0d .0...U....fr1.0. 
0140: 06 03 55 04 08 0c 06 66 72 61 6e 63 65 31 11 30 ..U....france1.0 0150: 0f 06 03 55 04 07 0c 08 6d 6f 6e 74 69 67 6e 79 ...U....myplace 0160: 31 0e 30 0c 06 03 55 04 0a 0c 05 61 66 6e 69 63 1.0...U....example 0170: 31 0d 30 0b 06 03 55 04 0b 0c 04 6c 64 61 70 31 1.0...U....ldap1 0180: 28 30 26 06 03 55 04 03 0c 1f 6c 64 61 70 32 2e (0&..U....ldap2. 0190: 64 61 74 61 62 61 73 65 2e 70 72 69 76 65 2e 74 t 01a0: 68 33 2e 6e 69 63 2e 66 72 31 26 30 24 06 09 2a h3.example.fr1&0$..* 01b0: 86 48 86 f7 0d 01 09 01 16 17 4f 6c 69 76 69 65 .H........Olivie 01c0: 72 2e 47 75 69 6c 6c 61 72 64 40 6e 69 63 2e 66 r.Guillard@example.f 01d0: 72 30 5c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 r0\0...*.H...... 01e0: 05 00 03 4b 00 30 48 02 41 00 bf 72 68 cc 54 9d ...K.0H.A..rh.T. 01f0: 10 d3 8b c0 4a 1b 5c 90 d6 03 7a 41 5e 05 6f 8d ....J....zA^.o. 0200: cc 2d 61 31 7b 94 0f c2 f7 c1 51 8a 4f d5 59 89 .-a1{.....Q.O.Y. 0210: 51 79 87 3f fa c3 5f af 30 8c 87 f8 ca be bb 0b Qy.?.._.0....... 0220: 28 8c d5 4a 3a 73 b5 a9 e3 d9 02 03 01 00 01 30 (..J:s.........0 0230: 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 ...*.H.......... 0240: 01 01 00 c0 3c 2a 0a d4 af 13 24 b5 2a 2b e3 cd ....<*....$.*+.. 0250: 0f 57 f6 86 99 e1 ae ba d7 b2 87 4e 02 a6 d6 a3 .W.........N.... 0260: 7d 9f 7b 89 03 61 ac b6 40 9e 93 ca 8d 3a d4 95 }.{..a..@....:.. 0270: 7a 48 e2 9a 01 2f ed 3d 2b c3 96 41 c0 58 39 cf zH.../.=+..A.X9. 0280: 52 a2 db 08 78 85 c4 85 17 08 d8 11 62 60 8e d0 R...x.......b`.. 0290: b5 61 71 fe 83 d5 94 9d f2 42 1d b5 56 bd fa 67 .aq......B..V..g 02a0: db 8e bf 09 af ef e3 b0 c8 0a f1 38 8b bf 59 75 ...........8..Yu 02b0: 6a 21 01 c0 0b 8c cf 87 20 d2 2f d9 89 a0 37 11 j!...... ./...7. 02c0: a0 62 6a a1 32 4b ff e4 cf 30 4c 8f 8e ef d2 51 .bj.2K...0L....Q 02d0: ec cc d1 fc 21 43 58 5e 09 40 8b bf ca bb fc 4f ....!CX^.@.....O 02e0: d1 d4 e9 cf 80 8f b1 af 72 d0 ff c1 d7 52 f3 4b ........r....R.K 02f0: e3 85 69 ef e9 36 6e 4d 54 13 d2 bd 3b 93 ad ed ..i..6nMT...;... 
0300: 6e 36 cc 4f e6 b9 c5 01 1e 86 c8 88 aa de a6 7b n6.O...........{ 0310: c1 99 9a 3f c5 69 9e af e0 94 6e ba 51 5b ec 2a ...?.i....n.Q[.* 0320: 2c aa 09 ff 4a 27 15 96 ad 9f b0 5c f0 c4 9c 34 ,...J'........4 0330: 53 32 03 1c d4 e2 dd b8 96 88 d2 5d b2 c6 e1 5e S2.........]...^ 0340: 32 ba 81 00 03 e7 30 82 03 e3 30 82 02 cb a0 03 2.....0...0..... 0350: 02 01 02 02 09 00 a1 67 1e 44 66 c6 f6 59 30 0d .......g.Df..Y0. 0360: 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 87 ..*.H........0.. 0370: 31 0b 30 09 06 03 55 04 06 13 02 66 72 31 0f 30 1.0...U....fr1.0 0380: 0d 06 03 55 04 08 0c 06 66 72 61 6e 63 65 31 11 ...U....france1. 0390: 30 0f 06 03 55 04 07 0c 08 6d 6f 6e 74 69 67 6e 0...U....montign 03a0: 79 31 0e 30 0c 06 03 55 04 0a 0c 05 61 66 6e 69 y1.0...U....afni 03b0: 63 31 0d 30 0b 06 03 55 04 0b 0c 04 6c 64 61 70 c1.0...U....ldap 03c0: 31 0d 30 0b 06 03 55 04 03 0c 04 6c 64 61 70 31 1.0...U....ldap1 03d0: 26 30 24 06 09 2a 86 48 86 f7 0d 01 09 01 16 17&0$..*.H........ 03e0: 6f 6c 69 76 69 65 72 2e 67 75 69 6c 6c 61 72 64 olivier.guillard 03f0: 40 6e 69 63 2e 66 72 30 1e 17 0d 31 31 31 32 32 @example.fr0...11122 0400: 39 31 34 31 33 35 35 5a 17 0d 33 31 31 32 32 34 9141355Z..311224 0410: 31 34 31 33 35 35 5a 30 81 87 31 0b 30 09 06 03 141355Z0..1.0... 0420: 55 04 06 13 02 66 72 31 0f 30 0d 06 03 55 04 08 U....fr1.0...U.. 0430: 0c 06 66 72 61 6e 63 65 31 11 30 0f 06 03 55 04 ..france1.0...U. 0440: 07 0c 08 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c 06 ...myplace1.0.. 0450: 03 55 04 0a 0c 05 61 66 6e 69 63 31 0d 30 0b 06 .U....example1.0.. 0460: 03 55 04 0b 0c 04 6c 64 61 70 31 0d 30 0b 06 03 .U....ldap1.0... 0470: 55 04 03 0c 04 6c 64 61 70 31 26 30 24 06 09 2a U....ldap1&0$..* 0480: 86 48 86 f7 0d 01 09 01 16 17 6f 6c 69 76 69 65 .H........olivie 0490: 72 2e 67 75 69 6c 6c 61 72 64 40 6e 69 63 2e 66 r.guillard@example.f 04a0: 72 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 r0.."0...*.H.... 04b0: 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 .........0...... 
04c0: 01 00 c8 90 e1 61 d2 28 38 aa 35 a9 21 5b f7 2b .....a.(8.5.![.+ 04d0: f2 ed 04 5c 73 03 c5 f8 f9 97 5a 53 3b 39 bf aa ...\s.....ZS;9.. 04e0: 20 b8 45 c1 92 2e 27 ea bf b1 78 57 f9 41 a3 b3 .E...'...xW.A.. 04f0: 23 11 fc 8d 79 ea 21 a9 01 c0 ce 01 27 e6 0f a6 #...y.!.....'... 0500: 13 8d 12 5c 72 bf ba 60 41 71 76 94 99 da 43 f7 ...\r..`Aqv...C. 0510: e0 f9 b4 2f e7 25 7c 36 4f e9 4f dc 18 26 a9 7c .../.%|6O.O..&.| 0520: ad 98 2a 9c 91 16 76 41 31 1e 5d dd 81 2a b9 38 ..*...vA1.]..*.8 0530: ec 91 5c 91 11 03 fb 14 7d 59 d5 49 6d 32 42 c7 .......}Y.Im2B. 0540: 66 73 58 b0 fb 02 b4 a0 4d 3e e3 3c ab ff 8c 42 fsX.....M>.<...B 0550: 83 51 b5 51 b7 19 71 61 f8 39 5c b7 8d 1a 70 97 .Q.Q..qa.9...p. 0560: 69 5d e6 47 9e 7e ae ec 5c 7c be 73 7b d0 df df i].G.~..|.s{... 0570: a7 53 6d a8 d3 d3 f6 7e e6 2f 13 3e c5 80 e6 f2 .Sm....~./.>.... 0580: fe 2a cc d4 1e 4d 3d 6a bc b0 a9 fa a5 51 12 31 .*...M=j.....Q.1 0590: 0e 41 2d 7a 8a 52 de 66 bd 3b 0c ef fa 9b fe 82 .A-z.R.f.;...... 05a0: df ad 1c 7f d9 53 4b c0 db fe f3 e6 b9 3d ea 5d .....SK......=.] 05b0: 66 7f fb 14 41 b5 0a e7 70 11 4e 5d 80 69 04 bd f...A...p.N].i.. 05c0: 9e 97 02 03 01 00 01 a3 50 30 4e 30 1d 06 03 55 ........P0N0...U 05d0: 1d 0e 04 16 04 14 24 05 af 2a 63 a4 0b 0f ae a4 ......$..*c..... 05e0: e2 2c e9 13 40 5a 8b d7 a4 41 30 1f 06 03 55 1d .,..@Z...A0...U. 05f0: 23 04 18 30 16 80 14 24 05 af 2a 63 a4 0b 0f ae #..0...$..*c.... 0600: a4 e2 2c e9 13 40 5a 8b d7 a4 41 30 0c 06 03 55 ..,..@Z...A0...U 0610: 1d 13 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 ....0....0...*.H 0620: 86 f7 0d 01 01 05 05 00 03 82 01 01 00 57 2d 0a .............W-. 0630: d5 88 d0 98 2b 9e f9 d7 bc e6 82 08 65 25 d9 65 ....+.......e%.e 0640: 84 98 e3 da a3 36 a1 6f 40 3b d0 d8 16 3d 48 06 .....6.o@;...=H. 0650: 6c ee 99 fd b6 4c f3 3b 10 50 bb 71 97 6e 4d e0 l....L.;.P.q.nM. 0660: 77 48 57 5b db d1 e6 ca c8 80 79 d0 f5 17 94 5d wHW[......y....] 0670: 11 93 07 74 8b 5c 4b b1 ad 45 1f 5a 2c d9 6e e8 ...t.\K..E.Z,.n. 
0680: d4 7a e4 99 e7 ba 86 36 93 1d 4c 0e 9b 13 4d ef .z.....6..L...M. 0690: 25 72 7b ae b0 f1 95 c0 17 dc 4a c0 ed 04 b5 54 %r{.......J....T 06a0: 98 90 47 2f dc f0 1c 5a ca b0 2e 0d ee 58 14 e8 ..G/...Z.....X.. 06b0: 2c d0 cd a8 d9 2c ae 2f 65 81 89 70 af f9 d8 01 ,....,./e..p.... 06c0: 1b 14 ae 63 1d 90 af 3d 29 71 7d 74 4a e8 7a e5 ...c...=)q}tJ.z. 06d0: ed a0 fb 9b ce 1d 5a e2 82 7e c4 bc 97 88 e7 06 ......Z..~...... 06e0: 66 86 77 23 85 29 2c b1 28 72 8c af a5 51 96 b1 f.w#.),.(r...Q.. 06f0: d5 dc 51 62 bd 2d e6 8f 4c 22 24 4e e1 c6 a3 64 ..Qb.-..L"$N...d 0700: 40 fc e9 d8 6d b1 48 d8 80 10 3a 6a bc 35 06 d9 @...m.H...:j.5.. 0710: 4c e8 4c e6 66 82 9d fd a9 a2 9f 3e 13 37 c0 52 L.L.f......>.7.R 0720: 3f c3 15 e1 3e 9c 05 67 b2 11 0d 38 a4 0d 00 01 ?...>..g...8.... 0730: 38 02 01 02 01 33 00 8a 30 81 87 31 0b 30 09 06 8....3..0..1.0.. 0740: 03 55 04 06 13 02 66 72 31 0f 30 0d 06 03 55 04 .U....fr1.0...U. 0750: 08 0c 06 66 72 61 6e 63 65 31 11 30 0f 06 03 55 ...france1.0...U 0760: 04 07 0c 08 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c ....myplace1.0. 0770: 06 03 55 04 0a 0c 05 61 66 6e 69 63 31 0d 30 0b ..U....example1.0. 0780: 06 03 55 04 0b 0c 04 6c 64 61 70 31 0d 30 0b 06 ..U....ldap1.0.. 0790: 03 55 04 03 0c 04 6c 64 61 70 31 26 30 24 06 09 .U....ldap1&0$.. 07a0: 2a 86 48 86 f7 0d 01 09 01 16 17 6f 6c 69 76 69 *.H........olivi 07b0: 65 72 2e 67 75 69 6c 6c 61 72 64 40 6e 69 63 2e er.guillard@example. 07c0: 66 72 00 a5 30 81 a2 31 0b 30 09 06 03 55 04 06 fr..0..1.0...U.. 07d0: 13 02 66 72 31 0f 30 0d 06 03 55 04 08 0c 06 66 ..fr1.0...U....f 07e0: 72 61 6e 63 65 31 11 30 0f 06 03 55 04 07 0c 08 rance1.0...U.... 07f0: 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c 06 03 55 04 myplace1.0...U. 0800: 0a 0c 05 61 66 6e 69 63 31 0d 30 0b 06 03 55 04 ...example1.0...U. 0810: 0b 0c 04 6c 64 61 70 31 28 30 26 06 03 55 04 03 ...ldap1(0&..U.. 0820: 0c 1f 6c 64 61 70 32 2e 64 61 74 61 62 61 73 65 ..ldap2. 
0830: 2e 70 72 69 76 65 2e 74 68 33 2e 6e 69 63 2e 66 .th3.example.fr 0840: 72 31 26 30 24 06 09 2a 86 48 86 f7 0d 01 09 01 1&0$..*.H....... 0850: 16 17 4f 6c 69 76 69 65 72 2e 47 75 69 6c 6c 61 .Olivier.Guilla 0860: 72 64 40 6e 69 63 2e 66 72 0e 00 00 00 rd@example.fr.... tls_read: want=5 error=Resource temporarily unavailable daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1003 connection_read(15): checking for input on id=1003 tls_read: want=5, got=5 0000: 15 03 01 00 02 ..... tls_read: want=2, got=2 0000: 02 30 .0 TLS: error: accept - force handshake failure: errno 11 - moznss error -12195 TLS: can't accept: TLS error -12195:Unknown code ___P 93. connection_read(15): TLS accept failure error=-1 id=1003, closing connection_closing: readying conn=1003 sd=15 for close connection_close: conn=1003 sd=15 daemon: removing 15 conn=1003 fd=15 closed (TLS negotiation failure) daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero ^Cdaemon: shutdown requested and initiated. daemon: closing 7 connection_closing: readying conn=1000 sd=13 for close connection_close: conn=1000 sd=13 daemon: removing 13 conn=1000 fd=13 closed (slapd shutdown)
As far as I can see it doesn't look like
[root@ldap2 cacerts]# openssl s_server -accept 5555 -key /etc/openldap/cacerts/server.key -cert /etc/openldap/cacerts/server.crt -state
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMBBAIAOQQABDB88nXC0TcyHgrQcZ+51a/16Nw874VzV1cEEkOMwfSy
VCIJ8jOiylXmk2gHkAK7y6OhBgIETwRP56IEAgIBLKQGBAQBAAAAqwMEAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
[guillard@fouine ~]$ openssl s_client -CAfile /etc/openldap/cacerts/CA.crt -connect ldap2.th3.example.fr:5555
CONNECTED(00000003)
depth=1 C = fr, ST = france, L = myplace, O = example, OU = ldap, CN = ldap, emailAddress = olivier.guillard@example.fr
verify return:1
depth=0 C = fr, ST = france, L = myplace, O = example, OU = ldap, CN = ldap2.th3.example.fr, emailAddress = Olivier.Guillard@example.fr
verify return:1
Certificate chain
 0 s:/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap2.th3.example.fr/emailAddress=Olivier.Guillard@example.fr
   i:/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap/emailAddress=olivier.guillard@example.fr
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3zCCAccCCQCmHR8oY15qVzANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC
ZnIxDzANBgNVBAgMBmZyYW5jZTERMA8GA1UEBwwIbW9udGlnbnkxDjAMBgNVBAoM
BWFmbmljMQ0wCwYDVQQLDARsZGFwMQ0wCwYDVQQDDARsZGFwMSYwJAYJKoZIhvcN
AQkBFhdvbG24KJJD7GJVBIYTIVHTFJCGFDHGFXGRFCYTDFYTDjkxNTM5NThaFw0y
MTA3MjkxNTM5NThaMIGiMQswCQYDVQQGEwJmcjEPMA0GA1UECAwGZnJhbmNlMREw
DwYDVQQHDAhtb250aWdueTEOMAwGA1UECgwFYWZuaWMxDTALBgNVBAsMBGxkYXAx
KDAmBgNVBAMMH2xkYXAyLmRhdGFiYXNlLnByaXZlLnRoMy5uaWMuZnIxJjAkBgkq
hkiG9w0BCQEWFNBIHGJ4UTFHGXCYTDCYXDYCYTFCUGCUTTFUYFUJKoZIhvcNAQEB
BQADSwAwSAJBAL9yaMxUnRDTi8BKG1yQ1gN6QV4Fb43MLWExe5QPwvfBUYpP1VmJ
UXmHP/rDX68wjIf4yr67CyiM1Uo6c7Wp49kCAwEAATANBgkqhkiG9w0BAQUFAAOC
AQEAwDwqCtSvEyS1KivjzQ9X9oaZ4a6617KHTgKm1qN9n3uJA2GstkCek8qNOtSV
ekjimgEv7T0rw5ZBwFg5z1Ki2wh4hcSFFwjYEWJgjtC1YXH+g9WUnfJCHbVWvfpn
246NBVJHJHVJVJJKVJHVJHVJKHVJHVJHVJHVJHVJHVJHVJHVJHVJHVJHVJHVJHV79JR
7MzR/CFDWF4JQIu/yrv8T9HU6c+Aj7GvctD/wddS80vjhWnv6TZuTVQT0r07k63t
bjbMT+a5xQEehsiIqt6me8GZmj/FaZ6v4JRuulFb7Cosqgn/SicVlq2fsFzwxJw0
UzIDHNTi3biWiNJdssbhXjK6gQ==
-----END CERTIFICATE-----
subject=/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap2.th3.example.fr/emailAddress=Olivier.Guillard@example.fr
issuer=/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap/emailAddress=olivier.guillard@example.fr
No client certificate CA names sent
SSL handshake has read 1265 bytes and written 247 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DBCDE5CD6EB4D7FF8C38DD1557CA90EDBEDDCB27600CFA4D1FD9D58388A11EBE
    Session-ID-ctx:
    Master-Key: 7CF275C2D137321E0AD0719FB9D5AFF5E8DC3CEF857357570412438CC1F4B2542209F233A2CA55E69368079002BBCBA3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - c2 bb 20 23 85 0a cf b0-bc b2 6d cd 4b d2 32 0e   .. #......m.K.2.
    0010 - 6f 51 29 7f 3a 44 c3 95-76 c2 c6 23 e5 8d 98 3c   oQ).:D..v..#...<
    0020 - 7a b9 eb 6b 8e d1 c5 c4-57 74 26 34 4c db ec fe   z..k....Wt&4L...
    0030 - a9 3b 77 12 fb 74 67 fb-57 f1 8f 2a 71 d3 a6 ae   .;w..tg.W..*q...
    0040 - 17 48 9e bf 7d 94 1f c3-d4 02 6e 7f 27 07 f4 d6   .H..}.....n.'...
    0050 - 98 6f 24 6c f9 63 b7 4c-cd ce d8 85 e5 be 3e fd   .o$l.c.L......>.
    0060 - 65 a2 1b 36 cc 26 76 3b-d3 f6 cf e1 f9 a7 c3 c2   e..6.&v;........
    0070 - 2f fe 8f 3c 7c d1 0f 58-43 be d7 a5 64 69 04 91   /..<|..XC...di..
    0080 - cb 68 08 82 fe 8d 9d 4e-1b 0f 96 27 59 5e d8 76   .h.....N...'Y^.v
    0090 - be 44 01 6d 53 2e 9e 67-22 07 35 d1 6f a4 80 e1   .D.mS..g".5.o...
    Compression: 1 (zlib compression)
    Start Time: 1325682663
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
^C
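To read the two tls_read lines that end the handshake in the slapd log above, here is an added example (my own code, not from the thread or from OpenLDAP) that decodes the bytes the server logged: the client's opening "80 3a 01" and the "15 03 01 00 02" / "02 30" reads that ended the handshake. The byte strings are copied from the log; the lookup tables are the standard TLS record and alert values, so the decoder works on any alert record, not just this one.

```python
import struct

# Bytes as printed by the slapd tls_read lines in the thread, reassembled by hand:
# the first three bytes the client sent after STARTTLS, and the record that ended
# the handshake (a 5-byte record header followed by a 2-byte body).
CLIENT_HELLO_PREFIX = bytes.fromhex("80 3a 01")
ALERT_RECORD = bytes.fromhex("15 03 01 00 02" "02 30")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values (RFC 5246 section 7.2), the subset that matters for certificate problems
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}


def parse_record_header(data):
    """Decode the 5-byte TLS record header: type, version major/minor, body length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": ctype,
        "content_type_name": CONTENT_TYPES.get(ctype, "unknown"),
        "version": (major, minor),
        "version_name": VERSIONS.get((major, minor), "unknown"),
        "length": length,
    }


def classify_first_bytes(data):
    """Tell an SSLv2-compatible ClientHello apart from a TLS record.

    The 2-byte SSLv2 record header has the high bit set and a 15-bit length;
    the byte after it is the message type (1 = CLIENT-HELLO). That is the
    "80 3a 01" the server logged: a 58-byte SSLv2-format CLIENT-HELLO.
    """
    if len(data) >= 3 and data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        kind = "sslv2_compatible_hello" if data[2] == 1 else "sslv2_record"
        return {"kind": kind, "length": length, "msg_type": data[2]}
    return {"kind": "tls_record", **parse_record_header(data)}


def decode_alert(data):
    """Decode a complete alert record (header + 2-byte level/description body)."""
    hdr = parse_record_header(data)
    if hdr["content_type"] != 21:
        raise ValueError(f"not an alert record (content type {hdr['content_type']})")
    body = data[5:5 + hdr["length"]]
    if hdr["length"] != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    return {
        **hdr,
        "level": level, "level_name": ALERT_LEVELS.get(level, "unknown"),
        "description": desc, "description_name": ALERT_DESCRIPTIONS.get(desc, "unknown"),
    }


def explain(data):
    """One-line summary, e.g. 'TLS 1.0 fatal alert 48 (unknown_ca)'."""
    a = decode_alert(data)
    return f"{a['version_name']} {a['level_name']} alert {a['description']} ({a['description_name']})"


if __name__ == "__main__":
    print(classify_first_bytes(CLIENT_HELLO_PREFIX))
    print(explain(ALERT_RECORD))
```

explain(ALERT_RECORD) yields "TLS 1.0 fatal alert 48 (unknown_ca)": the record slapd read was sent by the ldapsearch client, so it is the client that refused the issuer of the server certificate, and the two NSS codes in the log are the two ends of the same event (the client's own verification failure, and the server reporting the alert it received).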
Hi Olivier.
OpenLDAP with NSS. What version? Is that Fedora?
----- Original Message -----
$ ldapsearch -ZZ -D uid=guillard,ou=staff,ou=people,dc=example,dc=fr -W uid=guillard -h ldap2.th3.example.fr
ldap_start_tls: Connect error (-11)
	additional info: TLS error -8172:Unknown code ___f 20
SEC_ERROR_UNTRUSTED_ISSUER (Peer's certificate issuer has been marked as not trusted by the user.)
olcTLSCACertificateFile /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile /etc/openldap/cacerts/server.key
olcTLSCipherSuite HIGH
TLS: error: accept - force handshake failure: errno 11 - moznss error -12195
TLS: can't accept: TLS error -12195:Unknown code ___P 93.
SSL_ERROR_UNKNOWN_CA_ALERT (Peer does not recognize and trust the CA that issued your certificate.)
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
"openssl x509 -in yourcert.pem -text" gives me:
unable to load certificate
139832255481664:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
139832255481664:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:
139832255481664:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_VAL
139832255481664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=validity, Type=X509_CINF
139832255481664:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=cert_info, Type=X509
139832255481664:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
openldap-technical@openldap.org
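The reply's openssl x509 check fails with "header too long" inside the validity field of the pasted certificate. The following added example (my own code, not from the thread or from OpenLDAP) is a minimal DER walker that reports the offset and path at which a PEM body stops being well-formed, plus the top-level Certificate shape check. The blobs it runs on are constructed skeletons with the Certificate ::= SEQUENCE {tbsCertificate, signatureAlgorithm, signatureValue} layout, not real signed certificates; the dates and the 8-byte signature filler are made up.

```python
import base64
import re


class DerError(Exception):
    """Raised at the first offset where the DER encoding stops making sense."""


def pem_to_der(pem_text):
    """Extract the first PEM block and base64-decode it strictly (no stray characters)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise DerError("no PEM block found")
    body = "".join(m.group(2).split())
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise DerError(f"base64 decode failed: {exc}") from exc


def read_tlv(buf, off):
    """Parse one DER tag/length header at off; return (tag, header_len, content_len)."""
    if off + 2 > len(buf):
        raise DerError(f"offset {off}: data ends inside a tag/length header")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise DerError(f"offset {off}: multi-byte tags are not expected in a certificate")
    if first < 0x80:                       # short form: length fits in 7 bits
        return tag, 2, first
    n = first & 0x7F                       # long form: n further length bytes follow
    if n == 0 or n > 4:
        # 0x80 is BER indefinite length (illegal in DER); more than 4 length bytes
        # is the shape OpenSSL reports as "header too long" in the thread.
        raise DerError(f"offset {off}: length header too long ({n} length bytes)")
    if off + 2 + n > len(buf):
        raise DerError(f"offset {off}: data ends inside the length field")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def walk(buf, off=0, end=None, path="", out=None):
    """Check every element fits inside its parent; collect (path, tag, offset, length)."""
    end = len(buf) if end is None else end
    out = [] if out is None else out
    idx = 0
    while off < end:
        tag, hlen, clen = read_tlv(buf, off)
        here = f"{path}/{idx}"
        if off + hlen + clen > end:
            raise DerError(f"{here} at offset {off}: tag 0x{tag:02x} length {clen} overruns its enclosing element")
        out.append((here, tag, off, clen))
        if tag & 0x20:                     # constructed type: descend into the contents
            walk(buf, off + hlen, off + hlen + clen, here, out)
        off += hlen + clen
        idx += 1
    return out


def check_certificate_pem(pem_text):
    """Return {'ok': True, ...} or {'ok': False, 'error': where it broke}."""
    try:
        der = pem_to_der(pem_text)
        elems = walk(der)
        tops = [e for e in elems if e[0].count("/") == 1]
        if len(tops) != 1 or tops[0][1] != 0x30:
            raise DerError("top level must be exactly one SEQUENCE (Certificate)")
        tags = [e[1] for e in elems if e[0].count("/") == 2]
        if tags != [0x30, 0x30, 0x03]:     # tbsCertificate, signatureAlgorithm, signatureValue
            raise DerError(f"Certificate fields must be SEQUENCE, SEQUENCE, BIT STRING; got {[hex(t) for t in tags]}")
        return {"ok": True, "der_length": len(der), "elements": len(elems)}
    except DerError as exc:
        return {"ok": False, "error": str(exc)}


def der_encode(tag, content):
    """Tiny DER encoder, used only to build the constructed sample blobs below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_to_pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed skeleton (not a real certificate): tbs holds an INTEGER and a validity pair.
_validity = der_encode(0x30, der_encode(0x17, b"120101000000Z") + der_encode(0x17, b"220101000000Z"))
_tbs = der_encode(0x30, der_encode(0x02, b"\x01") + _validity)
_sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010105")))  # sha1WithRSAEncryption
_sig = der_encode(0x03, b"\x00" + b"\xaa" * 8)
GOOD_DER = der_encode(0x30, _tbs + _sig_alg + _sig)
GOOD_PEM = der_to_pem(GOOD_DER)

# Corrupt one byte inside validity: the first UTCTime length 0x0d becomes 0x8d, a long-form
# header claiming 13 length bytes, which reproduces the "header too long" failure shape.
_bad = bytearray(GOOD_DER)
_bad[GOOD_DER.index(b"\x17\x0d") + 1] = 0x8D
BAD_PEM = der_to_pem(bytes(_bad))

# Drop the second base64 line, as a copy/paste truncation would.
_lines = GOOD_PEM.splitlines()
TRUNCATED_PEM = "\n".join(_lines[:2] + _lines[3:]) + "\n"

if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("corrupted", BAD_PEM), ("truncated", TRUNCATED_PEM)):
        print(name, check_certificate_pem(pem))
```

Pointing check_certificate_pem at the real file (open("/etc/openldap/cacerts/server.crt").read()) gives the same kind of answer the openssl x509 run in the reply gives, but with the byte offset and element path, which is what you need to see whether the PEM on disk matches what the CA actually issued.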