All
I am able to connect to my home-built OpenSSL installation (from Dec-19 sources) on CentOS-7 without the TLS bind.
I am now trying to use OpenTLS with OpenSSL, which is not currently working. From searching the internet I find this,
which indicates that maybe RH-based unixes have unique issues with OpenTLS/OpenLdap:
https://serverfault.com/questions/437546/centos-openldap-cert-trust-issues
My slapd.conf now holds (as differs from the default installed slapd.conf)
... snip...
############### TLS
# added per http://www.openldap.org/faq/data/cache/185.html
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSCipherSuite DES-CBC3-SHA
... snip...
And my ldap.conf holds:
... snip...
############### TLS
############### TLS
# added per http://www.openldap.org/faq/data/cache/185.html
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
### fails:
## TLS_CACERT /usr/local/etc/openldap/ cacert.pem
URI ldaps://localhost:636
############### TLS
... snip...
... Having added the 'cacert.pem' into the file "/etc/pki/tls/certs/ca-bundle.crt"
I get farther in the authentication than using "/usr/local/etc/openldap/ cacert.pem":
[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -Z -D "cn=Manager,dc=my-domain,dc=com" -d -1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
tls_write: want=289, written=289
0000: 16 03 01 01 1c 01 00 01 18 03 03 51 03 78 81 fc ...........Q.x..
0010: 66 89 9c 91 10 b6 e9 3d f1 12 66 27 c7 f5 80 e4 f......=..f'....
0020: fb f6 5f 9d f8 bb 37 3b 84 cb 17 00 00 ac c0 30 .._...7;.......0
0030: c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040: 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050: 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a .6.........2...*
0060: c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070: c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080: 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090: 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 .0.........E.D.C
00a0: 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0: 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 .<./...A........
00c0: 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 ................
00d0: c0 0c c0 02 00 05 00 04 00 ff 01 00 00 43 00 0b .............C..
00e0: 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 ................
00f0: 00 18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 .....#..... ....
0100: 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 ................
0110: 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 ................
0120: 01 .
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
TLS: can't connect: .
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Additionally:
I am reading the FAQ http://www.openldap.org/faq/data/cache/185.html to generate the certs
but am wondering if I am correctly understanding the instruction "Remember that the Common Name for this cert should be the fully qualified domain name of the server:"
If I run my ldap server as:
/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h 'ldaps://127.0.0.1:636 ldap://127.0.0.1:389' -d -1
Then would the 'common name' for use in the certificate be:
cn=localhost:636
Any assistance is greatly appreciated.
Thanks!
Ken Dunne
Try to connect to ldaps://localhost:636. CN must be localhost if that's what is configured in the certs, but... Are you sure that localhost should be the FQDN?
On Thu, 2 Jan 2020 at 17:39, Dunne, Kenneth kenneth.dunne@siemens.com wrote:
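Ken's question about whether the Common Name should be cn=localhost:636 comes down to what the client compares: the host part of the URI it connected to, with scheme and port stripped, against the names in the server certificate. The Python below is an added illustration for this thread, not OpenLDAP's own hostname check, implementing that comparison rule: exact or single-label-wildcard matching on dNSName SANs, fallback to the CN only when the certificate has no dNSName SAN at all, and IP literals matched only against iPAddress SANs. The certificates are constructed dictionaries in the shape ssl.getpeercert() returns, using the names from the thread; nothing here reads real PEM files or opens a socket.

```python
"""Which certificate names cover an LDAP URI? (added illustration, not libldap code)"""
import ipaddress
from urllib.parse import urlsplit


def host_from_uri(uri):
    """The name a client checks is the URI host only: scheme and port never take part."""
    host = urlsplit(uri).hostname          # 'ldaps://localhost:636' -> 'localhost'
    if not host:
        raise ValueError(f"no host in {uri!r}")
    return host


def _dns_match(pattern, host):
    """Case-insensitive exact match, or one leftmost wildcard label (RFC 6125 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        # '*.my-domain.com' covers 'a.my-domain.com' but not 'my-domain.com' or 'a.b.my-domain.com'
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_matches_host(cert, host):
    """True if host is covered by the SAN entries, or by the CN when no dNSName SAN exists."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:                       # an IP literal only ever matches an iPAddress SAN
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:                            # once dNSName SANs exist, the CN is ignored
        return any(_dns_match(p, host) for p in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)


# Constructed sample certificates (shape of ssl.getpeercert(); not the thread's real PEM files).
CERT_CN_WITH_PORT = {"subject": ((("commonName", "localhost:636"),),)}
CERT_CN_FQDN = {"subject": ((("commonName", "server.my-domain.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "server.my-domain.com"),),),
    "subjectAltName": (("DNS", "server.my-domain.com"), ("DNS", "localhost"),
                       ("IP Address", "127.0.0.1")),
}


def check(uri, cert):
    """Convenience wrapper: does this certificate cover the host in this URI?"""
    return cert_matches_host(cert, host_from_uri(uri))


if __name__ == "__main__":
    for uri in ("ldaps://localhost:636", "ldaps://server.my-domain.com:636", "ldaps://127.0.0.1:636"):
        for label, cert in (("CN=localhost:636", CERT_CN_WITH_PORT),
                            ("CN=fqdn only", CERT_CN_FQDN), ("SAN cert", CERT_WITH_SAN)):
            print(f"{uri:36} {label:18} {'ok' if check(uri, cert) else 'MISMATCH'}")
```

A CN of localhost:636 never matches anything, because the port is not part of the name. A certificate whose only name is server.my-domain.com matches ldaps://server.my-domain.com:636 but neither ldaps://localhost:636 nor ldaps://127.0.0.1:636; covering all three takes dNSName SANs for both names plus an iPAddress SAN for the loopback address. With libldap's default TLS_REQCERT demand, a name mismatch aborts the handshake on the client side.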
On 1/2/20 8:36 AM, Dunne, Kenneth wrote:
All
I am able to connect to my home-built OpenSSL installation (from Dec-19 sources) on CentOS-7 without the TLS bind
[...]
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=0
Hey Ken, is port 636 open on the host-based firewall if it's running? any other firewalls blocking 636?
CP
Thanks for the suggestions everyone. I've corrected an issue with the generation of the self-signed CA: I was using the wrong 'cert'. For OpenSSL this gets put into: /etc/pki/CA/cacert.pem
I have used the "Common Name" in the cert-generation as: server.my-domain.com
I have it in /etc/hosts as: 127.0.0.1 server.my-domain.com
I am using 'localhost' first in this investigation-stage, and it will be used for our unit-tests.
The port 636 does not appear to be firewalled.
I get a little farther now with these changes, 8 bytes are sent/received: see below
TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.
---------------------------------------------------- ldap server
/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -h ldaps://server.my-domain.com:636 -d -1
.
.
5e0f6aa1 daemon: activity on:
5e0f6aa1 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 slap_listener_activate(7):
5e0f6b65 daemon: epoll: listen=7 busy
5e0f6b65 >>> slap_listener(ldaps://server.my-domain.com:636)
5e0f6b65 daemon: accept() = 11
5e0f6b65 daemon: listen=7, new connection on 11
5e0f6b65 daemon: added 11r (active) listener=(nil)
5e0f6b65 conn=1001 fd=11 ACCEPT from IP=127.0.0.1:51880 (IP=127.0.0.1:636)
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on: 11r
5e0f6b65 daemon: read active on 11
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0f6b65 connection_get(11)
5e0f6b65 connection_get(11): got connid=1001
5e0f6b65 connection_read(11): checking for input on id=1001
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 16 03 01 01 1c 01 00 01 18 03 03 ...........
tls_read: want=278, got=278
0000: c7 eb 10 c3 5a af 18 e7 9b 3b ad 08 e6 cc b2 7d ....Z....;.....}
0010: ee a7 7d 0f c4 fe 01 49 8a 5b d3 94 c5 25 08 1d ..}....I.[...%..
0020: 00 00 ac c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 ....0.,.(.$.....
0030: a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 ........k.j.i.h.
0040: 39 00 38 00 37 00 36 00 88 00 87 00 86 00 85 c0 9.8.7.6.........
0050: 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 2...*.&.......=.
0060: 35 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00 5.../.+.'.#.....
0070: a4 00 a2 00 a0 00 9e 00 67 00 40 00 3f 00 3e 00 ........g.@.?.>.
0080: 33 00 32 00 31 00 30 00 9a 00 99 00 98 00 97 00 3.2.1.0.........
0090: 45 00 44 00 43 00 42 c0 31 c0 2d c0 29 c0 25 c0 E.D.C.B.1.-.).%.
00a0: 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 12 c0 ......<./...A...
00b0: 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00 0a 00 ................
00c0: 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 ................
00d0: 00 00 43 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 ..C.............
00e0: 08 00 17 00 19 00 18 00 16 00 23 00 00 00 0d 00 ..........#.....
00f0: 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 ...............
0100: 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 ................
0110: 03 00 0f 00 01 01 ......
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher.
5e0f6b65 connection_read(11): TLS accept failure error=-1 id=1001, closing
5e0f6b65 connection_closing: readying conn=1001 sd=11 for close
5e0f6b65 connection_close: conn=1001 sd=11
5e0f6b65 daemon: removing 11
5e0f6b65 conn=1001 fd=11 closed (TLS negotiation failure)
5e0f6b65 daemon: activity on 1 descriptor
5e0f6b65 daemon: activity on:
5e0f6b65 daemon: epoll: listen=7 active_threads=0 tvp=NULL
^C5e0f6e38 daemon: shutdown requested and initiated.
5e0f6e38 daemon: removing 7r
5e0f6e38 daemon: closing 7
5e0f6e38 slapd shutdown: waiting for 0 operations/tasks to finish
5e0f6e38 slapd shutdown: initiated
5e0f6e38 slapd destroy: freeing system resources.
5e0f6e38 slapd stopped.
---------------------------------------------------- client
[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts -H ldaps://server.my-domain.com:636 -d -1
ldap_url_parse_ext(ldaps://server.my-domain.com:636)
ldap_create
ldap_url_parse_ext(ldaps://server.my-domain.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server.my-domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
tls_write: want=289, written=289
0000: 16 03 01 01 1c 01 00 01 18 03 03 8b 5c ad c3 76 ..............v
0010: a2 eb 75 4f df e3 f3 7b 5c 55 73 5e 2c 43 62 de ..uO...{\Us^,Cb.
0020: 98 5f 5d b8 3b c0 82 32 46 86 cd 00 00 ac c0 30 ._].;..2F......0
0030: c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 .,.(.$..........
0040: 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 ...k.j.i.h.9.8.7
0050: 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a .6.........2...*
0060: c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f .&.......=.5.../
0070: c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 .+.'.#..........
0080: 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 ...g.@.?.>.3.2.1
0090: 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 .0.........E.D.C
00a0: 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c .B.1.-.).%......
00b0: 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 .<./...A........
00c0: 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 ................
00d0: c0 0c c0 02 00 05 00 04 00 ff 01 00 00 43 00 0b .............C..
00e0: 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 ................
00f0: 00 18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 .....#..... ....
0100: 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 ................
0110: 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 ................
0120: 01 .
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I've built and installed the openssl 1.1.1c, thinking my issues are an incompatibility between the version of openldap and the original openssl v1.0.2f installed on my Centos 7.
I get one step farther now, from the client's debug output, but still fail at "tls_post_process_client_hello:no shared cipher."
Does anyone know why there is no shared cipher, when both server and client run on the same machine, and use the same libssl?? Is there a config option I'm not aware of?
Server---------------------------------------------------------
5e0fb9f5 daemon: activity on 1 descriptor
5e0fb9f5 daemon: activity on:
5e0fb9f5 slap_listener_activate(7):
5e0fb9f5 daemon: epoll: listen=7 busy
5e0fb9f5 >>> slap_listener(ldaps://server.my-domain.com:636)
5e0fb9f5 daemon: accept() = 11
5e0fb9f5 daemon: listen=7, new connection on 11
5e0fb9f5 daemon: added 11r (active) listener=(nil)
5e0fb9f5 conn=1000 fd=11 ACCEPT from IP=127.0.0.1:52044 (IP=127.0.0.1:636)
5e0fb9f5 daemon: activity on 1 descriptor
5e0fb9f5 daemon: activity on:
5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0fb9f5 daemon: activity on 1 descriptor
5e0fb9f5 daemon: activity on: 11r
5e0fb9f5 daemon: read active on 11
5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5e0fb9f5 connection_get(11)
5e0fb9f5 connection_get(11): got connid=1000
5e0fb9f5 connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before SSL initialization
tls_read: want=5, got=5
0000: 16 03 01 01 20 ....
tls_read: want=288, got=288
0000: 01 00 01 1c 03 03 c5 6e 9e 33 03 28 e6 22 df 0f .......n.3.(."..
0010: ca 0d ca ec 17 54 b1 dd 8b 35 b0 55 ca d2 23 ca .....T...5.U..#.
0020: 07 f1 c2 69 3b ca 20 7d 07 1c 28 37 b5 b4 69 7b ...i;. }..(7..i{
0030: 16 ad 62 dd 8e 97 6e 78 3a 9f c7 69 13 bd c7 fe ..b...nx:..i....
0040: bb 0f 4a f4 92 78 21 00 3e 13 02 13 03 13 01 c0 ..J..x!.>.......
0050: 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 ,.0.........+./.
0060: 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 ..$.(.k.#.'.g...
0070: 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 ..9.....3.....=.
0080: 3c 00 35 00 2f 00 ff 01 00 00 95 00 0b 00 04 03 <.5./...........
0090: 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 ................
00a0: 19 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00 ....#...........
00b0: 0d 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 ..0.............
00c0: 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 ................
00d0: 01 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 ................
00e0: 02 06 02 00 2b 00 09 08 03 04 03 03 03 02 03 01 ....+...........
00f0: 00 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 .-.....3.&.$...
0100: 84 ce 50 d7 96 90 49 13 4b dd b0 71 51 52 51 c6 ..P...I.K..qQRQ.
0110: 21 6e 87 46 7f 33 f6 b4 fd f8 03 84 a1 96 c7 77 !n.F.3.........w
TLS trace: SSL_accept:before SSL initialization
tls_write: want=7, written=7
0000: 15 03 03 00 02 02 28 ......(
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in error
TLS: can't accept: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher.
5e0fb9f5 connection_read(11): TLS accept failure error=-1 id=1000, closing
5e0fb9f5 connection_closing: readying conn=1000 sd=11 for close
5e0fb9f5 connection_close: conn=1000 sd=11
5e0fb9f5 daemon: removing 11
5e0fb9f5 conn=1000 fd=11 closed (TLS negotiation failure)
5e0fb9f5 daemon: activity on 1 descriptor
5e0fb9f5 daemon: activity on:
5e0fb9f5 daemon: epoll: listen=7 active_threads=0 tvp=NULL
Client----------------------------------------------------------
[root@kdunne-dev openldap]# /usr/local/bin/ldapsearch -x -ZZ -d -1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server.my-domain.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
tls_write: want=293, written=293
0000: 16 03 01 01 20 01 00 01 1c 03 03 c5 6e 9e 33 03 .... .......n.3.
0010: 28 e6 22 df 0f ca 0d ca ec 17 54 b1 dd 8b 35 b0 (.".......T...5.
0020: 55 ca d2 23 ca 07 f1 c2 69 3b ca 20 7d 07 1c 28 U..#....i;. }..(
0030: 37 b5 b4 69 7b 16 ad 62 dd 8e 97 6e 78 3a 9f c7 7..i{..b...nx:..
0040: 69 13 bd c7 fe bb 0f 4a f4 92 78 21 00 3e 13 02 i......J..x!.>..
0050: 13 03 13 01 c0 2c c0 30 00 9f cc a9 cc a8 cc aa .....,.0........
0060: c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.'
0070: 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080: 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00 95 ...=.<.5./......
0090: 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d ................
00a0: 00 17 00 1e 00 19 00 18 00 23 00 00 00 16 00 00 .........#......
00b0: 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 .......0........
00c0: 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 ................
00d0: 04 01 05 01 06 01 03 03 02 03 03 01 02 01 03 02 ................
00e0: 02 02 04 02 05 02 06 02 00 2b 00 09 08 03 04 03 .........+......
00f0: 03 03 02 03 01 00 2d 00 02 01 01 00 33 00 26 00 ......-.....3.&.
0100: 24 00 1d 00 20 84 ce 50 d7 96 90 49 13 4b dd b0 $... ..P...I.K..
0110: 71 51 52 51 c6 21 6e 87 46 7f 33 f6 b4 fd f8 03 qQRQ.!n.F.3.....
0120: 84 a1 96 c7 77 ....w
TLS trace: SSL_connect:SSLv3/TLS write client hello
tls_read: want=5, got=5
0000: 15 03 03 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure.
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Thanks in advance for considering my problem!
Ken
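Both of Ken's server traces end the same way: slapd writes the 7-byte record 15 03 03 00 02 02 28 and logs "no shared cipher". The Python below is an added illustration for this thread, not OpenLDAP or OpenSSL code. It rebuilds the 293-byte ClientHello from the hex dump in the OpenSSL 1.1.1c client trace above, walks the handshake structure to the cipher_suites vector, compares what the client offered with the server's TLSCipherSuite DES-CBC3-SHA from the slapd.conf earlier in the thread (suite id 0x000a), and decodes the alert record. Walking the structure matters: a grep for "00 0a" in this dump does find a hit, but it is the supported_groups extension type, not a cipher suite. The suite and alert name tables are a hand-picked subset of the IANA registry, and SERVER_TLSCIPHERSUITE is my rendering of that one-suite configuration.

```python
"""Parse a ClientHello from an OpenLDAP "-d -1" hex dump and check it against
the server's TLSCipherSuite. Added illustration; the dump is the 1.1.1c
ldapsearch trace from the thread, the name tables are a subset of the IANA registry."""
import re

CLIENT_HELLO_DUMP = """\
0000: 16 03 01 01 20 01 00 01 1c 03 03 c5 6e 9e 33 03 .... .......n.3.
0010: 28 e6 22 df 0f ca 0d ca ec 17 54 b1 dd 8b 35 b0 (.".......T...5.
0020: 55 ca d2 23 ca 07 f1 c2 69 3b ca 20 7d 07 1c 28 U..#....i;. }..(
0030: 37 b5 b4 69 7b 16 ad 62 dd 8e 97 6e 78 3a 9f c7 7..i{..b...nx:..
0040: 69 13 bd c7 fe bb 0f 4a f4 92 78 21 00 3e 13 02 i......J..x!.>..
0050: 13 03 13 01 c0 2c c0 30 00 9f cc a9 cc a8 cc aa .....,.0........
0060: c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0 27 .+./...$.(.k.#.'
0070: 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00 9d .g.....9.....3..
0080: 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00 95 ...=.<.5./......
0090: 00 0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d ................
00a0: 00 17 00 1e 00 19 00 18 00 23 00 00 00 16 00 00 .........#......
00b0: 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 .......0........
00c0: 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 ................
00d0: 04 01 05 01 06 01 03 03 02 03 03 01 02 01 03 02 ................
00e0: 02 02 04 02 05 02 06 02 00 2b 00 09 08 03 04 03 .........+......
00f0: 03 03 02 03 01 00 2d 00 02 01 01 00 33 00 26 00 ......-.....3.&.
0100: 24 00 1d 00 20 84 ce 50 d7 96 90 49 13 4b dd b0 $... ..P...I.K..
0110: 71 51 52 51 c6 21 6e 87 46 7f 33 f6 b4 fd f8 03 qQRQ.!n.F.3.....
0120: 84 a1 96 c7 77 ....w
"""

# slapd.conf earlier in the thread: "TLSCipherSuite DES-CBC3-SHA", i.e. suite 0x000a only
SERVER_TLSCIPHERSUITE = {0x000A}

SUITE_NAMES = {  # subset of the IANA registry, OpenSSL names where they exist
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384", 0x002F: "AES128-SHA", 0x0035: "AES256-SHA",
    0x000A: "DES-CBC3-SHA", 0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security"}

_HEX_ROW = re.compile(r"^[0-9a-f]{4}: ((?:[0-9a-f]{2} ){1,16})")


def bytes_from_dump(dump):
    """Rebuild raw bytes from 'offset: xx xx ... ascii' rows; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_ROW.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def parse_client_hello(rec):
    """Return legacy version, offered cipher suites and extension types of a ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(rec[6:9], "big")
    body = rec[9:9 + hs_len]
    pos = 2 + 32                                      # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len           # legacy_session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len         # compression methods
    ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ext_types, end = [], pos + ext_len
    while pos < end:                                  # each extension: type(2) length(2) data
        ext_types.append(int.from_bytes(body[pos:pos + 2], "big"))
        pos += 4 + int.from_bytes(body[pos + 2:pos + 4], "big")
    return {"version": body[0:2].hex(), "suites": suites, "extensions": ext_types}


def shared_suites(offered, server_allowed):
    """Suites both sides accept, in the client's preference order."""
    return [s for s in offered if s in server_allowed]


def decode_alert(rec):
    """Decode a 7-byte TLS alert record such as 15 03 03 00 02 02 28."""
    if rec[0] != 0x15 or int.from_bytes(rec[3:5], "big") != 2:
        raise ValueError("not a TLS alert record")
    return ALERT_LEVELS.get(rec[5], str(rec[5])), ALERT_DESCRIPTIONS.get(rec[6], str(rec[6]))


if __name__ == "__main__":
    hello = parse_client_hello(bytes_from_dump(CLIENT_HELLO_DUMP))
    for s in hello["suites"]:
        print(f"offered 0x{s:04x} {SUITE_NAMES.get(s, '')}")
    print("shared with server:", shared_suites(hello["suites"], SERVER_TLSCIPHERSUITE) or "none")
    print("server alert:", decode_alert(bytes.fromhex("15030300020228")))
```

Run as a script it lists the 31 suites the 1.1.1c client offered (the three TLS 1.3 suites first, then ECDHE and plain RSA AES suites) and an empty intersection with the server, which is exactly the condition behind tls_post_process_client_hello:no shared cipher. The earlier 1.0.2f client hello in the thread does contain 0x000a, so there the alert has a different cause: OpenSSL also reports no shared cipher when no suite in the intersection can be used with the certificate and key the server actually loaded, which is why checking that pair (and testing with openssl s_client, as Quanah suggests below) is the next step. DES-CBC3-SHA is a 112-bit legacy suite, so the durable fix is to widen the server's TLSCipherSuite to modern AES-GCM or ChaCha20 suites rather than to re-enable 3DES on the client.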
--On Friday, January 3, 2020 10:10 PM +0000 "Dunne, Kenneth" kenneth.dunne@siemens.com wrote:
I've built and installed the openssl 1.1.1c thinking my issues are incompatibility between the version of openldap and original openssl v1.0.2f installed on my Centos 7
Rather than using ldapsearch as the client, I would suggest you use the openssl s_client command first.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org