11:07 a.m.
Dear Tech list,
I'd like to use CRL's to regulate client connections to my slapd server.
So i've build working certs and keys with gnutls. The whole keysetup is tested and
working properly,
by invoking gnu-serv and gnu-cli i could succesfully create connections and drop clients
in my revocation list.
In order to use this in slapd/ldap utils i use this settings,
slapd.conf,
TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
TLSCRLFile /etc/ldap/ssl/crl.pem
TLSCipherSuite SECURE256:-VERS-SSL3.0
TLSVerifyClient hard
ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
TLS_REQCERT hard
Slapd debug,
55353d59 slapd starting
55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636)
TLS: can't accept: No certificate was found..
55353d5b conn=1000 fd=16 closed (TLS negotiation failure)
ldapsearch debug,
ldap_start_tls: Can't contact LDAP server (-1)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
0000: 30 05 02 01 02 42 00 0....B.
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed
As far as i can see and found info my client and servers TLS settings are configured
properly.
What i really don't get is that the client doesnt send his certs to the server.
Best regards,
E.therepa
12:39 p.m.
E.therepa wrote:
Dear Tech list,
I'd like to use CRL's to regulate client connections to my slapd server.
So i've build working certs and keys with gnutls. The whole keysetup is tested and
working properly,
by invoking gnu-serv and gnu-cli i could succesfully create connections and drop clients
in my revocation list.
In order to use this in slapd/ldap utils i use this settings,
slapd.conf,
TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
TLSCRLFile /etc/ldap/ssl/crl.pem
TLSCipherSuite SECURE256:-VERS-SSL3.0
TLSVerifyClient hard
ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
cert and key are invalid in a .conf file. Read the ldap.conf(5) manpage
more carefully.
TLS_REQCERT hard
As far as i can see and found info my client and servers TLS settings
are configured properly.
What i really don't get is that the client doesnt send his certs to the server.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:41 p.m.
On Mon, Apr 20, 2015 at 08:07:48PM +0200, E.therepa wrote:
ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
TLS_REQCERT hard
<snip>
As far as i can see and found info my client and servers TLS settings
are configured properly.
What i really don't get is that the client doesnt send his certs to the server.
We made some progress on this in IRC: as noted in ldap.conf(5), the
TLS_KEY option is only valid in a user ldaprc, not the system-wide
ldap.conf, so it was being ignored.
12:46 p.m.
On 04/20/15 20:07 +0200, E.therepa wrote:
Dear Tech list,
I'd like to use CRL's to regulate client connections to my slapd server.
So i've build working certs and keys with gnutls. The whole keysetup is tested and
working properly,
by invoking gnu-serv and gnu-cli i could succesfully create connections and drop clients
in my revocation list.
In order to use this in slapd/ldap utils i use this settings,
slapd.conf,
TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
TLSCRLFile /etc/ldap/ssl/crl.pem
TLSCipherSuite SECURE256:-VERS-SSL3.0
TLSVerifyClient hard
ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
This is a user only option. See ldap.conf(5).
TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
TLS_REQCERT hard
Slapd debug,
55353d59 slapd starting
55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636)
TLS: can't accept: No certificate was found..
55353d5b conn=1000 fd=16 closed (TLS negotiation failure)
ldapsearch debug,
ldap_start_tls: Can't contact LDAP server (-1)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
0000: 30 05 02 01 02 42 00 0....B.
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed
As far as i can see and found info my client and servers TLS settings are configured
properly.
What i really don't get is that the client doesnt send his certs to the server.
--
Dan White
4:18 p.m.
Alright, it's clear.
The section in Debian's ldap.conf has the following content,
TLSCertificateKeyFile <filename>
Specifies the file that contains the slapd server private key that
matches the certificate stored in the TLSCertificateFile file. Currently, the private key
must not be
protected with a password, so it is of critical importance that it is
protected carefully.
When using Mozilla NSS, TLSCertificateKeyFile specifies the name of a file
that contains the password for the key for the certificate specified with
TLSCertificateFile.
The modutil command can be used to turn off password protection for
the cert/key database. For example, if TLSCACertificatePath specifes /etc/openldap/certdb
as the
location of the cert/key database, use modutil to change the password to the
empty string:
modutil -dbdir /etc/openldap/certdb -changepw 'NSS Certificate
DB'
You must have the old password, if any. Ignore the WARNING about the
running browser. Press 'Enter' for the new password.
Reading this info i would not expect it is not valid in ldap.conf since it is not pointed
out here.
Nevertheless i could have read further.
Howard Chu,
If you allow me to ask you something about gnutls directly, do you still stand behind the
statement you made here,
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
i know it's out of date but you said 'the code is fundamentally broken'.
I'm not knowledged about the internals of gnutls but i am very cusious if you changed
your mind since then.
Best regards,
Etherape
On Mon, Apr 20, 2015 at 02:46:28PM -0500, Dan White wrote:
On 04/20/15 20:07 +0200, E.therepa wrote:
>Dear Tech list,
>
>I'd like to use CRL's to regulate client connections to my slapd server.
>So i've build working certs and keys with gnutls. The whole keysetup is tested
and working properly,
>by invoking gnu-serv and gnu-cli i could succesfully create connections and drop
clients in my revocation list.
>
>In order to use this in slapd/ldap utils i use this settings,
>
>slapd.conf,
>TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
>TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
>TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
>TLSCRLFile /etc/ldap/ssl/crl.pem
>TLSCipherSuite SECURE256:-VERS-SSL3.0
>TLSVerifyClient hard
>
>ldap.conf
># TLS certificates (needed for GnuTLS)
>TLS_CACERT /etc/ldap/ssl/ca-cert.pem
>TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt
This is a user only option. See ldap.conf(5).
>TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
>TLS_REQCERT hard
>
>Slapd debug,
>55353d59 slapd starting
>55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636)
>TLS: can't accept: No certificate was found..
>55353d5b conn=1000 fd=16 closed (TLS negotiation failure)
>
>ldapsearch debug,
>ldap_start_tls: Can't contact LDAP server (-1)
>ldap_free_connection 1 1
>ldap_send_unbind
>ber_flush2: 7 bytes to sd 4
> 0000: 30 05 02 01 02 42 00 0....B.
>ldap_write: want=7 error=Broken pipe
>ldap_free_connection: actually freed
>
>
>As far as i can see and found info my client and servers TLS settings are configured
properly.
>What i really don't get is that the client doesnt send his certs to the server.
--
Dan White
8:26 a.m.
--On Tuesday, April 21, 2015 2:18 AM +0200 Enterprise Spirit
<ldaptech+Etherape(a)kernelbug.org> wrote:
Howard Chu,
If you allow me to ask you something about gnutls directly, do you still
stand behind the statement you made here,
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
i know it's out of date but you said 'the code is fundamentally broken'.
I'm not knowledged about the internals of gnutls but i am very cusious if
you changed your mind since then.
It's funny you ask... There was a spirited debate with one of the GnuTLS
author's a while back about this, as they blogged that Howard was
incorrect. Howard pointed out on the blog
(<http://nmav.gnutls.org/2011/05/is-really-gnutls-considered-harmful.html>)
that he was in fact still correct, and gave examples. After which the
GnuTLS author deleted the entire conversation off of his blog, and locked
it down. That, to me, says worlds about how "safe" one can consider GnuTLS.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
8:44 a.m.
--On Tuesday, April 21, 2015 9:26 AM -0700 Quanah Gibson-Mount
<quanah(a)zimbra.com> wrote:
--On Tuesday, April 21, 2015 2:18 AM +0200 Enterprise Spirit
<ldaptech+Etherape(a)kernelbug.org> wrote:
> Howard Chu,
> If you allow me to ask you something about gnutls directly, do you still
> stand behind the statement you made here,
> http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
>
> i know it's out of date but you said 'the code is fundamentally broken'.
> I'm not knowledged about the internals of gnutls but i am very cusious if
> you changed your mind since then.
It's funny you ask... There was a spirited debate with one of the GnuTLS
author's a while back about this, as they blogged that Howard was
incorrect. Howard pointed out on the blog
(<http://nmav.gnutls.org/2011/05/is-really-gnutls-considered-harmful.html
>) that he was in fact still correct, and gave examples. After which the
GnuTLS author deleted the entire conversation off of his blog, and locked
it down. That, to me, says worlds about how "safe" one can consider
GnuTLS.
Ah, apparently I misremembered the location, see:
<https://plus.google.com/+HowardChu/posts/RGBXrLTh7oG>
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
2959
days inactive
2960
days old
openldap-technical@openldap.org
6 comments
6 participants
participants (6)
-
Dan White -
E.therepa -
Enterprise Spirit
-
Howard Chu -
Quanah Gibson-Mount -
Ryan Tandy