(I mistakenly posted this at openldap-its earlier. apologies if anyone saw it there)
Hello,
We have an LDAP server running with TLS enabled and have verified we can connect to it from openssl s_client. This works:
$ openssl s_client -connect ldap.foo.com:636 -cert client_tls_cert.pem -key client_tls_key.pem -state -nbio -CAfile ca_chain.pem -showcerts
But ldapsearch throws an error:
$ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
We followed the instructions given at https://www.openldap.org/doc/admin24/tls.html#Client%20Configuration. We edited /etc/openldap/ldap.conf like so:
TLS_REQCERT demand
TLS_CACERT ca_chain.pem
TLS_CACERTDIR /path/to/ca/cert
TLS_CERT client_tls_cert.pem
TLS_KEY client_tls_key.pem
The ca_chain.pem file is placed under /path/to/ca/cert. We are running ldapsearch on a Mac. Can anyone help us?
Sid
PS: we do see the following on the server:
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:before SSL initialization
TLS trace: SSL_accept:SSLv3/TLS read client hello
TLS trace: SSL_accept:SSLv3/TLS write server hello
TLS trace: SSL_accept:SSLv3/TLS write certificate
TLS trace: SSL_accept:SSLv3/TLS write key exchange
TLS trace: SSL_accept:SSLv3/TLS write certificate request
TLS trace: SSL_accept:SSLv3/TLS write server done
--On Saturday, October 3, 2020 12:36 AM +0000 Siddharth Jain siddjain@live.com wrote:
But ldapsearch throws an error:
$ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ
This is not valid.
Either you:
(a) use ldap:// with -ZZ (startTLS)
OR
(b) use ldaps://
Both will result in a TLS secured connection if successful
But you absolutely CANNOT combine startTLS + ldaps://
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah Gibson-Mount wrote:
--On Saturday, October 3, 2020 12:36 AM +0000 Siddharth Jain siddjain@live.com wrote:
But ldapsearch throws an error:
$ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ
This is not valid.
Either you:
(a) use ldap:// with -ZZ (startTLS)
OR
(b) use ldaps://
Both will result in a TLS secured connection if successful
But you absolutely CANNOT combine startTLS + ldaps://
Also, TLS_CERT/TLS_KEY are user-only directives. Re-read the ldap.conf(5) manpage.
Is it necessary to specify both TLS_CACERT and TLS_CACERTDIR?
Or can the full path to the CA cert be specified in TLS_CACERT? What does this mean?
16.2.2.1. TLS_CACERT <filename>
This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section (https://www.openldap.org/doc/admin24/tls.html#TLS%20Configuration), a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.
16.2.2.2. TLS_CACERTDIR <path>
This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well. If using Mozilla NSS, <path> may contain a cert/key database.
From: Howard Chu hyc@symas.com
Sent: Friday, October 2, 2020 10:27 PM
To: Siddharth Jain siddjain@live.com; openldap-technical@openldap.org
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
--On Monday, October 5, 2020 1:58 AM +0000 Siddharth Jain siddjain@live.com wrote:
is it necessary to specify both
TLS_CACERT and
TLS_CACERTDIR ?
You use one or the other. The TLS_CACERT only takes a specific file. The TLS_CACERTDIR allows the usage of a directory of multiple CA files.
16.2.2.1. TLS_CACERT <filename>
This is equivalent to the server's TLSCACertificateFile option. As noted in the TLS Configuration section, a client typically may need to know about more CAs than a server, but otherwise the same considerations apply.
16.2.2.2. TLS_CACERTDIR <path>
This is equivalent to the server's TLSCACertificatePath option. The specified directory must be managed with the OpenSSL c_rehash utility as well. If using Mozilla NSS, <path> may contain a cert/key database.
The ldap.conf file uses one set of configuration parameter names, the slapd configuration uses a different set of configuration parameter names.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
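An added example, not code from the thread or from OpenLDAP: a small POSIX-shell linter for the points made in the two replies above (TLS_CACERT or TLS_CACERTDIR, not both; the directory must be c_rehash'ed; ldaps:// must never be combined with -ZZ) and for Howard's note that TLS_CERT/TLS_KEY are user-only directives. The function names, the "system"/"user" scope argument and the sample configs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenLDAP): lint a client
# ldap.conf for the mistakes discussed above and check a ldapsearch command
# line for the ldaps:// + -ZZ mix-up. Assumes POSIX sh, awk and grep.

# conf_value FILE DIRECTIVE -> prints the directive's value (last one wins)
conf_value() {
    awk -v k="$2" 'toupper($1) == k { v = $2 } END { print v }' "$1"
}

# ldap_conf_lint FILE [system|user]
# Prints one finding per line; returns 0 when the file is clean. The scope
# defaults to "system" for files under /etc and to "user" (~/.ldaprc) otherwise.
ldap_conf_lint() {
    conf=$1 scope=$2 rc=0
    if [ -z "$scope" ]; then case $conf in /etc/*) scope=system ;; *) scope=user ;; esac; fi
    cacert=$(conf_value "$conf" TLS_CACERT)
    cacertdir=$(conf_value "$conf" TLS_CACERTDIR)
    if [ -n "$cacert" ] && [ -n "$cacertdir" ]; then
        echo "TLS_CACERT and TLS_CACERTDIR are both set; use one or the other"; rc=1
    fi
    for d in TLS_CACERT TLS_CACERTDIR TLS_CERT TLS_KEY; do
        v=$(conf_value "$conf" "$d")
        case $v in
            "") ;;
            /*) [ -e "$v" ] || { echo "$d: $v does not exist"; rc=1; } ;;
            *)  echo "$d: '$v' is relative and resolves against the current directory; use an absolute path"; rc=1 ;;
        esac
    done
    # c_rehash names CA links <8 hex digits>.<n>; a bare PEM file in the directory is never consulted
    if [ -d "$cacertdir" ] && ! ls "$cacertdir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        echo "TLS_CACERTDIR $cacertdir has no hashed links; run c_rehash on it"; rc=1
    fi
    # TLS_CERT/TLS_KEY are user-only directives (ldap.conf(5)); they are ignored in the system file
    if [ "$scope" = system ] && [ -n "$(conf_value "$conf" TLS_CERT)$(conf_value "$conf" TLS_KEY)" ]; then
        echo "TLS_CERT/TLS_KEY are user-only directives; put them in ~/.ldaprc"; rc=1
    fi
    return $rc
}

# ldapsearch_args_lint ARGS... -> returns 1 when an ldaps:// URI is combined
# with -Z/-ZZ (StartTLS); either one alone gives a TLS-protected connection
ldapsearch_args_lint() {
    uri= starttls=0
    for a in "$@"; do
        case $a in
            -Z|-ZZ)                     starttls=1 ;;
            ldap://*|ldaps://*|-Hldap*) uri=${a#-H} ;;
        esac
    done
    case $uri in ldaps://*) [ "$starttls" -eq 0 ] || {
        echo "StartTLS (-ZZ) cannot be used on an ldaps:// URI; drop -ZZ or use ldap://"; return 1; } ;;
    esac
    return 0
}
```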
Not able to get it to work. Things we have tried:
* removed the -ZZ option
* set TLS_CACERT to the complete path and removed TLS_CACERTDIR from ldap.conf
* also set the above as an environment variable
* also tried some permutations, like CACERT equal to just the filename whereas CACERTDIR equals the directory containing the file
but the result is the same.
ldap_url_parse_ext(ldaps://ldap.foo.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.foo.com:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.67.242.198:636
ldap_pvt_connect: fd: 5 tm: -1 async: 0
tlsst_thr_init()
tlsst_init()
tlsst_ctx_new() = 0x7fb530006f60
tlsst_ctx_init(0x7fb530006f60)
tlsst_ciphers_get((null), TLS_CIPHER_SUITE)
tlsst_session_new(0x7fb530006f60)
tlsst_ciphers_set(76, TLS_CIPHER_SUITE)
tlsst_ctx_ref(0x7fb530006f60)
tlsst_session_new(0x7fb530006f60) = 0x7fb530008ef0
tlsst_sb_setup(0x7fb530008ef0)
tlsst_ctx_ref(0x7fb530006f60)
tlsst_session_connect(0x7fb530008ef0)
tlsst_session_handshake()
tlsst_socket_write(0x7fb530008548, 145)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 93)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 778)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 147)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 270)
tlsst_socket_read(0x7fb530804800, 5)
tlsst_socket_read(0x7fb530804805, 4)
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
and openssl s_client does work.
From: Quanah Gibson-Mount quanah@symas.com
Sent: Monday, October 5, 2020 10:24 AM
To: Siddharth Jain siddjain@live.com; openldap-technical@openldap.org
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
--On Monday, October 5, 2020 6:48 PM +0000 Siddharth Jain siddjain@live.com wrote:
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841) TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
This message comes from Apple's TLS library. This would indicate that you're using a hacked version of OpenLDAP. We cannot offer support for a hacked version of OpenLDAP. You will need to ask Apple for help on how to correctly configure TLS within their environment.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
We have made some progress. On a Linux machine we don't get that error but get another error instead:
TLS certificate verification: Error, self signed certificate in certificate chain
It looks like it complains about a self-signed certificate, but that certificate is that of the root CA and by definition that will be self-signed.
ldap_url_parse_ext(ldaps://ldap.foo.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.foo.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.67.242.198:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: certfile = `/home/client/client_tls_cert.pem'
tlsmc_intercept_initialization: INFO: keyfile = `/home/client/client_tls_key.pem'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cert.pem'
tlsmc_intercept_initialization: INFO: keyfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/key.pem'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse, issuer: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
From: Quanah Gibson-Mount quanah@symas.com
Sent: Monday, October 5, 2020 11:10 AM
To: Siddharth Jain siddjain@live.com; openldap-technical@openldap.org
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
Siddharth Jain siddjain@live.com wrote on 05.10.2020 at 21:02 in message MWHPR08MB24009B17ED73C713BBA2180CB50C0@MWHPR08MB2400.namprd08.prod.outlook.com:
We have made some progress. On a Linux machine we don't get that error but get another error instead:
TLS certificate verification: Error, self signed certificate in certificate chain
It looks like it complains about a self-signed certificate, but that certificate is that of the root CA and by definition that will be self-signed.
Right, but it could be that you have to explicitly trust such certificates. In recent SLES there exists a "trust anchor ..." command to add CA certificates to the system. The "Mickey Mouse" CA most likely isn't standard...
On 10/5/20 8:10 PM, Quanah Gibson-Mount wrote:
--On Monday, October 5, 2020 6:48 PM +0000 Siddharth Jain siddjain@live.com wrote:
TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841) TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
This message comes from Apple's TLS library. This would indicate that you're using a hacked version of OpenLDAP. We cannot offer support for a hacked version of OpenLDAP. You will need to ask Apple for help on how to correctly configure TLS within their environment.
To add to that:
AFAIK the patched libldap in MacOS simply uses the system-wide trust store and nothing else.
Furthermore using ldap_set_option() to set trusted CA certs file or directory leads to errors. This results in weird work-arounds like this:
https://gitlab.com/ae-dir/python-ldap0/-/blob/master/ldap0/ldapobject.py#L25...
Ciao, Michael.