Hi Everyone,
I'm trying to set up a new OpenLDAP service utilising TLS. At the moment, it all appears to work fine without TLS, but unfortunately it always fails with it.
The service is running on neptune.mps.lan (with a CNAME for ldap), and my client desktop box is called blacktip. The server is Ubuntu 10.04 LTS server, and the desktop is also Ubuntu 10.04; both with latest updates.
I have created a self-signed CA and, after setting up the server keys, I have installed this onto the client. I then added the following line to the client /etc/ldap.conf:

TLS_CACERT /etc/ssl/certs/slapd-ca-cert.pem
This is the command I am running to test the connection:

root@blacktip:~# ldapsearch -d 16383 -x -h ldap.mps.lan -ZZ -b dc=mps,dc=lan
ldap_create
ldap_url_parse_ext(ldap://ldap.mps.lan)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.mps.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.203:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x7f1965937630 ptr=0x7f1965937630 end=0x7f196593764f len=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ber_scanf fmt ({) ber:
ber_dump: buf=0x7f1965937630 ptr=0x7f1965937635 end=0x7f196593764f len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
ber_flush2: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0x7f196592f3a0 msgid 1
wait4msg ld 0x7f196592f3a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f196592f3a0 msgid 1 all 1
** ld 0x7f196592f3a0 Connections:
* host: ldap.mps.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Aug 2 16:48:35 2010

** ld 0x7f196592f3a0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f196592f3a0 request count 1 (abandoned 0)
** ld 0x7f196592f3a0 Response Queue:
   Empty
  ld 0x7f196592f3a0 response count 0
ldap_chkResponseList ld 0x7f196592f3a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f196592f3a0 NULL
ldap_int_select
read1msg: ld 0x7f196592f3a0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 78 07 0a                            0....x..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e50 end=0x7f1965938e5c len=12
  0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
read1msg: ld 0x7f196592f3a0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e53 end=0x7f1965938e5c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
read1msg: ld 0x7f196592f3a0 0 new referrals
read1msg:  mark request completed, ld 0x7f196592f3a0 msgid 1
request done: ld 0x7f196592f3a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e53 end=0x7f1965938e5c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e53 end=0x7f1965938e5c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ber_scanf fmt (}) ber:
ber_dump: buf=0x7f1965938e50 ptr=0x7f1965938e5c end=0x7f1965938e5c len=0
ldap_msgfree
tls_write: want=93, written=93
  0000:  16 03 02 00 58 01 00 00  54 03 02 4c 56 e8 d3 01   ....X...T..LV...
  0010:  2e bb 5d b7 71 7e ec ab  4c e0 6a 32 63 85 76 88   ..].q~..L.j2c.v.
  0020:  b9 12 b3 fc e3 56 fe 2a  db 9a 0d 00 00 24 00 33   .....V.*.....$.3
  0030:  00 45 00 39 00 88 00 16  00 32 00 44 00 38 00 87   .E.9.....2.D.8..
  0040:  00 13 00 66 00 2f 00 41  00 35 00 84 00 0a 00 05   ...f./.A.5......
  0050:  00 04 01 00 00 07 00 09  00 03 02 00 01            .............
tls_read: want=5, got=0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Connect error (-11)
	additional info: A TLS packet with unexpected length was received.
As you can see, the TLS connection fails to negotiate. I have extensively googled this error but have not yet found a cause nor a solution.
OpenLDAP server version:

root@neptune:~# slapd -V
@(#) $OpenLDAP: slapd 2.4.21 (Apr 26 2010 11:08:43) $
	buildd@yellow:/build/buildd/openldap-2.4.21/debian/build/servers/slapd

GnuTLS library version:

root@neptune:~# aptitude show libgnutls26 | grep ^Ver
Version: 2.8.5-2
Many thanks in advance for any help/advice given.
Kind Regards,
Russell Knighton
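To make the debug output in the post above readable, here is an added example (my code, not the poster's and not part of OpenLDAP) that decodes the three byte strings it contains with a minimal hand-written BER and TLS record reader. It shows that the StartTLS extended operation itself succeeded at the LDAP layer (resultCode 0 on the OID 1.3.6.1.4.1.1466.20037 request), that the client then sent a well-formed TLS 1.1 ClientHello whose timestamp matches the "last used" line, and that the server returned nothing at all (got=0) before the GnuTLS error. The byte strings are copied from the hex rows above; the wording in interpret() is my reading of that output, not a statement from the thread, and the decoders assume only the short-form lengths and the single record these messages actually use.

```python
"""Decode the StartTLS exchange captured in the ldapsearch -d 16383 output.

Added example, not the poster's or OpenLDAP's code. Byte strings are copied
from the ber_dump / tls_write hex rows; decoders assume short-form BER lengths
and one TLS record, which is all these messages contain.
"""
from datetime import datetime, timezone

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# 31 bytes the client wrote (ber_flush2: 31 bytes to sd 3).
STARTTLS_REQUEST = bytes.fromhex(
    "30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 "
    "2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37"
)
# 14 bytes the server answered (ldap_read: got=8, then got=6).
STARTTLS_RESPONSE = bytes.fromhex("30 0c 02 01 01 78 07 0a 01 00 04 00 04 00")
# 93 bytes the client then wrote as its TLS ClientHello (tls_write: want=93).
CLIENT_HELLO = bytes.fromhex(
    "16 03 02 00 58 01 00 00 54 03 02 4c 56 e8 d3 01 "
    "2e bb 5d b7 71 7e ec ab 4c e0 6a 32 63 85 76 88 "
    "b9 12 b3 fc e3 56 fe 2a db 9a 0d 00 00 24 00 33 "
    "00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87 "
    "00 13 00 66 00 2f 00 41 00 35 00 84 00 0a 00 05 "
    "00 04 01 00 00 07 00 09 00 03 02 00 01"
)


def ber_tlv(buf, pos=0):
    """Read one BER tag-length-value at pos (short-form length only)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled by this toy reader")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"{what}: expected tag 0x{wanted:02x}, got 0x{tag:02x}")


def decode_starttls_request(msg):
    """LDAPMessage { messageID, ExtendedRequest { [0] requestName } }."""
    tag, body, _ = ber_tlv(msg)
    expect(tag, 0x30, "LDAPMessage")
    tag, msgid, pos = ber_tlv(body)
    expect(tag, 0x02, "messageID")
    tag, ext, _ = ber_tlv(body, pos)
    expect(tag, 0x77, "ExtendedRequest [APPLICATION 23]")
    tag, oid, _ = ber_tlv(ext)
    expect(tag, 0x80, "requestName [0]")
    return {"msgid": int.from_bytes(msgid, "big"), "oid": oid.decode("ascii")}


def decode_starttls_response(msg):
    """LDAPMessage { messageID, ExtendedResponse { resultCode, matchedDN, diag } }."""
    tag, body, _ = ber_tlv(msg)
    expect(tag, 0x30, "LDAPMessage")
    tag, msgid, pos = ber_tlv(body)
    expect(tag, 0x02, "messageID")
    tag, ext, _ = ber_tlv(body, pos)
    expect(tag, 0x78, "ExtendedResponse [APPLICATION 24]")
    tag, code, pos = ber_tlv(ext)
    expect(tag, 0x0A, "resultCode ENUMERATED")
    _, matched, pos = ber_tlv(ext, pos)
    _, diag, pos = ber_tlv(ext, pos)
    return {"msgid": int.from_bytes(msgid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode("utf-8"),
            "diagnostic": diag.decode("utf-8")}


def decode_client_hello(rec):
    """Parse one TLS record carrying a ClientHello (RFC 4346 layout)."""
    ctype, major, minor = rec[0], rec[1], rec[2]
    rec_len = int.from_bytes(rec[3:5], "big")
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = rec[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    gmt = int.from_bytes(hello[2:6], "big")            # gmt_unix_time of random
    pos = 34                                            # version(2) + random(32)
    pos += 1 + hello[pos]                               # skip session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                               # skip compression_methods
    ext_end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    exts = []
    while pos < ext_end:                                # extension type, length, data
        exts.append(int.from_bytes(hello[pos:pos + 2], "big"))
        pos += 4 + int.from_bytes(hello[pos + 2:pos + 4], "big")
    return {"record_version": (major, minor), "record_length": rec_len,
            "client_version": (hello[0], hello[1]),
            "hello_time": datetime.fromtimestamp(gmt, timezone.utc).isoformat(),
            "cipher_suites": suites, "extensions": exts}


def interpret(tls_bytes_received):
    """What 'tls_read: want=5, got=N' means once the ClientHello has gone out."""
    if tls_bytes_received == 0:
        return ("server accepted StartTLS at the LDAP layer but closed the TCP connection "
                "without sending any TLS record; GnuTLS of this era reports that EOF as "
                "'A TLS packet with unexpected length was received', so the server side "
                "(slapd TLS configuration and log) is where to look, not the client CA file")
    return "server answered the ClientHello; inspect the ServerHello or alert that follows"


if __name__ == "__main__":
    print(decode_starttls_request(STARTTLS_REQUEST))
    print(decode_starttls_response(STARTTLS_RESPONSE))
    print(decode_client_hello(CLIENT_HELLO))
    print(interpret(0))
```

Run stand-alone it prints the decoded request (msgid 1, the StartTLS OID), the success response, and a ClientHello sent at 2010-08-02T15:48:35 UTC with 18 cipher suites and one extension (type 9, cert_type), which is exactly the picture the raw dump describes once the hex is decoded.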
--On Monday, August 02, 2010 5:00 PM +0100 Russell Knighton RussellK@motionpicturesolutions.com wrote:

> Hi Everyone,
> I'm trying to set up a new OpenLDAP service utilising TLS. At the moment, it all appears to work fine without TLS, but unfortunately it always fails with it.
I suggest using OpenSSL instead of GnuTLS. Or seeing if you can use a recent GnuTLS. In general, I advise avoiding GnuTLS.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Okay, interesting advice. Might I ask why?
I'm happy to follow your suggestion though. Can you recommend a specific guide I should follow?
Out of interest, what does this error actually mean? Is it something that has been seen before?
Many thanks,
Russell Knighton
--On Monday, August 02, 2010 6:05 PM +0100 Russell Knighton RussellK@motionpicturesolutions.com wrote:

> Okay, interesting advice. Might I ask why?

Because GnuTLS has been problematic from the get-go.

> I'm happy to follow your suggestion though. Can you recommend a specific guide I should follow?

You'll need to rebuild OpenLDAP, use the ./configure script for guidelines.

> Out of interest, what does this error actually mean? Is it something that has been seen before?

Many, many errors have been seen by folks using GnuTLS.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration