Hi,
has anyone ever managed to set up a TLS connection between an OpenLDAP client and an IBM LDAP Server (more specifically, ITDS 6.1, Linux platform)?
I can submit queries in the standard way, but using TLS seems to be a bit of a problem.
I have the server certificate specified as TLS_CACERT in my client config since it's self-signed.
The query result goes like this:
------
klausk@klausk:~/sandbox/Kerberos_work$ ldapsearch -D cn=root -W -H ldap://fqdn -s sub -x -ZZ -d 9 objectclass=*
ldap_url_parse_ext(ldap://fqdn)
ldap_create
ldap_url_parse_ext(ldap://fqdn:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fqdn:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2.2.2.222:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x8059240 msgid 1
wait4msg ld 0x8059240 msgid 1 (infinite timeout)
wait4msg continue ld 0x8059240 msgid 1 all 1
** ld 0x8059240 Connections:
* host: fqdn port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Aug 28 13:43:57 2008
** ld 0x8059240 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x8059240 request count 1 (abandoned 0)
** ld 0x8059240 Response Queue:
Empty
ld 0x8059240 response count 0
ldap_chkResponseList ld 0x8059240 msgid 1 all 1
ldap_chkResponseList returns ld 0x8059240 NULL
ldap_int_select
read1msg: ld 0x8059240 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x8059240 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x8059240 0 new referrals
read1msg: mark request completed, ld 0x8059240 msgid 1
request done: ld 0x8059240 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: can't connect: Decryption has failed..
ldap_err2string
ldap_start_tls: Connect error (-11)
klausk@klausk:~/sandbox/Kerberos_work$
------
Note: the server is configured to accept TLS on the standard port (389), after a START_TLS extended LDAP operation. It works fine using the IBM Client.
After sniffing the packets I could see that the OpenLDAP Client sends a "Client Hello" message advertising TLS 1.1 support (0x0302), whereas the IBM Client asks for TLS 1.0 (0x0301).
In both cases the server replies with a TLS 1.0 "Server Hello" message, with the certificate and the TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite. The following client messages are TLS 1.0, indicating that OpenLDAP correctly fell back to that version.
But with the OpenLDAP Client, after Change Cipher Spec and Encrypted Handshake, the server sends an "Encrypted Alert" message and the connection is dropped, with the output above.
I'm using a certificate generated using GSKIT on the server box, and exported the .PEM key, which OpenSSL appears to recognize fine.
Is there anything more I can do to debug this error? I'm particularly interested in further debugging the TLS connection. Maybe there is an environment variable that will enable debugging output from OpenSSL?
Any pointers are helpful.
Thanks,
-Klaus K.
openldap-technical@openldap.org
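
The version comparison described in the message above (0x0302 offered by OpenLDAP, 0x0301 by the IBM client, 0x0301 and suite 0x002f chosen by the server) can be read straight from captured hello records. The following is an added example, not part of the original post: the function names, the extra offered suite 0x0035 and the sample records are constructed for illustration and are not the poster's capture.

```python
import struct

NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}  # version codes quoted in the post

def parse_hello(record: bytes) -> dict:
    """Parse one TLS handshake record carrying a ClientHello or ServerHello."""
    try:
        ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
        msg = body[4:4 + hs_len]
        if ctype != 22 or hs_type not in (1, 2):
            raise ValueError("not a ClientHello/ServerHello handshake record")
        if len(body) != rec_len or len(msg) != hs_len:
            raise ValueError("truncated record")
        hello_ver = struct.unpack("!H", msg[:2])[0]
        pos = 2 + 32                 # skip version and 32-byte random
        pos += 1 + msg[pos]          # skip session_id (1-byte length prefix)
        if hs_type == 1:             # ClientHello: list of offered suites
            n = struct.unpack("!H", msg[pos:pos + 2])[0]
            suites = list(struct.unpack("!%dH" % (n // 2), msg[pos + 2:pos + 2 + n]))
        else:                        # ServerHello: the single selected suite
            suites = [struct.unpack("!H", msg[pos:pos + 2])[0]]
    except (struct.error, IndexError):
        raise ValueError("malformed or truncated hello") from None
    return {"kind": "ClientHello" if hs_type == 1 else "ServerHello",
            "record_version": rec_ver, "hello_version": hello_ver, "cipher_suites": suites}

def fell_back(client: dict, server: dict) -> bool:
    """True when the server chose a lower version than the client offered."""
    return server["hello_version"] < client["hello_version"]

def _record(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

def _client(version: int) -> bytes:
    suites = struct.pack("!HHH", 4, 0x002F, 0x0035)   # constructed offer list
    return _record(1, struct.pack("!H", version) + bytes(32) + b"\x00" + suites + b"\x01\x00")

# Constructed sample records (zeroed randoms, empty session ids), not the real capture.
OPENLDAP_HELLO = _client(0x0302)
IBM_HELLO = _client(0x0301)
SERVER_HELLO = _record(2, struct.pack("!H", 0x0301) + bytes(32) + b"\x00\x00\x2f\x00")

if __name__ == "__main__":
    for raw in (OPENLDAP_HELLO, IBM_HELLO, SERVER_HELLO):
        h = parse_hello(raw)
        print(h["kind"], NAMES.get(h["hello_version"]), [hex(s) for s in h["cipher_suites"]])
```

To use it on a real capture, pass parse_hello the raw bytes of a single TLS record as exported from the sniffer; a hello split across several records is reported as truncated.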