HI!
(cross-posted since OpenLDAP and OpenDJ are involved)
I have some SSL client cert authc problems with an OpenLDAP 2.4.23 LDAP client (dynamically linked to OpenSSL 0.9.8e on RHEL 5.6) and OpenDJ 2.4.5 running under control of Java 1.6.0_31. I cross-checked all the cert and trust stuff several times. It seems to be correct. Unfortunately we're stuck with 2.4.23 in this setup because of OpenLDAP's ITS#6997.
(I manually obfuscated parameters and log lines herein.)
At first glance OpenLDAP's ldapwhoami seems to work correctly with the first OpenDJ replica:
$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://master1.example.com -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: cn=ldapclient,o=example,c=DE
SASL SSF: 0
dn:cn=ldapclient,ou=Users,cn=example
But in OpenDJ's access-log file there's written:
[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL mechanism=EXTERNAL dn=""
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0 authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am I?" oid="1.3.6.1.4.1.4203.1.11.3"
[18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0 additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
The attempt to do the same on another OpenDJ replica fails completely (no differences in TLS configuration - checked cn=config for potential differences with diff):
$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://consumer1.example.com -Y EXTERNAL
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
In OpenDJ's access-log file there's written:
[18/May/2012:16:52:38 +0200] CONNECT conn=6 from=x.x.x.x:61841 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
[18/May/2012:16:53:06 +0200] CONNECT conn=7 from=x.x.x.x:61842 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:53:07 +0200] DISCONNECT conn=7 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
Any clue what's going on here?
Ciao, Michael.
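As an added example (not part of the thread, and not OpenDJ's or OpenLDAP's code), the following Python script groups OpenDJ access-log events by their conn= id and classifies how each LDAPS connection ended. It separates the two situations the log excerpts above show: a connection where the TLS handshake failed and no BIND ever reached the server, versus a connection where the SASL/EXTERNAL bind succeeded and only the final TLS teardown was unclean. The sample lines are constructed from the excerpts quoted above (obfuscated x.x.x.x addresses kept); the field names follow the access-log format shown, while the outcome labels and the helper names are assumptions of this example.

```python
"""Classify LDAPS connection outcomes from OpenDJ access-log lines.

Added example, not code from the thread or from OpenDJ. It only relies on
the CONNECT / BIND REQ / BIND RES / DISCONNECT line shapes visible in the
quoted log excerpts.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the two excerpts quoted in the thread.
SAMPLE_LOG = """\
[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL mechanism=EXTERNAL dn=""
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0 authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am I?" oid="1.3.6.1.4.1.4203.1.11.3"
[18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0 additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
[18/May/2012:16:52:38 +0200] CONNECT conn=6 from=x.x.x.x:61841 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
"""

# One access-log line: "[timestamp] OP conn=N <rest>"; OP is CONNECT,
# DISCONNECT, or an operation name followed by REQ/RES.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<op>CONNECT|DISCONNECT|[A-Z]+ (?:REQ|RES)) '
    r'conn=(?P<conn>\d+)(?P<rest>.*)$'
)


def parse_access_log(text):
    """Yield (conn_id, op, rest_of_line) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group("conn")), m.group("op"), m.group("rest")


def classify(conn):
    """Assumed outcome labels (not OpenDJ terminology)."""
    msg = conn["disconnect_msg"] or ""
    if "SSLHandshakeException" in msg and not conn["bind_ok"]:
        return "tls_handshake_failed"      # never got as far as a BIND
    if conn["bind_ok"] and "close_notify" in msg:
        return "authenticated_unclean_close"  # bind fine, TLS teardown disagreed
    if conn["bind_ok"]:
        return "authenticated"
    return "unclassified"


def summarize_connections(text):
    """Return {conn_id: summary dict} with mechanism, authDN, ops, outcome."""
    conns = defaultdict(lambda: {"bind_ok": False, "mechanism": None,
                                 "authDN": None, "disconnect_msg": None,
                                 "ops": 0})
    for conn_id, op, rest in parse_access_log(text):
        c = conns[conn_id]
        if op == "BIND REQ":
            m = re.search(r'\bmechanism=(\S+)', rest)
            c["mechanism"] = m.group(1) if m else None
        elif op == "BIND RES":
            r = re.search(r'\bresult=(\d+)', rest)
            if r and r.group(1) == "0":
                c["bind_ok"] = True
                d = re.search(r'\bauthDN="([^"]*)"', rest)
                c["authDN"] = d.group(1) if d else None
        elif op == "DISCONNECT":
            # msg="..." is the last field; greedy match tolerates inner colons.
            m = re.search(r'\bmsg="(.*)"\s*$', rest)
            c["disconnect_msg"] = m.group(1) if m else None
        if op.endswith("REQ"):
            c["ops"] += 1
    for c in conns.values():
        c["outcome"] = classify(c)
    return dict(conns)


if __name__ == "__main__":
    for conn_id, c in sorted(summarize_connections(SAMPLE_LOG).items()):
        print("conn=%d mechanism=%s authDN=%s ops=%d outcome=%s"
              % (conn_id, c["mechanism"], c["authDN"], c["ops"], c["outcome"]))
```

Run against a real access log by feeding the file contents to summarize_connections(); connections reported as tls_handshake_failed are the ones worth comparing against the replica's keystore and trust configuration, while authenticated_unclean_close means authentication itself worked and only the close sequence differs between client and server.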
On 05/18/12 18:56 +0200, Michael Ströder wrote:
> HI!
> (cross-posted since OpenLDAP and OpenDJ are involved)
> I have some SSL client cert authc problems with an OpenLDAP 2.4.23 LDAP client (dynamically linked to OpenSSL 0.9.8e on RHEL 5.6) and OpenDJ 2.4.5 running under control of Java 1.6.0_31. I cross-checked all the cert and trust stuff several times. It seems to be correct. Unfortunately we're stuck with 2.4.23 in this setup because of OpenLDAP's ITS#6997.
> (I manually obfuscated parameters and log lines herein.)
> At first glance OpenLDAP's ldapwhoami seems to work correctly with the first OpenDJ replica:
> $ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://master1.example.com -Y EXTERNAL
> SASL/EXTERNAL authentication started
> SASL username: cn=ldapclient,o=example,c=DE
> SASL SSF: 0
> dn:cn=ldapclient,ou=Users,cn=example
add a '-d -1' to your ldap client commands for debug output.
If your request for EXTERNAL authentication succeeded, then everything appears to be successful from the perspective of your client. Perhaps the error (on the server here) is a disagreement with how the connection should be torn down.
Does it make a difference which SSL library you compile your client utilities against?
> But in OpenDJ's access-log file there's written:
> [18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358 to=x.x.x.x:63677 protocol=LDAPS
> [18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL mechanism=EXTERNAL dn=""
> [18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0 authDN="cn=ldapclient,o=example,c=DE" etime=0
> [18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am I?" oid="1.3.6.1.4.1.4203.1.11.3"
> [18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0 additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
> [18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
> The attempt to do the same on another OpenDJ replica fails completely (no differences in TLS configuration - checked cn=config for potential differences with diff):
> $ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://consumer1.example.com -Y EXTERNAL
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> In OpenDJ's access-log file there's written:
> [18/May/2012:16:52:38 +0200] CONNECT conn=6 from=x.x.x.x:61841 to=x.x.x.x:63677 protocol=LDAPS
> [18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
> [18/May/2012:16:53:06 +0200] CONNECT conn=7 from=x.x.x.x:61842 to=x.x.x.x:63677 protocol=LDAPS
> [18/May/2012:16:53:07 +0200] DISCONNECT conn=7 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
Dan White wrote:
> On 05/18/12 18:56 +0200, Michael Ströder wrote:
> add a '-d -1' to your ldap client commands for debug output.
Nothing meaningful to see at the client with debug output. Just a TLS connect failed.
> Does it make a difference which SSL library you compile your client utilities against?
Hmm, not sure. Problem is I have to get it to work with this particular OpenLDAP binary on RHEL 5.
Ciao, Michael.
On 18/5/2012 7:56 PM, Michael Ströder wrote:
> Any clue what's going on here?
Can't really help, but it *may* be useful to see:
http://ludopoitou.wordpress.com/2011/06/29/opendj-troubleshooting-ldap-ssl-c...
Good luck, Nick
openldap-technical@openldap.org