Hi,
I have slapd 2.4.24 and everything works without TLS, but if I add a -Z option to the ldapsearch command I get this:
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)
slapd.log shows something like this: connection_read(16): TLS accept failure error=-1 id=1006, closing
Output from openssl debug:
[root@ldaprov1 cacerts]# openssl s_client -connect hostname:389 -showcerts -state -CAfile cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
The configuration is as follows (same command as above but without the -Z option):
[root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: 9
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
I verified the ldap user can read all the TLS files and they are set up fine:
[root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfile cacert.pem ldaprov1.crt
ldaprov1.crt: OK
Can anyone tell me what I am missing here?
Thanks, Daniel
On 08/09/2011 08:33 AM, Daniel Qian wrote:
Can anyone tell me what I am missing here?
No, but we're missing
- platform
- tls implementation (openssl, moznss, gnutls)
- output of ldapsearch -x -d 1 -Z ...... rest of arguments .....
On 11-08-09 10:49 AM, Rich Megginson wrote:
On 08/09/2011 08:33 AM, Daniel Qian wrote:
No, but we're missing
- platform
- tls implementation (openssl, moznss, gnutls)
- output of ldapsearch -x -d 1 -Z ...... rest of arguments .....
It's Fedora 15.
ldd /usr/sbin/slapd
	linux-vdso.so.1 => (0x00007fff76fff000)
	libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f0f29fcd000)
	libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000)
	libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f0f29a38000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0f29801000)
	libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0f295e6000)
	libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000)
	libsmime3.so => /usr/lib64/libsmime3.so (0x00007f0f29183000)
	libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000)
	libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f0f28c2b000)
	libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000)
	libplc4.so => /lib64/libplc4.so (0x00007f0f28824000)
	libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0f283cb000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000)
	libfreebl3.so => /lib64/libfreebl3.so (0x00007f0f27bcc000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000)
The ldapsearch -d 1 option tells me a lot more:
.....
ldap_msgfree
TLS: file ldaprov1.crt does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file cacert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
TLS: file ldaprov1.key does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
.....
I tell slapd to look for specific files, so how come it is still checking a directory?
If I move all the files to a different directory like the following:
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
slapd still checks the /etc/openldap/cacerts directory:
TLS: did not find any valid CA certificates in /etc/openldap/cacerts
TLS: could not initialize moznss using security dir /etc/openldap/cacerts prefix - error -8174.
TLS: could perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -5939:No more entries in the directory
TLS: can't create ssl handle.
And also, it seems to be using moznss by default?
Thanks, Daniel
On 08/09/2011 09:07 AM, Daniel Qian wrote:
On 11-08-09 10:49 AM, Rich Megginson wrote:
On 08/09/2011 08:33 AM, Daniel Qian wrote:
I tell slapd to look for specific files, so how come it is still checking a directory?
I don't know. What does /etc/openldap/ldap.conf say? Do you have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
And also, it seems to be using moznss by default?
Right. Fedora 14 and later use moznss.
On 11-08-09 11:21 AM, Rich Megginson wrote:
On 08/09/2011 09:07 AM, Daniel Qian wrote:
On 11-08-09 10:49 AM, Rich Megginson wrote:
On 08/09/2011 08:33 AM, Daniel Qian wrote:
I don't know. What does /etc/openldap/ldap.conf say? Do you have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
So even for slapd the setting TLS_CACERTDIR in /etc/openldap/ldap.conf takes precedence over olcTLSCACertificateFile in cn=config? I set /etc/openldap/ldap.conf for client only and did not mean it for slapd.
Now, after I removed it from /etc/openldap/ldap.conf, ldapsearch -d 1 is indicating that the CA certificate is not valid:
TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Unknown code ___f 20.
error -8172:Unknown code ___f 20.
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30   ......0
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Unknown code ___f 20.
ldap_err2string
ldap_start_tls: Connect error (-11)
	additional info: TLS error -8172:Unknown code ___f 20
Does this mean all the certificates I created on the same server with openssl cannot be used by moznss in slapd? I never dealt with moznss before.
Thanks, Daniel
On 08/09/2011 10:15 AM, Daniel Qian wrote:
On 11-08-09 11:21 AM, Rich Megginson wrote:
On 08/09/2011 09:07 AM, Daniel Qian wrote:
On 11-08-09 10:49 AM, Rich Megginson wrote:
On 08/09/2011 08:33 AM, Daniel Qian wrote:
So even for slapd the setting TLS_CACERTDIR in /etc/openldap/ldap.conf takes precedence over olcTLSCACertificateFile in cn=config? I set /etc/openldap/ldap.conf for client only and did not mean it for slapd.
I don't know. Can someone confirm that this is how it works when using openssl or gnutls for crypto? That is, I don't think this problem is specific to moznss.
TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Unknown code ___f 20.
Does this mean all the certificates I created on the same server with openssl cannot be used by moznss in slapd? I never dealt with moznss before.
20 means SEC_ERROR_UNTRUSTED_ISSUER.
Can you provide the entire log leading up to this point? You can paste it to fpaste.org if you don't want to spam the list with too much information.
Yes, openldap with moznss should work _exactly_ like openldap with openssl. If this is something that was working before this is a bug that needs to be fixed asap.
On 11-08-09 12:55 PM, Rich Megginson wrote:
On 08/09/2011 10:15 AM, Daniel Qian wrote:
On 11-08-09 11:21 AM, Rich Megginson wrote:
On 08/09/2011 09:07 AM, Daniel Qian wrote:
On 11-08-09 10:49 AM, Rich Megginson wrote:
On 08/09/2011 08:33 AM, Daniel Qian wrote:
Can you provide the entire log leading up to this point? You can paste it to fpaste.org if you don't want to spam the list with too much information.
Yes, openldap with moznss should work _exactly_ like openldap with openssl. If this is something that was working before, this is a bug that needs to be fixed asap.
I ran the same ldapsearch command from a CentOS box which has openssl and the error message says this:
TLS certificate verification: Error, self signed certificate in certificate chain
which is not true. I have separate CA certificate and server certificate. The server certificate is signed by the CA certificate.
Seems the server certificate defined in olcTLSCertificateFile never gets recognized by the client.
CentOS openssl output pasted - http://fpaste.org/7Hju/
Fedora moznss output pasted - http://fpaste.org/aE19/
Thanks for looking into the issue Daniel
On 08/09/2011 11:59 AM, Daniel Qian wrote:
On 11-08-09 12:55 PM, Rich Megginson wrote:
On 08/09/2011 10:15 AM, Daniel Qian wrote:
On 11-08-09 11:21 AM, Rich Megginson wrote:
On 08/09/2011 09:07 AM, Daniel Qian wrote:
On 11-08-09 10:49 AM, Rich Megginson wrote:
On 08/09/2011 08:33 AM, Daniel Qian wrote:
openssl seems to be complaining about the CA certificate:
# TLS certificate verification: depth: 1, err: 19, subject: /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com, issuer: /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
# TLS certificate verification: Error, self signed certificate in certificate chain
Note that the subject: is the same as the issuer: - that is, it is a self signed certificate (self issued).
But I'm not sure if this is the real problem.
# TLS trace: SSL3 alert write:fatal:unknown CA
Do you have the CA cert on the client machine?
If you remove TLS_CACERTDIR from /etc/openldap/ldap.conf and then specify
olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
in your slapd config, does it work?
On 11-08-09 2:12 PM, Rich Megginson wrote:
That certificate it is complaining about is actually the ROOT CA. But I have another server certificate specified by "olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt" in cn=config and its subject and issuer are shown below:
certs]# openssl x509 -noout -issuer -subject -in /etc/ssl/certs/ldaprov1.crt
issuer= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
subject= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=ldaprov1.prod/emailAddress=sysadmin@theepicmediagroup.com
It's that the client can't seem to get it for some reason.
I put the same CA cert on the client machine, both in /etc/ldap.conf (/etc/nss_ldap.conf on Fedora now) and /etc/openldap/ldap.conf.
That is what I have been doing, or trying to do, the whole time. Note the last three lines of the current configuration, as shown below from the CentOS client:
.prod:/etc/openldap/cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wtesting123 -H ldap://ldaprov1.prod cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: 9
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
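The checks the thread performs by hand (CA-vs-server issuer match, openssl verify -purpose sslserver, and whether a TLS_CACERTDIR holds the CA under its hashed name, which is what the "does not end in [.0] ... skipping" lines are about) as one small diagnostic script; this is added here and is not code from the thread or from OpenLDAP. The 7-byte record the moznss trace writes (15 03 01 00 02 02 30) is a fatal TLS alert whose description 0x30 is unknown_ca, the same diagnosis as SEC_ERROR_UNTRUSTED_ISSUER and the "alert write:fatal:unknown CA" seen from the OpenSSL client. It assumes only openssl(1); the CA and server certificate it generates for the self-test are constructed throwaways, not the poster's real certificates.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). It automates the checks the
# thread runs by hand with openssl; the test PKI it can build is constructed
# data and has nothing to do with the poster's files.

# Subject / issuer DN of a PEM cert with the "subject=" / "issuer=" prefix
# stripped, so both sides are formatted by the same openssl and compare cleanly.
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

# 1. Name match: the server cert's issuer DN must equal the CA's subject DN.
#    Necessary but not sufficient: a different CA with the same DN passes this
#    and still fails check 2.
issuer_matches_ca() {   # $1 = CA pem, $2 = server pem
    [ "$(cert_issuer "$2")" = "$(cert_subject "$1")" ]
}

# 2. Signature/chain check for the sslserver purpose, as a yes/no function.
chain_verifies() {      # $1 = CA pem, $2 = server pem
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# 3. TLS_CACERTDIR lookups go by <subject_hash>.0 (what c_rehash generates);
#    any other file name in that directory is skipped, as the -d 1 trace shows.
ca_hash_name() { openssl x509 -noout -hash -in "$1"; }

cacertdir_has_hashed_ca() {  # $1 = directory, $2 = CA pem
    [ -e "$1/$(ca_hash_name "$2").0" ]
}

# Install a CA into a directory under its hashed name (.0 is the first CA
# with that hash; a hash collision would need .1, .2, ...).
cacertdir_add() {            # $1 = directory, $2 = CA pem
    cp "$2" "$1/$(ca_hash_name "$2").0"
}

# Constructed test data: a throwaway root CA and a server cert it signs.
# $1 = work dir, $2 = server CN, $3 = CA CN. 2048-bit RSA keys, no passphrase.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Test/CN=$3" \
        -keyout "$1/cacert.key" -out "$1/cacert.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Test/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" -CAkey "$1/cacert.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" >/dev/null 2>&1
}

# Run all three checks and print one verdict line each.
# $1 = CA pem (olcTLSCACertificateFile), $2 = server pem (olcTLSCertificateFile),
# $3 = directory a client's TLS_CACERTDIR points at
diagnose() {
    if issuer_matches_ca "$1" "$2"; then echo "issuer DN matches CA subject"
    else echo "issuer DN does NOT match CA subject"; fi
    if chain_verifies "$1" "$2"; then echo "chain verifies for sslserver"
    else echo "chain does NOT verify against $1"; fi
    if cacertdir_has_hashed_ca "$3" "$1"; then echo "CA present as $(ca_hash_name "$1").0 in $3"
    else echo "CA not hashed in $3 (TLS_CACERTDIR would skip it)"; fi
}

# Usage: . ./tlscheck.sh; diagnose cacert.pem ldaprov1.crt /etc/openldap/cacerts
```

One more caveat on the original post's openssl s_client run: port 389 speaks plaintext LDAP until StartTLS is negotiated, so a bare TLS ClientHello there always ends in a handshake failure whatever the certificates look like; OpenSSL 1.1.0 and later can negotiate it with `-starttls ldap`, and older versions can only test an ldaps:// (636) listener directly.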
On 08/09/2011 12:43 PM, Daniel Qian wrote:
try starting slapd with -d 1
On 11-08-09 2:45 PM, Rich Megginson wrote:
On 08/09/2011 12:43 PM, Daniel Qian wrote:
On 11-08-09 2:12 PM, Rich Megginson wrote:
On 08/09/2011 11:59 AM, Daniel Qian wrote:
On 11-08-09 12:55 PM, Rich Megginson wrote:
On 08/09/2011 10:15 AM, Daniel Qian wrote:
On 11-08-09 11:21 AM, Rich Megginson wrote: > On 08/09/2011 09:07 AM, Daniel Qian wrote: >> On 11-08-09 10:49 AM, Rich Megginson wrote: >>> On 08/09/2011 08:33 AM, Daniel Qian wrote: >>>> Hi, >>>> >>>> I have slapd 2.4.24 and everything works without TLS. but if >>>> I add a -Z option to the ldapsearch command I get this: >>>> >>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D >>>> cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod >>>> cn=config >>>> ldap_start_tls: Connect error (-11) >>>> ldap_result: Can't contact LDAP server (-1) >>>> >>>> slapd.log shows something like this : connection_read(16): >>>> TLS accept failure error=-1 id=1006, closing >>>> >>>> Output from openssl debug: >>>> >>>> [root@ldaprov1 cacerts]# openssl s_client -connect >>>> hostname:389 -showcerts -state -CAfile cacert.pem >>>> CONNECTED(00000003) >>>> SSL_connect:before/connect initialization >>>> SSL_connect:SSLv2/v3 write client hello A >>>> 140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl >>>> handshake failure:s23_lib.c:177: >>>> --- >>>> no peer certificate available >>>> --- >>>> No client certificate CA names sent >>>> --- >>>> SSL handshake has read 0 bytes and written 113 bytes >>>> --- >>>> New, (NONE), Cipher is (NONE) >>>> Secure Renegotiation IS NOT supported >>>> Compression: NONE >>>> Expansion: NONE >>>> --- >>>> >>>> The configurations are as follow (same command as above but >>>> without the -Z option): >>>> >>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D >>>> cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config >>>> dn: cn=config >>>> objectClass: olcGlobal >>>> cn: config >>>> olcConfigFile: /etc/openldap/slapd.conf >>>> olcConfigDir: /etc/openldap/slapd.d >>>> olcAllows: bind_v2 >>>> olcArgsFile: /var/run/openldap/slapd.args >>>> olcAttributeOptions: lang- >>>> olcAuthzPolicy: none >>>> olcConcurrency: 0 >>>> olcConnMaxPending: 100 >>>> olcConnMaxPendingAuth: 1000 >>>> olcGentleHUP: FALSE >>>> olcIdleTimeout: 0 
>>>> olcIndexSubstrIfMaxLen: 4 >>>> olcIndexSubstrIfMinLen: 2 >>>> olcIndexSubstrAnyLen: 4 >>>> olcIndexSubstrAnyStep: 2 >>>> olcIndexIntLen: 4 >>>> olcLocalSSF: 71 >>>> olcLogLevel: 9 >>>> olcPidFile: /var/run/openldap/slapd.pid >>>> olcReadOnly: FALSE >>>> olcReverseLookup: FALSE >>>> olcSaslSecProps: noplain,noanonymous >>>> olcSockbufMaxIncoming: 262143 >>>> olcSockbufMaxIncomingAuth: 16777215 >>>> olcThreads: 16 >>>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem >>>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt >>>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key >>>> olcTLSVerifyClient: never >>>> olcToolThreads: 1 >>>> olcWriteTimeout: 0 >>>> >>>> >>>> I verified the ldap user can read all the TLS files and they >>>> are setup fine >>>> >>>> [root@ldaprov1 cacerts]# openssl verify -purpose sslserver >>>> -CAfile cacert.pem ldaprov1.crt >>>> ldaprov1.crt: OK >>>> >>>> >>>> Anyone can tell me what I am missing here? >>> No, but we're missing >>> 1) platform >>> 2) tls implementation (openssl, moznss, gnutls) >>> 3) output of ldapsearch -x -d 1 -Z ...... rest of arguments ..... 
>>> >> >> Its Fedora 15 >> >> ldd /usr/sbin/slapd >> linux-vdso.so.1 => (0x00007fff76fff000) >> libltdl.so.7 => /usr/lib64/libltdl.so.7 >> (0x00007f0f29fcd000) >> libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000) >> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 >> (0x00007f0f29a38000) >> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0f29801000) >> libresolv.so.2 => /lib64/libresolv.so.2 >> (0x00007f0f295e6000) >> libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000) >> libsmime3.so => /usr/lib64/libsmime3.so >> (0x00007f0f29183000) >> libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000) >> libnssutil3.so => /usr/lib64/libnssutil3.so >> (0x00007f0f28c2b000) >> libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000) >> libplc4.so => /lib64/libplc4.so (0x00007f0f28824000) >> libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000) >> libpthread.so.0 => /lib64/libpthread.so.0 >> (0x00007f0f283cb000) >> libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000) >> libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000) >> libfreebl3.so => /lib64/libfreebl3.so (0x00007f0f27bcc000) >> libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000) >> /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000) >> >> >> the ldapsearch -d 1 option tells me a lot more: >> ..... >> ldap_msgfree >> TLS: file ldaprov1.crt does not end in [.0] - does not appear >> to be a CA certificate directory file with a properly hashed >> file name - skipping. >> TLS: file cacert.pem does not end in [.0] - does not appear to >> be a CA certificate directory file with a properly hashed file >> name - skipping. >> TLS: file ldaprov1.key does not end in [.0] - does not appear >> to be a CA certificate directory file with a properly hashed >> file name - skipping. >> ..... >> >> I tell slapd to look for specific files but how come it is >> still checking in a directory? > I don't know. What does /etc/openldap/ldap.conf say? Do you > have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
So even for slapd, the setting TLS_CACERTDIR in /etc/openldap/ldap.conf takes precedence over olcTLSCACertificateFile in cn=config? I set /etc/openldap/ldap.conf for the client only and did not mean it for slapd.
I don't know. Can someone confirm that this is how it works when using openssl or gnutls for crypto? That is, I don't think this problem is specific to moznss.
Now after I removed it from /etc/openldap/ldap.conf, ldapsearch -d 1 is indicating the CA certificate is not valid:
TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Unknown code ___f 20.
error -8172:Unknown code ___f 20.
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
TLS: can't connect: TLS error -8172:Unknown code ___f 20.
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Unknown code ___f 20
Does this mean all the certificates I created on the same server with openssl cannot be used by moznss in slapd? I never dealt with moznss before.
20 means SEC_ERROR_UNTRUSTED_ISSUER
Can you provide the entire log leading up to this point? You can paste it to fpaste.org if you don't want to spam the list with too much information.
Yes, openldap with moznss should work _exactly_ like openldap with openssl. If this is something that was working before, this is a bug that needs to be fixed asap.
I ran the same ldapsearch command from a CentOS box which has openssl, and the error message says this:
TLS certificate verification: Error, self signed certificate in certificate chain
which is not true. I have a separate CA certificate and server certificate. The server certificate is signed by the CA certificate.
openssl seems to be complaining about the CA certificate:
# TLS certificate verification: depth: 1, err: 19, subject: /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com, issuer: /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
# TLS certificate verification: Error, self signed certificate in certificate chain
Note that the subject: is the same as the issuer: - that is, it is a self signed certificate (self issued).
But I'm not sure if this is the real problem.
The certificate it is complaining about is actually the ROOT CA. But I have another server certificate specified by "olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt" in cn=config, and its subject and issuer are shown below:
certs]# openssl x509 -noout -issuer -subject -in /etc/ssl/certs/ldaprov1.crt
issuer= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
subject= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=ldaprov1.prod/emailAddress=sysadmin@theepicmediagroup.com
It's that the client can't seem to get it for some reason.
# TLS trace: SSL3 alert write:fatal:unknown CA
Do you have the CA cert on the client machine?
I put the same CA cert on the client machine, both in /etc/ldap.conf (/etc/nss_ldap.conf on Fedora now) and /etc/openldap/ldap.conf.
Seems the server certificate defined in olcTLSCertificateFile never gets recognized by the client.
CentOS openssl output pasted - http://fpaste.org/7Hju/
Fedora moznss output pasted - http://fpaste.org/aE19/
If you remove TLS_CACERTDIR from /etc/openldap/ldap.conf and then specify
olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
That is what I have been doing, or trying to do, the whole time. Note the last three lines from the current configuration as shown below from the CentOS client:
.prod:/etc/openldap/cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wtesting123 -H ldap://ldaprov1.prod cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: 9
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
try starting slapd with -d 1
got the following from the log:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: slap_listener_activate(7):
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 busy
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: >>> slap_listener(ldap:///)
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: listen=7, new connection on 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: added 14r (active) listener=(nil)
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got connid=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking for input on id=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: op tag 0x77, time 1312932447
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 do_extended
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 19:27:27 ldaprov2 slapd[28972]: do_extended: oid=1.3.6.1.4.1.1466.20037
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 STARTTLS
Aug 9 19:27:27 ldaprov2 slapd[28972]: send_ldap_extended: err=0 oid= len=0
Aug 9 19:27:27 ldaprov2 slapd[28972]: send_ldap_response: msgid=1 tag=120 err=0
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 op=0 RESULT oid= err=0 text=
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 fd=14 ACCEPT from IP=10.10.2.44:54439 (IP=0.0.0.0:389)
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got connid=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking for input on id=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]: 14r
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: read active on 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14)
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_get(14): got connid=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): checking for input on id=1003
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_read(14): TLS accept failure error=-1 id=1003, closing
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_closing: readying conn=1003 sd=14 for close
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on 1 descriptor
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: activity on:
Aug 9 19:27:27 ldaprov2 slapd[28972]:
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Aug 9 19:27:27 ldaprov2 slapd[28972]: connection_close: conn=1003 sd=14
Aug 9 19:27:27 ldaprov2 slapd[28972]: daemon: removing 14
Aug 9 19:27:27 ldaprov2 slapd[28972]: conn=1003 fd=14 closed (TLS negotiation failure)
On 08/09/2011 01:31 PM, Daniel Qian wrote:
On 11-08-09 2:45 PM, Rich Megginson wrote:
On 08/09/2011 12:43 PM, Daniel Qian wrote:
On 11-08-09 2:12 PM, Rich Megginson wrote:
On 08/09/2011 11:59 AM, Daniel Qian wrote:
On 11-08-09 12:55 PM, Rich Megginson wrote:
On 08/09/2011 10:15 AM, Daniel Qian wrote:
> On 11-08-09 11:21 AM, Rich Megginson wrote:
>> On 08/09/2011 09:07 AM, Daniel Qian wrote:
>>> On 11-08-09 10:49 AM, Rich Megginson wrote:
>>>> On 08/09/2011 08:33 AM, Daniel Qian wrote:
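The three verification outcomes that came up in this exchange (the OP's `openssl verify -CAfile` succeeding on the server, the CentOS client stopping at depth 1 with err 19, and slapd's "does not end in [.0]" messages when a CA directory was in play) can be reproduced with a throwaway CA. The script below is an added example, not code from the thread or from OpenLDAP; it assumes only the openssl CLI (1.1.1 or newer) on PATH, and every name in it (the Demo Root CA, ldaprov1.example.test, the temporary directory) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: build a throwaway
# root CA plus a server certificate signed by it, then run the three checks
# discussed above. Assumes only the openssl CLI (1.1.1 or newer) on PATH.
# "Demo Root CA" and ldaprov1.example.test are constructed names.

# Minimal openssl.cnf so the demo does not depend on the system config.
write_demo_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldaprov1.example.test
EOF
}

# Create cacert.pem (self-signed root) and ldaprov1.crt/.key signed by it in $1.
make_demo_pki() {
    pki=$1
    write_demo_config "$pki"
    openssl req -x509 -config "$pki/openssl.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Demo/CN=Demo Root CA" \
        -keyout "$pki/cacert.key" -out "$pki/cacert.pem" >/dev/null 2>&1
    openssl req -new -config "$pki/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Demo/CN=ldaprov1.example.test" \
        -keyout "$pki/ldaprov1.key" -out "$pki/ldaprov1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$pki/ldaprov1.csr" \
        -CA "$pki/cacert.pem" -CAkey "$pki/cacert.key" -CAcreateserial \
        -extfile "$pki/openssl.cnf" -extensions v3_server \
        -out "$pki/ldaprov1.crt" >/dev/null 2>&1
}

# The check the OP ran on the server: the root is handed over as a trust
# anchor, so the server certificate verifies. Prints "OK".
verify_with_trusted_root() {
    openssl verify -purpose sslserver -CAfile "$1/cacert.pem" "$1/ldaprov1.crt" 2>&1 \
        | sed -n 's/^.*: OK$/OK/p'
}

# What the CentOS client saw: the root is present in the chain (-untrusted is
# how a peer-supplied chain is treated) but no trust anchor matches it, so
# OpenSSL stops at depth 1 with X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (19).
# Prints the numeric error code.
verify_with_untrusted_root() {
    openssl verify -untrusted "$1/cacert.pem" "$1/ldaprov1.crt" 2>&1 \
        | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p'
}

# What the "does not end in [.0]" messages mean: a CA *directory*
# (TLS_CACERTDIR / -CApath) is searched by <subject_hash>.0 file name only,
# so a file called cacert.pem in it is skipped. Install the hashed name and
# the same root verifies again. Prints "OK".
verify_with_hashed_dir() {
    mkdir -p "$1/cadir"
    h=$(openssl x509 -subject_hash -noout -in "$1/cacert.pem")
    cp "$1/cacert.pem" "$1/cadir/$h.0"
    openssl verify -CApath "$1/cadir" "$1/ldaprov1.crt" 2>&1 \
        | sed -n 's/^.*: OK$/OK/p'
}

main() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "trusted CAfile:  $(verify_with_trusted_root "$work")"         # OK
    echo "untrusted root:  error $(verify_with_untrusted_root "$work")" # error 19
    echo "hashed CA dir:   $(verify_with_hashed_dir "$work")"           # OK
    rm -rf "$work"
}
main
```

Error 19 is not a complaint about the server certificate: the chain was built all the way to a self-signed root, and the problem is that the verifying side has no trust anchor for that root, which is the situation of a client whose TLS_CACERT does not point at cacert.pem. The moznss build reports the same condition as -8172 (SEC_ERROR_UNTRUSTED_ISSUER), as noted above. The hashed-name check also explains the earlier symptom: a TLS_CACERTDIR left in /etc/openldap/ldap.conf makes the library walk that directory looking for `<hash>.0` files, and plain `.pem`/`.crt`/`.key` names in it are skipped with exactly the message the OP saw.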
With -d 1 there should be a lot more output than this?
On 11-08-09 3:32 PM, Rich Megginson wrote:
I ran the same ldapsearch command from a CentOS box which has openssl, and the error message says this:
TLS certificate verification: Error, self signed certificate in certificate chain
which is not true. I have a separate CA certificate and server certificate. The server certificate is signed by the CA certificate.
openssl seems to be complaining about the CA certificate:
# TLS certificate verification: depth: 1, err: 19, subject: /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com, issuer: /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
# TLS certificate verification: Error, self signed certificate in certificate chain
Note that the subject: is the same as the issuer: - that is, it is a self signed certificate (self issued).
But I'm not sure if this is the real problem.
That certificate it is complaining about is actually the ROOT CA. But I have another server certificate specified by "olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt" in cn=config and its subject and issuer are shown below:
certs]# openssl x509 -noout -issuer -subject -in /etc/ssl/certs/ldaprov1.crt
issuer= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
subject= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=ldaprov1.prod/emailAddress=sysadmin@theepicmediagroup.com
It's that the client can't seem to get it for some reason.
# TLS trace: SSL3 alert write:fatal:unknown CA
Do you have the CA cert on the client machine?
I put the same CA cert on the client machine, both in /etc/ldap.conf (/etc/nss_ldap.conf on Fedora now) and /etc/openldap/ldap.conf.
Seems the server certificate defined in olcTLSCertificateFile never gets recognized by the client.
CentOS openssl output pasted - http://fpaste.org/7Hju/
Fedora moznss output pasted - http://fpaste.org/aE19/
If you remove TLS_CACERTDIR from /etc/openldap/ldap.conf and then specify
olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
That is what I have been doing, or trying to do, the whole time. Note the last three lines of the current configuration as shown below from the CentOS client:
.prod:/etc/openldap/cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wtesting123 -H ldap://ldaprov1.prod cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: 9
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt
olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
try starting slapd with -d 1
got the following from the log:
With -d 1 there should be a lot more output than this?
You mean those produced when it starts up?
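Rich's two checks above (a certificate whose subject equals its issuer is the self-signed root, and "depth: 1, err: 19" means the client holds no trusted copy of that root), together with the earlier moznss message that a CA-directory file must carry a hashed `<hash>.0` name, can be reproduced with plain openssl. The script below is an added example, not code from the thread or from OpenLDAP; it builds a throwaway CA and server certificate (the names `Example root CA` and `ldap.example.test` are made up) and shows that a CA dropped into a CA directory under an arbitrary file name is skipped while the hashed name is found.

```shell
#!/bin/sh
# Added example: reproduce the TLS_CACERTDIR / untrusted-root behaviour
# from the thread with openssl alone. All names and files are constructed
# here in a scratch directory; nothing touches the system trust store.

# Build a two-level test PKI in $1: a self-signed root CA and a server
# certificate signed by it (the analogue of cacert.pem and ldaprov1.crt).
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=Example/CN=Example root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/O=Example/CN=ldap.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# Rich's test: subject equal to issuer means self-signed (self-issued),
# i.e. a root. Exit status 0 for a root, 1 for anything else.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# Verify a server certificate the way a TLS client with TLS_CACERTDIR does:
# trusted CAs come only from the hashed directory $2; the CA file $3 is
# offered as untrusted chain material, like a server that sends its root.
# Prints "ok", or "<err>:<depth>" such as "19:1" (self signed certificate
# in certificate chain, reported at depth 1, exactly as in the thread).
verify_against_dir() {
    cert=$1; cadir=$2; ca=$3
    out=$(openssl verify -CApath "$cadir" -untrusted "$ca" "$cert" 2>&1) || true
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo ok
    else
        printf '%s\n' "$out" |
            sed -n 's/.*error \([0-9]*\) at \([0-9]*\) depth lookup.*/\1:\2/p' |
            head -n 1
    fi
}

# Install a CA into a CA directory under the only name the directory lookup
# consults: <subject hash>.0 (what the "does not end in [.0] ... skipping"
# message is about). Prints the path it created.
install_ca_hashed() {
    ca=$1; cadir=$2
    h=$(openssl x509 -noout -hash -in "$ca")
    cp "$ca" "$cadir/$h.0"
    echo "$cadir/$h.0"
}
```

Run the functions against a scratch directory: before `install_ca_hashed`, `verify_against_dir` reports `19:1` even with the CA copied into the directory as `cacert.pem`; after it, the same check prints `ok`.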
On 08/09/2011 01:36 PM, Daniel Qian wrote:
> You mean those produced when it starts up?
Yes, and also when it's running - there should be a lot more messages from the TLS related code
On 11-08-09 3:37 PM, Rich Megginson wrote:
> Yes, and also when it's running - there should be a lot more messages from the TLS related code
startup log here http://fpaste.org/vy7x/
On 08/09/2011 01:59 PM, Daniel Qian wrote:
On 11-08-09 3:37 PM, Rich Megginson wrote:
On 08/09/2011 01:36 PM, Daniel Qian wrote:
On 11-08-09 3:32 PM, Rich Megginson wrote:
On 08/09/2011 01:31 PM, Daniel Qian wrote:
On 11-08-09 2:45 PM, Rich Megginson wrote:
On 08/09/2011 12:43 PM, Daniel Qian wrote:
> On 11-08-09 2:12 PM, Rich Megginson wrote:
>> On 08/09/2011 11:59 AM, Daniel Qian wrote:
>>> On 11-08-09 12:55 PM, Rich Megginson wrote:
>>>> On 08/09/2011 10:15 AM, Daniel Qian wrote:
>>>>> On 11-08-09 11:21 AM, Rich Megginson wrote:
>>>>>> On 08/09/2011 09:07 AM, Daniel Qian wrote:
>>>>>>> On 11-08-09 10:49 AM, Rich Megginson wrote:
>>>>>>>> On 08/09/2011 08:33 AM, Daniel Qian wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have slapd 2.4.24 and everything works without TLS, but if I add a -Z option to the ldapsearch command I get this:
>>>>>>>>>
>>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxxx -Z -H ldap://ldaprov1.prod cn=config
>>>>>>>>> ldap_start_tls: Connect error (-11)
>>>>>>>>> ldap_result: Can't contact LDAP server (-1)
>>>>>>>>>
>>>>>>>>> slapd.log shows something like this:
>>>>>>>>> connection_read(16): TLS accept failure error=-1 id=1006, closing
>>>>>>>>>
>>>>>>>>> Output from openssl debug:
>>>>>>>>>
>>>>>>>>> [root@ldaprov1 cacerts]# openssl s_client -connect hostname:389 -showcerts -state -CAfile cacert.pem
>>>>>>>>> CONNECTED(00000003)
>>>>>>>>> SSL_connect:before/connect initialization
>>>>>>>>> SSL_connect:SSLv2/v3 write client hello A
>>>>>>>>> 140225133647680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
>>>>>>>>> ---
>>>>>>>>> no peer certificate available
>>>>>>>>> ---
>>>>>>>>> No client certificate CA names sent
>>>>>>>>> ---
>>>>>>>>> SSL handshake has read 0 bytes and written 113 bytes
>>>>>>>>> ---
>>>>>>>>> New, (NONE), Cipher is (NONE)
>>>>>>>>> Secure Renegotiation IS NOT supported
>>>>>>>>> Compression: NONE
>>>>>>>>> Expansion: NONE
>>>>>>>>> ---
>>>>>>>>>
>>>>>>>>> The configuration is as follows (same command as above but without the -Z option):
>>>>>>>>>
>>>>>>>>> [root@ldaprov1 cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wxxxxxx -H ldap://hostname cn=config
>>>>>>>>> dn: cn=config
>>>>>>>>> objectClass: olcGlobal
>>>>>>>>> cn: config
>>>>>>>>> olcConfigFile: /etc/openldap/slapd.conf
>>>>>>>>> olcConfigDir: /etc/openldap/slapd.d
>>>>>>>>> olcAllows: bind_v2
>>>>>>>>> olcArgsFile: /var/run/openldap/slapd.args
>>>>>>>>> olcAttributeOptions: lang-
>>>>>>>>> olcAuthzPolicy: none
>>>>>>>>> olcConcurrency: 0
>>>>>>>>> olcConnMaxPending: 100
>>>>>>>>> olcConnMaxPendingAuth: 1000
>>>>>>>>> olcGentleHUP: FALSE
>>>>>>>>> olcIdleTimeout: 0
>>>>>>>>> olcIndexSubstrIfMaxLen: 4
>>>>>>>>> olcIndexSubstrIfMinLen: 2
>>>>>>>>> olcIndexSubstrAnyLen: 4
>>>>>>>>> olcIndexSubstrAnyStep: 2
>>>>>>>>> olcIndexIntLen: 4
>>>>>>>>> olcLocalSSF: 71
>>>>>>>>> olcLogLevel: 9
>>>>>>>>> olcPidFile: /var/run/openldap/slapd.pid
>>>>>>>>> olcReadOnly: FALSE
>>>>>>>>> olcReverseLookup: FALSE
>>>>>>>>> olcSaslSecProps: noplain,noanonymous
>>>>>>>>> olcSockbufMaxIncoming: 262143
>>>>>>>>> olcSockbufMaxIncomingAuth: 16777215
>>>>>>>>> olcThreads: 16
>>>>>>>>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
>>>>>>>>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
>>>>>>>>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
>>>>>>>>> olcTLSVerifyClient: never
>>>>>>>>> olcToolThreads: 1
>>>>>>>>> olcWriteTimeout: 0
>>>>>>>>>
>>>>>>>>> I verified the ldap user can read all the TLS files and they are set up fine:
>>>>>>>>>
>>>>>>>>> [root@ldaprov1 cacerts]# openssl verify -purpose sslserver -CAfile cacert.pem ldaprov1.crt
>>>>>>>>> ldaprov1.crt: OK
>>>>>>>>>
>>>>>>>>> Can anyone tell me what I am missing here?
>>>>>>>> No, but we're missing
>>>>>>>> 1) platform
>>>>>>>> 2) tls implementation (openssl, moznss, gnutls)
>>>>>>>> 3) output of ldapsearch -x -d 1 -Z ...... rest of arguments .....
>>>>>>>
>>>>>>> It's Fedora 15.
>>>>>>>
>>>>>>> ldd /usr/sbin/slapd
>>>>>>> linux-vdso.so.1 => (0x00007fff76fff000)
>>>>>>> libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f0f29fcd000)
>>>>>>> libdb-4.8.so => /lib64/libdb-4.8.so (0x00007f0f29c53000)
>>>>>>> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f0f29a38000)
>>>>>>> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f0f29801000)
>>>>>>> libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f0f295e6000)
>>>>>>> libssl3.so => /usr/lib64/libssl3.so (0x00007f0f293b0000)
>>>>>>> libsmime3.so => /usr/lib64/libsmime3.so (0x00007f0f29183000)
>>>>>>> libnss3.so => /usr/lib64/libnss3.so (0x00007f0f28e4b000)
>>>>>>> libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f0f28c2b000)
>>>>>>> libplds4.so => /lib64/libplds4.so (0x00007f0f28a28000)
>>>>>>> libplc4.so => /lib64/libplc4.so (0x00007f0f28824000)
>>>>>>> libnspr4.so => /lib64/libnspr4.so (0x00007f0f285e6000)
>>>>>>> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0f283cb000)
>>>>>>> libc.so.6 => /lib64/libc.so.6 (0x00007f0f28032000)
>>>>>>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f27e2d000)
>>>>>>> libfreebl3.so => /lib64/libfreebl3.so (0x00007f0f27bcc000)
>>>>>>> libz.so.1 => /lib64/libz.so.1 (0x00007f0f279b5000)
>>>>>>> /lib64/ld-linux-x86-64.so.2 (0x00007f0f2a66a000)
>>>>>>>
>>>>>>> The ldapsearch -d 1 option tells me a lot more:
>>>>>>> .....
>>>>>>> ldap_msgfree
>>>>>>> TLS: file ldaprov1.crt does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
>>>>>>> TLS: file cacert.pem does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
>>>>>>> TLS: file ldaprov1.key does not end in [.0] - does not appear to be a CA certificate directory file with a properly hashed file name - skipping.
>>>>>>> .....
>>>>>>>
>>>>>>> I tell slapd to look for specific files, but how come it is still checking in a directory?
>>>>>> I don't know. What does /etc/openldap/ldap.conf say? Do you have a ~/.ldaprc or ~/ldaprc for the user "ldap"?
>>>>>
>>>>> So even for slapd the setting TLS_CACERTDIR in /etc/openldap/ldap.conf takes precedence over olcTLSCACertificateFile in cn=config? I set /etc/openldap/ldap.conf for clients only and did not mean it for slapd.
>>>> I don't know. Can someone confirm that this is how it works when using openssl or gnutls for crypto? That is, I don't think this problem is specific to moznss.
>>>>>
>>>>> Now, after I removed it from /etc/openldap/ldap.conf, ldapsearch -d 1 is indicating the CA certificate is not valid:
>>>>>
>>>>> TLS: certificate [CA certificate details omitted here...] is not valid - error -8172:Unknown code ___f 20.
>>>>> error -8172:Unknown code ___f 20.
>>>>> tls_write: want=7, written=7
>>>>>   0000:  15 03 01 00 02 02 30                               ......0
>>>>> TLS: error: connect - force handshake failure: errno 21 - moznss error -8172
>>>>> TLS: can't connect: TLS error -8172:Unknown code ___f 20.
>>>>> ldap_err2string
>>>>> ldap_start_tls: Connect error (-11)
>>>>>         additional info: TLS error -8172:Unknown code ___f 20
>>>>>
>>>>> Does this mean all the certificates I created on the same server with openssl cannot be used by moznss in slapd? I never dealt with moznss before.
>>>> 20 means SEC_ERROR_UNTRUSTED_ISSUER
>>>>
>>>> Can you provide the entire log leading up to this point? You can paste it to fpaste.org if you don't want to spam the list with too much information.
>>>>
>>>> Yes, openldap with moznss should work _exactly_ like openldap with openssl. If this is something that was working before, this is a bug that needs to be fixed asap.
>>>
>>> I ran the same ldapsearch command from a CentOS box which has openssl, and the error message says this:
>>>
>>> TLS certificate verification: Error, self signed certificate in certificate chain
>>>
>>> which is not true. I have separate CA certificate and server certificate. The server certificate is signed by the CA certificate.
>> openssl seems to be complaining about the CA certificate:
>> #
>> TLS certificate verification: depth: 1, err: 19, subject: /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com, issuer: /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
>> #
>> TLS certificate verification: Error, self signed certificate in certificate chain
>>
>> Note that the subject: is the same as the issuer: - that is, it is a self signed certificate (self issued).
>>
>> But I'm not sure if this is the real problem.
>
> The certificate it is complaining about is actually the ROOT CA. But I have another server certificate specified by "olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt" in cn=config, and its subject and issuer are shown below:
>
> certs]# openssl x509 -noout -issuer -subject -in /etc/ssl/certs/ldaprov1.crt
> issuer= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=Epic Media Group root CA/emailAddress=sysadmin@theepicmediagroup.com
> subject= /C=CA/ST=Ontario/L=Toronto/O=Epic Media Group/OU=IT/CN=ldaprov1.prod/emailAddress=sysadmin@theepicmediagroup.com
>
> It's that the client can't seem to get it for some reason.
>> #
>> TLS trace: SSL3 alert write:fatal:unknown CA
>>
>> Do you have the CA cert on the client machine?
>
> I put the same CA cert on the client machine, both in /etc/ldap.conf (/etc/nss_ldap.conf on Fedora now) and /etc/openldap/ldap.conf.
>
>>>
>>> Seems the server certificate defined in olcTLSCertificateFile never gets recognized by the client.
>>>
>>> CentOS openssl output pasted - http://fpaste.org/7Hju/
>>> Fedora moznss output pasted - http://fpaste.org/aE19/
>>
>> If you remove TLS_CACERTDIR from /etc/openldap/ldap.conf and then specify
>> olcTLSCACertificateFile: /etc/openldap/cacerts/cacert.pem
>> olcTLSCertificateFile: /etc/openldap/cacerts/ldaprov1.crt
>> olcTLSCertificateKeyFile: /etc/openldap/cacerts/ldaprov1.key
>>
> That is what I have been doing, or trying to do, the whole time. Note the last three lines of the current configuration, as shown below from the CentOS client:
>
> .prod:/etc/openldap/cacerts]# ldapsearch -x -LLL -b cn=config -D cn=admin,cn=config -wtesting123 -H ldap://ldaprov1.prod cn=config
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcConfigFile: /etc/openldap/slapd.conf
> olcConfigDir: /etc/openldap/slapd.d
> olcAllows: bind_v2
> olcArgsFile: /var/run/openldap/slapd.args
> olcAttributeOptions: lang-
> olcAuthzPolicy: none
> olcConcurrency: 0
> olcConnMaxPending: 100
> olcConnMaxPendingAuth: 1000
> olcGentleHUP: FALSE
> olcIdleTimeout: 0
> olcIndexSubstrIfMaxLen: 4
> olcIndexSubstrIfMinLen: 2
> olcIndexSubstrAnyLen: 4
> olcIndexSubstrAnyStep: 2
> olcIndexIntLen: 4
> olcLocalSSF: 71
> olcLogLevel: 9
> olcPidFile: /var/run/openldap/slapd.pid
> olcReadOnly: FALSE
> olcReverseLookup: FALSE
> olcSaslSecProps: noplain,noanonymous
> olcSockbufMaxIncoming: 262143
> olcSockbufMaxIncomingAuth: 16777215
> olcThreads: 16
> olcTLSVerifyClient: never
> olcToolThreads: 1
> olcWriteTimeout: 0
> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
> olcTLSCertificateFile: /etc/ssl/certs/ldaprov1.crt
> olcTLSCertificateKeyFile: /etc/ssl/certs/ldaprov1.key
try starting slapd with -d 1
got the following from the log:
With -d 1 there should be a lot more output than this?
You mean those produced when it starts up?
Yes, and also when it's running - there should be a lot more messages from the TLS related code
startup log here http://fpaste.org/vy7x/
looks like the TLS stuff was truncated. You can just send the output directly to my email address.
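Added example (editor's code, not from the thread, from OpenLDAP or from either poster): the three checks the exchange above keeps circling back to, run offline against a constructed PKI by driving the openssl CLI from Python. It shows what "openssl verify -purpose sslserver -CAfile" does and does not prove (it checks the chain and, with -verify_hostname, the name the client will connect to, but says nothing about which trust store the client or slapd actually consults); that the certificate and key files belong together; and why a CA file in a certificate directory (TLS_CACERTDIR for the client, -CApath for openssl) is only found under the hashed name <subject_hash>.0, which is what the "does not end in [.0] ... skipping" lines above are reporting. It assumes openssl 1.1.1 or later on PATH; the CA and server subjects, file names and scratch directory are constructed for the example, and only the host name ldaprov1.prod is taken from the thread. One caveat on the s_client output quoted above: port 389 speaks plain LDAP until StartTLS is negotiated, so a bare "openssl s_client -connect host:389" is expected to fail at the ClientHello regardless of the server's certificates; OpenSSL 1.1.1 and later have "-starttls ldap" for this, and an ldaps listener (636) can be tested directly.

```python
"""Editor's added example, not code from the thread or from OpenLDAP: the
checks behind olcTLSCACertificateFile / olcTLSCertificateFile /
olcTLSCertificateKeyFile, reproduced offline with the openssl CLI.
Assumes `openssl` (1.1.1+) on PATH. Subjects, file names and the scratch
directory are constructed; only the host name ldaprov1.prod is from the thread."""
import os
import subprocess
import tempfile

# Minimal openssl config so the example does not depend on the system
# openssl.cnf. ca_ext marks the root as a CA; server_ext is a TLS server leaf
# whose subjectAltName is the host the client puts in -H ldap://...
REQ_CNF = """\
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldaprov1.prod
"""


def _openssl(*args):
    """Run one openssl command; return (exit status, stdout, stderr)."""
    p = subprocess.run(["openssl", *args], capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


def _must(*args):
    rc, out, err = _openssl(*args)
    if rc != 0:
        raise RuntimeError("openssl %s failed: %s" % (args[0], err.strip()))
    return out


def make_test_pki(d):
    """Constructed test data: a self-signed root CA, a server certificate for
    ldaprov1.prod issued by it, and an unrelated second CA. Returns paths."""
    p = lambda name: os.path.join(d, name)
    with open(p("req.cnf"), "w") as f:
        f.write(REQ_CNF)
    _must("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
          "-config", p("req.cnf"), "-subj", "/O=Example/CN=Example root CA",
          "-keyout", p("ca.key"), "-out", p("ca.pem"))
    _must("req", "-new", "-newkey", "rsa:2048", "-nodes",
          "-config", p("req.cnf"), "-subj", "/O=Example/CN=ldaprov1.prod",
          "-keyout", p("server.key"), "-out", p("server.csr"))
    _must("x509", "-req", "-days", "2", "-in", p("server.csr"),
          "-CA", p("ca.pem"), "-CAkey", p("ca.key"), "-CAcreateserial",
          "-extfile", p("req.cnf"), "-extensions", "server_ext",
          "-out", p("server.pem"))
    _must("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
          "-config", p("req.cnf"), "-subj", "/O=Other/CN=Unrelated CA",
          "-keyout", p("other.key"), "-out", p("other.pem"))
    return {n: p(n) for n in ("ca.pem", "ca.key", "server.pem", "server.key", "other.pem")}


def chain_ok(ca_file, leaf, hostname=None):
    """What `openssl verify -purpose sslserver -CAfile ca leaf` proves: leaf is
    issued by a CA in ca_file and, if hostname is given, names that host.
    True only when openssl prints 'leaf: OK'."""
    args = ["verify", "-purpose", "sslserver", "-CAfile", ca_file]
    if hostname:
        args += ["-verify_hostname", hostname]
    rc, out, err = _openssl(*args, leaf)
    return ": OK" in out


def chain_ok_with_dir(ca_dir, leaf):
    """The same check against a TLS_CACERTDIR-style directory (-CApath)."""
    rc, out, err = _openssl("verify", "-purpose", "sslserver", "-CApath", ca_dir, leaf)
    return ": OK" in out


def cert_matches_key(cert, key):
    """olcTLSCertificateFile must carry the public half of olcTLSCertificateKeyFile."""
    return _must("x509", "-in", cert, "-noout", "-pubkey") == _must("pkey", "-in", key, "-pubout")


def install_ca_in_dir(ca_file, ca_dir):
    """A CA is only found in a certificate directory under <subject_hash>.0
    (what c_rehash produces and what the 'does not end in [.0]' log lines
    look for); a file called cacert.pem in that directory is never consulted."""
    h = _must("x509", "-in", ca_file, "-noout", "-subject_hash").strip()
    os.makedirs(ca_dir, exist_ok=True)
    dst = os.path.join(ca_dir, h + ".0")
    with open(ca_file) as src, open(dst, "w") as out:
        out.write(src.read())
    return dst


def run_all_checks():
    """Build the constructed PKI in a scratch directory and run every check;
    returns {description: bool} so the expected outcomes can be asserted."""
    with tempfile.TemporaryDirectory() as d:
        f = make_test_pki(d)
        ca_dir = os.path.join(d, "cacerts")
        os.makedirs(ca_dir)
        with open(f["ca.pem"]) as src, open(os.path.join(ca_dir, "cacert.pem"), "w") as out:
            out.write(src.read())  # the unhashed copy the loaders skip
        r = {
            "server chains to its CA": chain_ok(f["ca.pem"], f["server.pem"]),
            "server is valid for ldaprov1.prod": chain_ok(f["ca.pem"], f["server.pem"], "ldaprov1.prod"),
            "server is valid for other.prod": chain_ok(f["ca.pem"], f["server.pem"], "other.prod"),
            "server chains to the unrelated CA": chain_ok(f["other.pem"], f["server.pem"]),
            "server cert matches server key": cert_matches_key(f["server.pem"], f["server.key"]),
            "server cert matches CA key": cert_matches_key(f["server.pem"], f["ca.key"]),
            "CA dir holding only cacert.pem": chain_ok_with_dir(ca_dir, f["server.pem"]),
        }
        install_ca_in_dir(f["ca.pem"], ca_dir)
        r["CA dir holding <hash>.0"] = chain_ok_with_dir(ca_dir, f["server.pem"])
    return r


if __name__ == "__main__":
    for name, ok in run_all_checks().items():
        print("%-36s %s" % (name, "yes" if ok else "no"))
```

The last two entries of run_all_checks() are the point of the thread's "[.0]" messages: the same cacert.pem that passes with -CAfile is invisible in a directory until it is renamed to its subject hash. When a client's ldap.conf carries TLS_CACERTDIR, that directory, hashed names and all, is the trust store that matters for the -8172 / "unknown CA" failures above, whatever cn=config says on the server.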
On 11-08-09 3:37 PM, Rich Megginson wrote:
On 08/09/2011 01:36 PM, Daniel Qian wrote:
On 11-08-09 3:32 PM, Rich Megginson wrote:
On 08/09/2011 01:31 PM, Daniel Qian wrote:
On 11-08-09 2:45 PM, Rich Megginson wrote:
On 08/09/2011 12:43 PM, Daniel Qian wrote:
And this is the log when I did the query:
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
op tag 0x77, time 1312934328
ber_get_next
conn=1000 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
TLS: loaded CA certificate file /etc/ssl/certs/cacert.pem.
TLS: certificate [E=sysadmin@theepicmediagroup.com,CN=ldaprov1.prod,OU=IT,O=Epic Media Group,L=Toronto,ST=Ontario,C=CA] is valid
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
TLS: error: accept - force handshake failure: errno 11 - moznss error -12195
TLS: can't accept: TLS error -12195:Unknown code ___P 93.
connection_read(12): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=12
So it looks like the server picks up the certificate fine (CN=ldaprov1.prod)
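Added example (editor's code, not from the thread, from OpenLDAP or from NSS): decoding the numbers in the two moznss log excerpts in this thread. On the Fedora client (earlier in the thread) the failure was -8172, which is SEC_ERROR_BASE (-8192) + 20 = SEC_ERROR_UNTRUSTED_ISSUER, as Rich says, and the 7 bytes the client then wrote, 15 03 01 00 02 02 30, are a TLS 1.0 alert record: level 2 (fatal), description 0x30 = 48 = unknown_ca. The server log just above ends with -12195, which is SSL_ERROR_BASE (-12288) + 93 = SSL_ERROR_UNKNOWN_CA_ALERT in NSS: slapd loaded its CA file, found its own certificate valid, and then received the peer's fatal unknown_ca alert. Both numbers say the same thing as the CentOS client's "SSL3 alert write:fatal:unknown CA": the client does not trust the issuer of the server certificate, so the client's trust configuration (TLS_CACERTDIR / TLS_CACERT in its ldap.conf) is where to look, not olcTLSCertificateFile. The block decodes either form; its name tables are a hand-picked subset of NSS's secerr.h and sslerr.h as known to the editor, and the sample log lines are copied from this thread.

```python
"""Editor's added example, not code from the thread, OpenLDAP or NSS:
decode the numbers in the moznss log lines quoted above. NSS error numbers
are offsets from SEC_ERROR_BASE (-8192; OpenLDAP prints unknown ones as
'___f N') or SSL_ERROR_BASE (-12288; printed as '___P N'). The name tables
are a hand-picked subset of NSS's secerr.h / sslerr.h; SAMPLE_LOG is
copied from the messages above."""
import re

SEC_ERROR_BASE = -0x2000   # -8192:  "Unknown code ___f N" is SEC_ERROR_BASE + N
SSL_ERROR_BASE = -0x3000   # -12288: "Unknown code ___P N" is SSL_ERROR_BASE + N
NSS_ERROR_RANGE = 1000     # each family spans base .. base + 999

SEC_ERRORS = {
    10: "SEC_ERROR_BAD_SIGNATURE",
    11: "SEC_ERROR_EXPIRED_CERTIFICATE",
    12: "SEC_ERROR_REVOKED_CERTIFICATE",
    13: "SEC_ERROR_UNKNOWN_ISSUER",
    20: "SEC_ERROR_UNTRUSTED_ISSUER",   # the client-side -8172 in the thread
    21: "SEC_ERROR_UNTRUSTED_CERT",
}
SSL_ERRORS = {
    2: "SSL_ERROR_NO_CYPHER_OVERLAP",
    9: "SSL_ERROR_UNSUPPORTED_VERSION",
    12: "SSL_ERROR_BAD_CERT_DOMAIN",
    17: "SSL_ERROR_BAD_CERT_ALERT",
    61: "SSL_ERROR_HANDSHAKE_FAILURE_ALERT",
    93: "SSL_ERROR_UNKNOWN_CA_ALERT",   # the server-side -12195: peer sent unknown_ca
}
# TLS AlertDescription values (RFC 5246 section 7.2), subset
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version",
}


def decode_nss_error(code):
    """Map an NSS error number to (family, offset, name). Numbers outside
    both ranges, e.g. the -11 of 'ldap_start_tls: Connect error (-11)',
    which is OpenLDAP's own LDAP_CONNECT_ERROR, are reported as such."""
    for base, family, names in ((SEC_ERROR_BASE, "SEC", SEC_ERRORS),
                                (SSL_ERROR_BASE, "SSL", SSL_ERRORS)):
        offset = code - base
        if 0 <= offset < NSS_ERROR_RANGE:
            return family, offset, names.get(offset, "not in this table")
    return None, None, "not an NSS SEC/SSL error number"


def decode_tls_alert_record(hex_bytes):
    """Decode a raw TLS record as dumped by tls_write, e.g. the
    '15 03 01 00 02 02 30' the Fedora client wrote before giving up:
    content type 0x15 (alert), protocol version, 2-byte length, then the
    alert level (1 warning, 2 fatal) and the alert description."""
    b = bytes.fromhex(hex_bytes)
    if len(b) < 7 or b[0] != 0x15:
        raise ValueError("not a TLS alert record")
    length = int.from_bytes(b[3:5], "big")
    if length != len(b) - 5:
        raise ValueError("record length %d does not match payload" % length)
    version = "?"
    if b[1] == 3:
        version = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}.get(b[2], "?")
    return {
        "version": version,
        "level": {1: "warning", 2: "fatal"}.get(b[5], str(b[5])),
        "code": b[6],
        "description": ALERT_DESCRIPTIONS.get(b[6], "alert %d" % b[6]),
    }


NSS_CODE_RE = re.compile(r"(?:moznss error|TLS error) (-\d+)")


def explain_log(lines):
    """For every log line carrying an NSS error number, return
    (line, family, offset, name)."""
    found = []
    for line in lines:
        m = NSS_CODE_RE.search(line)
        if m:
            found.append((line.strip(),) + decode_nss_error(int(m.group(1))))
    return found


# Copied from the thread: the client-side failure (Fedora, moznss) and the
# server-side failure (slapd -d 1) of the same StartTLS attempt.
SAMPLE_LOG = [
    "TLS: error: connect - force handshake failure: errno 21 - moznss error -8172",
    "TLS: can't connect: TLS error -8172:Unknown code ___f 20.",
    "TLS: error: accept - force handshake failure: errno 11 - moznss error -12195",
    "TLS: can't accept: TLS error -12195:Unknown code ___P 93.",
]

if __name__ == "__main__":
    for line, family, offset, name in explain_log(SAMPLE_LOG):
        print("%s\n    -> %s error %s: %s" % (line, family, offset, name))
    print(decode_tls_alert_record("15 03 01 00 02 02 30"))
```

Read together, the client's SEC_ERROR_UNTRUSTED_ISSUER, its outgoing fatal unknown_ca alert and the server's SSL_ERROR_UNKNOWN_CA_ALERT are one event seen from both ends; a server that reports only "accept failure" after "certificate ... is valid" has not rejected anything itself.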
On 08/09/2011 02:03 PM, Daniel Qian wrote:
You mean those produced when it starts up?
Yes, and also when it's running - there should be a lot more messages from the TLS related code
and this is the log when I did the query
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
op tag 0x77, time 1312934328
ber_get_next
conn=1000 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
TLS: loaded CA certificate file /etc/ssl/certs/cacert.pem.
TLS: certificate [E=sysadmin@theepicmediagroup.com,CN=ldaprov1.prod,OU=IT,O=Epic Media Group,L=Toronto,ST=Ontario,C=CA] is valid
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
TLS: error: accept - force handshake failure: errno 11 - moznss error -12195
TLS: can't accept: TLS error -12195:Unknown code ___P 93.
connection_read(12): TLS accept failure error=-1 id=1000, closing
connection_close: conn=1000 sd=12
So it looks like the server picks up the certificate fine (CN=ldaprov1.prod)
Error -12195 is SSL_ERROR_UNKNOWN_CA_ALERT - it means the client does not know about or does not trust the CA cert that issued the SSL server cert of the server.
openldap-technical@openldap.org
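The checks the thread works through by hand with openssl x509 (is the CA self-signed, is the server cert issued by that CA, does a client verify the chain, does the key belong to the cert), collected into one POSIX shell function. This is an added example, not code from the thread or from OpenLDAP; the function name, its argument order and the result strings are my own, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): validates the three files behind
# olcTLSCACertificateFile / olcTLSCertificateFile / olcTLSCertificateKeyFile.
# Usage: check_ldap_tls_files CA_PEM SERVER_CRT SERVER_KEY
# Prints "ok" and returns 0, or prints the first failing check and returns 1.
check_ldap_tls_files() {
    ca=$1; crt=$2; key=$3
    # 1. The CA must be self-signed: subject == issuer, exactly what the
    #    "depth: 1, err: 19" line in the thread shows for the root CA.
    ca_subj=$(openssl x509 -noout -subject -in "$ca" | sed 's/^subject= *//')
    ca_iss=$(openssl x509 -noout -issuer -in "$ca" | sed 's/^issuer= *//')
    [ "$ca_subj" = "$ca_iss" ] || { echo "ca-not-self-signed"; return 1; }
    # 2. The server certificate's issuer must be the CA's subject
    #    (the thread compared these two DNs by hand).
    crt_iss=$(openssl x509 -noout -issuer -in "$crt" | sed 's/^issuer= *//')
    [ "$crt_iss" = "$ca_subj" ] || { echo "issuer-mismatch"; return 1; }
    # 3. The signature check a client performs against its CA file; this is
    #    what fails when the client reports "unknown CA" (-12195) on the server.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "verify-failed"; return 1; }
    # 4. The private key must match the certificate's public key, compared
    #    by digest of the PEM public key each one yields.
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt" | openssl md5)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl md5)
    [ "$crt_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
    echo ok
}
```

Run it on the server against the files named in cn=config, and again on each client against the CA file its ldap.conf points at; a "verify-failed" on the client with "ok" on the server is the split seen in this thread.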