Hi,
I am trying to configure OpenLDAP to work with TLS, but I have two questions about this. First, when I use TLS, OpenLDAP uses port 389 and SSL uses port 639, is this correct? Second, how can I test the connection between client and server, that the cryptography is working?
Thanks.
This is a very good doc that provides the explanation and examples that you need: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
On Tue, Dec 8, 2009 at 10:36 PM, Bruno Steven aspenbr@gmail.com wrote:
Hi,
I am trying to configure OpenLDAP to work with TLS, but I have two questions about this. First, when I use TLS, OpenLDAP uses port 389 and SSL uses port 639, is this correct? Second, how can I test the connection between client and server, that the cryptography is working?
Thanks.
-- Bruno Steven - Systems administrator. LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4 https://www.lpi.org/caf/Xamman/certification
MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100 https://mcp.microsoft.com/authenticate/validatemcp.aspx
Before printing this message, think about your ecological responsibility and environmental commitment.
That document is considered obsolete. Please read http://www.openldap.org/doc/admin24/tls.html and http://www.openldap.org/faq/data/cache/185.html instead.
Matt
On Wed, Dec 9, 2009 at 12:32 AM, Tony G. tonysk8@gmx.net wrote:
This is a very good doc that provides the explanation and examples that you need: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
-- Tony
Bruno Steven aspenbr@gmail.com writes:
Hi,
I am trying to configure OpenLDAP to work with TLS, but I have two questions about this. First, when I use TLS, OpenLDAP uses port 389 and SSL uses port 639, is this correct? Second, how can I test the connection between client and server, that the cryptography is working?
There is no SSL port! SSL (Secure Socket Layer) is a proprietary, licence-based protocol, owned by Netscape? I don't know whether the IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP, and most other network-based applications, have implemented Transport Layer Security (TLS), RFC 2246. As an LPI certified professional you should be aware of this. OpenLDAP uses port 639, which has not been assigned by IANA to the LDAP(S) protocol, as the TLS-enabled port. Port 389 is still required for the LDAP extended operation StartTLS (RFC 4513). You may test your TLS session with:
openssl s_client -connect localhost:639 -CAfile <file>
Unfortunately openssl is not able to initiate an ldap_starttls session on port 389.
-Dieter
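Dieter's point that openssl s_client cannot start a TLS session on the plain LDAP port can be covered with a few lines that speak just enough LDAP to send the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511/4513) and then hand the socket to the TLS library with certificate verification on. The script below is an added example, not code from this thread or from OpenLDAP; the host, CA file and the assumption that the server's reply arrives in one read are mine, and the ldaps port (636 in the IANA registry) is the case openssl s_client already handles directly.

```python
import socket
import ssl

# OID of the LDAP StartTLS extended operation (RFC 4511 / RFC 4513)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _tlv(tag, payload):
    """Encode one BER tag-length-value; short-form length is enough for these payloads."""
    return bytes([tag, len(payload)]) + payload


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext)


def parse_result_code(resp):
    """Return resultCode of an ExtendedResponse [APPLICATION 24]; 0 means StartTLS accepted."""
    tag, msg, _ = _read_tlv(resp, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)              # skip messageID
    tag, ext, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _read_tlv(ext, 0)           # resultCode is an ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return code[0]


def check_starttls(host, port=389, cafile=None):
    """Send StartTLS on the plain port, then upgrade; verification failure raises ssl.SSLError."""
    ctx = ssl.create_default_context(cafile=cafile)    # hostname and chain checks stay on
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))      # assumption: reply fits in one read
        if code != 0:
            return "StartTLS refused, resultCode=%d" % code
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "%s %s" % (tls.version(), tls.cipher()[0])
```

A call such as check_starttls("ldap.example.com", cafile="/path/to/cacert.pem") (placeholder values) returns the negotiated protocol and cipher only if the server accepted StartTLS and presented a certificate that chains to the given CA and matches the host name.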
Dieter Kluenter wrote:
There is no SSL port! SSL (Secure Socket Layer) is a proprietary, licence-based protocol, owned by Netscape? I don't know whether the IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP, and most other network-based applications, have implemented Transport Layer Security (TLS), RFC 2246. As an LPI certified professional you should be aware of this.
[citation needed]
OpenLDAP uses port 639, which has not been assigned by IANA to the LDAP(S) protocol, as the TLS-enabled port. Port 389 is still required for the LDAP extended operation StartTLS (RFC 4513).
# getent services ldaps
ldaps                 636/tcp
In my experience, OpenLDAP has no problems listening on port 636 as an SSL-enabled port. TLS (using STARTTLS) runs on 389.
- Bjørn
--On Wednesday, December 09, 2009 8:53 PM +0100 Dieter Kluenter dieter@dkluenter.de wrote:
There is no SSL port! SSL (Secure Socket Layer) is a proprietary, licence-based protocol, owned by Netscape? I don't know whether the IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP, and most other network-based applications, have implemented Transport Layer Security (TLS), RFC 2246. As an LPI certified professional you should be aware of this. OpenLDAP uses port 639, which has not been assigned by IANA to the LDAP(S)
636?
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount quanah@zimbra.com writes:
--On Wednesday, December 09, 2009 8:53 PM +0100 Dieter Kluenter dieter@dkluenter.de wrote:
There is no SSL port! SSL (Secure Socket Layer) is a proprietary, licence-based protocol, owned by Netscape? I don't know whether the IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP, and most other network-based applications, have implemented Transport Layer Security (TLS), RFC 2246. As an LPI certified professional you should be aware of this. OpenLDAP uses port 639, which has not been assigned by IANA to the LDAP(S)
636?
Oops, my usual typo.
-Dieter
Dieter Kluenter wrote:
There is no SSL port! SSL (Secure Socket Layer) is a proprietary, licence-based protocol, owned by Netscape? I don't know whether the IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP, and most other network-based applications, have implemented Transport Layer Security (TLS), RFC 2246. As an LPI certified professional you should be aware of this.
Sorry Dieter, don't mess things up. Your comment is at least strongly misleading: e.g. OpenSSL (also libnss) certainly implements SSLv3 (and even the insecure SSLv2), and you can use that to connect to third-party LDAP servers with the OpenLDAP client libs or to connect to OpenLDAP servers.
OpenLDAP uses port 639,
nb2:~ # grep ldaps /etc/services
ldaps           636/tcp    # ldap protocol over TLS/SSL (was sldap)
ldaps           636/udp    # ldap protocol over TLS/SSL (was sldap)
You may test your TLS session with: openssl s_client -connect localhost:639 -CAfile <file>
^ 636, if slapd was started with -h "ldaps://"
Ciao, Michael.
Before anything else, I want to thank everybody for answering my questions. I have been trying to start the LDAP service with TLS/SSL, but when I start slapd (slapd -d127 -h "ldaps:///") it shows the message below:
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
TLS: can't accept.
connection_read(12): TLS accept failure error=-1 id=4, closing
connection_closing: readying conn=4 sd=12 for close
connection_close: conn=4 sd=12
daemon: removing 12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener(ldaps:///)
daemon: listen=8, new connection on 12
daemon: added 12r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
I did a test of the SSL connection:
openssl s_client -connect localhost:636 -state -CAfile /etc/openldap/chaves/cacert.pem -key /etc/openldap/chaves/serverkey.pem -cert /etc/openldap/chaves/servercrt.pem
Result
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
verify return:1
depth=0 /C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
   i:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
 1 s:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
   i:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
---
Server certificate
subject=/C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
issuer=/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=bruno@ainfra.net
---
No client certificate CA names sent
---
SSL handshake has read 1651 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: BC50DC3AD20A932A59FF109F33C6703632CDBB32A4BFF29C3A716119083B8044
    Session-ID-ctx:
    Master-Key: DC38E06060E9473E21B043743718B690EFA4CA50AEE53CA6C7026741F2C026C5058366CF0DC7798DA395D47BCD7E747B
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1260541294
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
For me this is OK!!!
How should I resolve this problem?
2009/12/10 Michael Ströder michael@stroeder.com
Dieter Kluenter wrote:
There is no SSL port! SSL (Secure Socket Layer) is a proprietary, licence-based protocol, owned by Netscape? I don't know whether the IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP, and most other network-based applications, have implemented Transport Layer Security (TLS), RFC 2246. As an LPI certified professional you should be aware of this.
Sorry Dieter, don't mess things up. Your comment is at least strongly misleading: e.g. OpenSSL (also libnss) certainly implements SSLv3 (and even the insecure SSLv2), and you can use that to connect to third-party LDAP servers with the OpenLDAP client libs or to connect to OpenLDAP servers.
OpenLDAP uses port 639,
nb2:~ # grep ldaps /etc/services
ldaps           636/tcp    # ldap protocol over TLS/SSL (was sldap)
ldaps           636/udp    # ldap protocol over TLS/SSL (was sldap)
You may test your TLS session with: openssl s_client -connect localhost:639 -CAfile <file>
^ 636, if slapd was started with -h "ldaps://"
Ciao, Michael.
Bruno Steven aspenbr@gmail.com writes:
Before anything else, I want to thank everybody for answering my questions. I have been trying to start the LDAP service with TLS/SSL, but when I start slapd (slapd -d127 -h "ldaps:///") it shows the message below:
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
TLS: can't accept. connection_read(12): TLS accept failure error=-1 id=4, closing
[...]
That is hard to tell due to lack of information. Please provide the TLS related configuration parameters of slapd-config(5) and ldap.conf(5), and please describe the way you created the certificates.
-Dieter
Michael Ströder michael@stroeder.com writes:
Dieter Kluenter wrote:
There is no SSL port! SSL (Secure Socket Layer) is a proprietary, licence-based protocol, owned by Netscape? I don't know whether the IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP, and most other network-based applications, have implemented Transport Layer Security (TLS), RFC 2246. As an LPI certified professional you should be aware of this.
Sorry Dieter, don't mess things up. Your comment is at least strongly misleading: e.g. OpenSSL (also libnss) certainly implements SSLv3 (and even the insecure SSLv2), and you can use that to connect to third-party LDAP servers with the OpenLDAP client libs or to connect to OpenLDAP servers.
Right you are: a client defines the protocol required in the client hello, which can be either SSLv3 or TLSv1 (SSLv2 is deprecated); AFAIK OpenLDAP reports TLSv1 in the server hello. In the last few years I haven't seen any client or server that submits SSLv3 in the hello.
-Dieter
openldap-technical@openldap.org