I have two machines. On the first there is no problem in connecting to the LDAP server (IBM directory server). The first machine is RedHat RHEL5 Client, the second is Ubuntu karmic 9.10.
First machine looks like this:
<root@trog /etc/openldap># uname -a
Linux trog.krakow.pl.ibm.com 2.6.30 #1 SMP Fri Jun 26 08:44:06 CEST 2009 i686 i686 i386 GNU/Linux
<root@trog /etc/openldap># rpm -qa |grep ldap
python-ldap-2.2.0-2.1
openldap-2.3.43-3.el5
openldap-devel-2.3.43-3.el5
nss_ldap-253-21.el5
mozldap-6.0.5-1.el5
openldap-clients-2.3.43-3.el5
openldap-compat-2.1.30-1.oc2
<root@trog /etc/openldap># cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERT /etc/openldap/cacerts/bp.cert
On the second the configuration is:
root@xwing:/etc/ldap# uname -a
Linux xwing 2.6.31-server #1 SMP Thu Oct 1 11:55:18 CEST 2009 i686 GNU/Linux
root@xwing:/etc/ldap# dpkg -l |grep ldap
ii ldap-utils 2.4.15-1ubuntu3 OpenLDAP utilities
ii libldap-2.4-2 2.4.15-1ubuntu3 OpenLDAP libraries
root@xwing:/etc/ldap# cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERT /etc/ldap/cacerts/bp.cert
When I start the ldapsearch on the second machine, I get the error:
root@xwing:/etc/ldap# ldapsearch -d5 -x -H ldaps://myldapserver.com
ldap_url_parse_ext(ldaps://myldapserver.com)
ldap_create
ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myldapserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
What is more... when using ldap:// instead of ldaps:// on the second machine everything works perfectly, but since it's not a secured connection I cannot accept that solution.
The ldapsearch works fine on the first machine for both secure and insecure connections.
Can anyone help?
-- Tomasz 'Trog' Welman Software Developer external: 48-12-628-9449 ITN: 34819449 T/L: 9449
IBM SWG Lab, Krakow, Poland IBM Polska Sp. z o.o. oddział w Krakowie ul. Armii Krajowej 18 30 -150 Kraków NIP: 526-030-07-24, KRS 0000012941 Kapitał zakładowy: 33.000.000 PLN
--On Monday, November 09, 2009 1:08 PM +0100 Tomasz Welman tomasz.welman@pl.ibm.com wrote:
> I have two machines. On the first there is no problem in connecting to the LDAP server (IBM directory server). The first machine is RedHat RHEL5 Client, the second is Ubuntu karmic 9.10.
>
> root@xwing:/etc/ldap# uname -a
> Linux xwing 2.6.31-server #1 SMP Thu Oct 1 11:55:18 CEST 2009 i686 GNU/Linux
> root@xwing:/etc/ldap# dpkg -l |grep ldap
> ii ldap-utils 2.4.15-1ubuntu3 OpenLDAP utilities
> ii libldap-2.4-2 2.4.15-1ubuntu3 OpenLDAP libraries
> root@xwing:/etc/ldap# cat ldap.conf
Note that the second machine is using GnuTLS instead of OpenSSL, since it is Debian based. There have been a number of fixes to OpenLDAP for GnuTLS support since 2.4.15:
OpenLDAP 2.4.16 Release (2009/04/05)
    Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
    Fixed libldap GnuTLS with CA chains (ITS#5991)
    Fixed libldap GnuTLS TLSVerifyClient try (ITS#5981)

OpenLDAP 2.4.17 Release (2009/07/13)
    Fixed libldap GnuTLS private key init (ITS#6053)
If you want to use a GnuTLS based version of OpenLDAP, I suggest you build a newer release.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount quanah@zimbra.com wrote on 11/09/2009 05:04:27 PM:
> --On Monday, November 09, 2009 1:08 PM +0100 Tomasz Welman tomasz.welman@pl.ibm.com wrote:
>
> > I have two machines. On the first there is no problem in connecting to the LDAP server (IBM directory server). The first machine is RedHat RHEL5 Client, the second is Ubuntu karmic 9.10.
> >
> > root@xwing:/etc/ldap# uname -a
> > Linux xwing 2.6.31-server #1 SMP Thu Oct 1 11:55:18 CEST 2009 i686 GNU/Linux
> > root@xwing:/etc/ldap# dpkg -l |grep ldap
> > ii ldap-utils 2.4.15-1ubuntu3 OpenLDAP utilities
> > ii libldap-2.4-2 2.4.15-1ubuntu3 OpenLDAP libraries
> > root@xwing:/etc/ldap# cat ldap.conf
>
> Note that the second machine is using GnuTLS instead of OpenSSL, since it is Debian based. There have been a number of fixes to OpenLDAP for GnuTLS support since 2.4.15:
>
> OpenLDAP 2.4.16 Release (2009/04/05)
>     Fixed libldap GnuTLS with x509v1 CA certs (ITS#5992)
>     Fixed libldap GnuTLS with CA chains (ITS#5991)
>     Fixed libldap GnuTLS TLSVerifyClient try (ITS#5981)
>
> OpenLDAP 2.4.17 Release (2009/07/13)
>     Fixed libldap GnuTLS private key init (ITS#6053)
>
> If you want to use a GnuTLS based version of OpenLDAP, I suggest you build a newer release.
I have a third machine with the same configuration, with the exception that it is upgraded to Ubuntu Karmic (sorry, earlier I said the 2nd was karmic but it's jaunty), so the LDAP versions are:
root@darthvader:/etc/ldap# dpkg -l |grep ldap
rc ldap-auth-config 0.5.2 Config package for LDAP authentication
ii ldap-utils 2.4.18-0ubuntu1 OpenLDAP utilities
ii libaprutil1-ldap 1.3.9+dfsg-1ubuntu1 The Apache Portable Runtime Utility Library -
ii libldap-2.4-2 2.4.18-0ubuntu1 OpenLDAP libraries

and the TLS:

root@darthvader:/etc/ldap# dpkg -l |grep tls
ii libcurl3-gnutls 7.19.5-1ubuntu2 Multi-protocol file transfer library (GnuTLS)
ii libgnutls26 2.8.3-2 the GNU TLS library - runtime library
ii libneon27-gnutls 0.28.6-1 An HTTP and WebDAV client library (GnuTLS enab
The problem is exactly the same as on the second machine:
root@darthvader:/etc/ldap# ldapsearch -d5 -x -H ldaps://myldapserver.com
ldap_url_parse_ext(ldaps://myldapserver.com)
ldap_create
ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP myldapserver.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Of course the insecure connection works perfectly.
Any suggestions?
-- Tomasz 'Trog' Welman Software Developer external: 48-12-628-9449 ITN: 34819449 T/L: 9449
Hi,
2009/11/10 Tomasz Welman tomasz.welman@pl.ibm.com:
> I have a third machine with the same configuration, with the exception that it is upgraded to Ubuntu Karmic (sorry, earlier I said the 2nd was karmic but it's jaunty), so the LDAP versions are:
>
> The problem is exactly the same as on the second machine:
>
> root@darthvader:/etc/ldap# ldapsearch -d5 -x -H ldaps://myldapserver.com
> ldap_url_parse_ext(ldaps://myldapserver.com)
> ldap_create
> ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP myldapserver.com:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 9.17.186.253:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Any suggestions?
Could you provide the debugging information outlined on the DebuggingOpenldap wiki page:
https://wiki.ubuntu.com/DebuggingOpenldap
Thanks,
openldap-technical-bounces+tomasz.welman=pl.ibm.com@openldap.org wrote on 11/11/2009 01:51:53 AM:
> Hi,
>
> 2009/11/10 Tomasz Welman tomasz.welman@pl.ibm.com:
> > I have a third machine with the same configuration, with the exception that it is upgraded to Ubuntu Karmic (sorry, earlier I said the 2nd was karmic but it's jaunty), so the LDAP versions are:
> >
> > The problem is exactly the same as on the second machine:
> >
> > root@darthvader:/etc/ldap# ldapsearch -d5 -x -H ldaps://myldapserver.com
> > ldap_url_parse_ext(ldaps://myldapserver.com)
> > ldap_create
> > ldap_url_parse_ext(ldaps://myldapserver.com:636/??base)
> > ldap_sasl_bind
> > ldap_send_initial_request
> > ldap_new_connection 1 1 0
> > ldap_int_open_connection
> > ldap_connect_to_host: TCP myldapserver.com:636
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying 9.17.186.253:636
> > ldap_pvt_connect: fd: 3 tm: -1 async: 0
> > ldap_err2string
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> >
> > Any suggestions?
>
> Could you provide the debugging information outlined on the DebuggingOpenldap wiki page:
Here is the debug info requested:
[root@darthvader ~]# cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERT /etc/ldap/cacerts/bp.cert
[root@darthvader ~]# cat /etc/ldap/cacerts/bp.cert
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

[root@darthvader ~]# ldapsearch -d 7 -H ldaps://bluepages.ibm.com
ldap_url_parse_ext(ldaps://bluepages.ibm.com)
ldap_create
ldap_url_parse_ext(ldaps://bluepages.ibm.com:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP bluepages.ibm.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 9.17.186.253:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
tls_write: want=81, written=81
[...]
tls_read: want=5, got=5
[...]
tls_read: want=3249, got=3249
[...]
tls_write: want=139, written=139
[...]
tls_write: want=6, written=6
[...]
tls_write: want=69, written=69
[...]
tls_read: want=5, got=5
[...]
tls_read: want=1, got=1
[...]
tls_read: want=5, got=5
[...]
tls_read: want=32, got=32
[...]
TLS: can't connect: Decryption has failed..
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
The gnutls-cli I've launched 3 times and the error messages differ, look:
[root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
Processed 1 CA certificate(s).
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.
[root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
Processed 1 CA certificate(s).
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.
[root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
Processed 1 CA certificate(s).
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
*** Fatal error: Decryption has failed.
*** Handshake has failed
GNUTLS ERROR: Decryption has failed.

[root@darthvader ~]# dpkg-query -W -f='${Package} ${Version} ${Source} ${Status}\n' | egrep 'slapd|ldap|gnutls'
gnutls-bin 2.8.3-2 gnutls26 install ok installed
ldap-auth-config 0.5.2 ldap-auth-client deinstall ok config-files
ldap-utils 2.4.18-0ubuntu1 openldap install ok installed
libaprutil1-ldap 1.3.9+dfsg-1ubuntu1 apr-util install ok installed
libcurl3-gnutls 7.19.5-1ubuntu2 curl install ok installed
libgnutls26 2.8.3-2 gnutls26 install ok installed
libldap-2.4-2 2.4.18-0ubuntu1 openldap install ok installed
libneon27-gnutls 0.28.6-1 neon27 install ok installed
Let me know if you need more information.
-- Tomasz 'Trog' Welman Software Developer external: 48-12-628-9449 ITN: 34819449 T/L: 9449
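The `-d 7` trace in the message above interleaves libldap calls with a hex dump of every TLS read and write. As an added example (not part of the thread; the trace bytes are constructed and the function names are hypothetical), this Python script reassembles such dumps into TLS records so the point where the handshake stops is visible:

```python
import re

# Constructed trace in the layout `ldapsearch -d 7` prints. The bytes are made
# up for this example; they are not the ones posted in the thread.
SAMPLE_TRACE = """\
tls_write: want=14, written=14
  0000:  16 03 02 00 09 01 00 00  05 03 02 20 61 62         ........... ab
tls_read: want=5, got=5
  0000:  16 03 01 00 0a                                     .....
tls_read: want=10, got=10
  0000:  02 00 00 02 03 01 0e 00  00 00                     ..........
tls_write: want=6, written=6
  0000:  14 03 01 00 01 01                                  ......
tls_write: want=21, written=21
  0000:  16 03 01 00 10 9a ef 3e  bc a0 09 eb 5e 2e 78 83   .......>....^.x.
  0010:  00 fd e1 cb 48                                     ....H
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
  0000:  01                                                 .
tls_read: want=5, got=5
  0000:  15 03 01 00 10                                     .....
tls_read: want=16, got=16
  0000:  a5 3c 60 d3 49 b3 0a 47  a5 65 9b 45 bd ba 44 84   .<`.I..G.e.E..D.
TLS: can't connect: Decryption has failed..
"""

IO_RE = re.compile(r"^tls_(write|read): want=\d+, (?:written|got)=(\d+)")
ROW_RE = re.compile(r"^\s*[0-9a-f]{4}:\s+(.*)$")
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 14: "server_hello_done",
             16: "client_key_exchange", 20: "finished"}
VERSION = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def io_blocks(trace):
    """Return [(sender, bytes)] for each tls_write (client) / tls_read (server)."""
    blocks, remaining = [], 0
    for line in trace.splitlines():
        head, row = IO_RE.match(line), ROW_RE.match(line)
        if head:
            sender = "client" if head.group(1) == "write" else "server"
            remaining = int(head.group(2))
            blocks.append((sender, bytearray()))
        elif row and remaining > 0:
            # Take only as many tokens as the byte count allows, so text in the
            # ASCII column that looks like hex ("ab") is never read as data.
            take = min(16, remaining)
            blocks[-1][1].extend(int(tok, 16) for tok in row.group(1).split()[:take])
            remaining -= take
    return [(sender, bytes(data)) for sender, data in blocks]


def tls_records(trace):
    """Reassemble each direction's byte stream and split it into TLS records."""
    stream = {"client": bytearray(), "server": bytearray()}
    encrypted = {"client": False, "server": False}
    records = []
    for sender, data in io_blocks(trace):
        buf = stream[sender]
        buf += data
        while len(buf) >= 5:
            ctype, length = buf[0], int.from_bytes(buf[3:5], "big")
            if len(buf) < 5 + length:
                break  # header was read on its own; the body is in a later block
            body = bytes(buf[5:5 + length])
            version = VERSION.get((buf[1], buf[2]), f"{buf[1]}.{buf[2]}")
            del buf[:5 + length]
            messages, off = [], 0
            # Before ChangeCipherSpec a handshake record is readable and may
            # carry several messages; afterwards the body is ciphertext.
            while ctype == 22 and not encrypted[sender] and off + 4 <= len(body):
                messages.append(HANDSHAKE.get(body[off], f"type_{body[off]}"))
                off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
            records.append({"from": sender, "type": CONTENT.get(ctype, f"type_{ctype}"),
                            "version": version, "length": length,
                            "encrypted": encrypted[sender], "messages": messages})
            if ctype == 20:
                encrypted[sender] = True
    return records


def failure_point(records):
    """Describe the last complete record, where reading a failed handshake starts."""
    if not records:
        return "no complete TLS record in trace"
    last = records[-1]
    state = "encrypted" if last["encrypted"] else "plaintext"
    return (f"last record: {state} {last['type']} from {last['from']} "
            f"({last['version']}, {last['length']} bytes)")


if __name__ == "__main__":
    for rec in tls_records(SAMPLE_TRACE):
        print(rec["from"], rec["version"], rec["type"], rec["length"], rec["messages"])
    print(failure_point(tls_records(SAMPLE_TRACE)))
```

Run against a saved trace, the record list shows which side sent the last record and whether it came before or after ChangeCipherSpec, which separates a negotiation failure from a failure on the first encrypted records.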
On Thu, Nov 12, 2009 at 09:17:12AM +0100, Tomasz Welman wrote:
> [...]
> TLS: can't connect: Decryption has failed..
> ldap_err2string
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>
> The gnutls-cli I've launched 3 times and the error messages differ, look:
>
> [root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
> Processed 1 CA certificate(s).
> Resolving 'bluepages.ibm.com'...
> Connecting to '9.17.186.253:636'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.
> [root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
> Processed 1 CA certificate(s).
> Resolving 'bluepages.ibm.com'...
> Connecting to '9.17.186.253:636'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.
> [root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
> Processed 1 CA certificate(s).
> Resolving 'bluepages.ibm.com'...
> Connecting to '9.17.186.253:636'...
> *** Fatal error: Decryption has failed.
> *** Handshake has failed
> GNUTLS ERROR: Decryption has failed.
Seems like there is an error with the gnutls library rather than openldap. Could you try to connect to the server with openssl s_client instead of gnutls-cli?
Mathias Gug mathiaz@ubuntu.com wrote on 11/12/2009 06:13:29 PM:
> On Thu, Nov 12, 2009 at 09:17:12AM +0100, Tomasz Welman wrote:
> > [...]
> > TLS: can't connect: Decryption has failed..
> > ldap_err2string
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> >
> > The gnutls-cli I've launched 3 times and the error messages differ, look:
> >
> > [root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
> > Processed 1 CA certificate(s).
> > Resolving 'bluepages.ibm.com'...
> > Connecting to '9.17.186.253:636'...
> > *** Fatal error: A TLS packet with unexpected length was received.
> > *** Handshake has failed
> > GNUTLS ERROR: A TLS packet with unexpected length was received.
> > [root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
> > Processed 1 CA certificate(s).
> > Resolving 'bluepages.ibm.com'...
> > Connecting to '9.17.186.253:636'...
> > *** Fatal error: A TLS packet with unexpected length was received.
> > *** Handshake has failed
> > GNUTLS ERROR: A TLS packet with unexpected length was received.
> > [root@darthvader ~]# gnutls-cli --x509cafile /etc/ldap/cacerts/bp.cert -p 636 bluepages.ibm.com
> > Processed 1 CA certificate(s).
> > Resolving 'bluepages.ibm.com'...
> > Connecting to '9.17.186.253:636'...
> > *** Fatal error: Decryption has failed.
> > *** Handshake has failed
> > GNUTLS ERROR: Decryption has failed.
>
> Seems like there is an error with the gnutls library rather than openldap. Could you try to connect to the server with openssl s_client instead of gnutls-cli?
I did it in order to get this bp.cert. It's working perfectly.
What should I do now?
-- Tomasz 'Trog' Welman Software Developer external: 48-12-628-9449 ITN: 34819449 T/L: 9449