Bug#381788: [Pkg-openldap-devel] Bug#381788: slapd: TLS connections fail when running as non-root
Berg, Michael
michaeljberg at gmail.com
Tue Aug 8 01:38:06 UTC 2006
>> And just for completeness, here are the contents of my ldap.conf file
>> ==========
>> BASE dc=mydomain,dc=dyndns,dc=org
>> URI ldap://ldap.mydomain.dyndns.org
>> TLS_CIPHER_SUITE HIGH:!ADH
>> TLS_CACERT /etc/ssl/certs/mydomain.dyndns.org_CA.pem
>> TLS_REQCERT demand
>> TLS_CRLCHECK none
>> ==========
>>
> This is the complete content of ldap.conf on the clients?
Those are the only uncommented lines in my ldap.conf files.
>> I even tried purging slapd, reinstalling it, and re-populating it from scratch
>> (I didn't just reload a DB backup).
>>
>> The fresh install worked fine as non-root until a reboot - at which point the
>> problem described above returned and TLS connections fail.
>>
> That's strange.
I thought so too.
> Can you please send the output of: ldapsearch -x -ZZ -d 7
Output is attached.
-------------- next part --------------
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.misumasu.dyndns.org:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.30.1.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result ld 0x5101e0 msgid 1
ldap_chkResponseList ld 0x5101e0 msgid 1 all 1
ldap_chkResponseList returns ld 0x5101e0 NULL
wait4msg ld 0x5101e0 msgid 1 (infinite timeout)
wait4msg continue ld 0x5101e0 msgid 1 all 1
** ld 0x5101e0 Connections:
* host: ldap.misumasu.dyndns.org port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Aug 7 19:31:48 2006
** ld 0x5101e0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x5101e0 Response Queue:
Empty
ldap_chkResponseList ld 0x5101e0 msgid 1 all 1
ldap_chkResponseList returns ld 0x5101e0 NULL
ldap_int_select
read1msg: ld 0x5101e0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 78 07 0a 0....x..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x5101e0 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x5101e0 0 new referrals
read1msg: mark request completed, ld 0x5101e0 msgid 1
request done: ld 0x5101e0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
tls_write: want=118, written=118
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 00 4a 02 00 ....J..
tls_read: want=72, got=72
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 06 28 ....(
tls_read: want=1576, got=1576
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=misumasu/OU=Certificate Authority/L=Albuquerque/ST=New Mexico/CN=misumasu.dyndns.org, issuer: /C=US/O=misumasu/OU=Certificate Authority/L=Albuquerque/ST=New Mexico/CN=misumasu.dyndns.org
TLS certificate verification: depth: 0, err: 0, subject: /C=US/O=misumasu/OU=LDAP Server/L=Albuquerque/ST=New Mexico/CN=ldap.misumasu.dyndns.org, issuer: /C=US/O=misumasu/OU=Certificate Authority/L=Albuquerque/ST=New Mexico/CN=misumasu.dyndns.org
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
0000: 16 03 01 00 9c .....
tls_read: want=156, got=156
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
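An added triage helper (example code written for this page, not part of OpenLDAP or of the bug report) that reads a `ldapsearch -d 7` trace like the one attached above and reports how far the STARTTLS handshake got: whether the server chain verified, whether the server asked for a client certificate, which state the client failed in, and what the server's alert record decodes to. `SAMPLE_TRACE` is a constructed excerpt with placeholder host names; the alert bytes `02 28` are the ones in the attached output (level 2 = fatal, description 40 = handshake_failure).

```python
import re

# Constructed excerpt of an `ldapsearch -x -ZZ -d 7` trace, modelled on the attached one.
SAMPLE_TRACE = """\
TLS certificate verification: depth: 0, err: 0, subject: /CN=ldap.example.test, issuer: /CN=example-ca
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 write client certificate A
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL_connect:failed in SSLv3 read finished A
"""

STATE = re.compile(r"^TLS trace: SSL_connect:(.*)$")
VERIFY = re.compile(r"^TLS certificate verification: depth: \d+, err: (\d+),")
READ = re.compile(r"^tls_read: want=\d+, got=(\d+)")
HEXLINE = re.compile(r"^[0-9a-f]{4}: ((?:[0-9a-f]{2} )+)")
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}


def triage(trace):
    """Summarise how far the STARTTLS handshake got and decode any alert the server sent."""
    states, verify_errs, reads, pending = [], [], [], None
    for line in trace.splitlines():
        if m := STATE.match(line):
            states.append(m.group(1))
        elif m := VERIFY.match(line):
            verify_errs.append(int(m.group(1)))
        elif m := READ.match(line):
            pending = (int(m.group(1)), bytearray())  # bytes announced, bytes collected so far
        elif pending and (m := HEXLINE.match(line)):
            # Take only the announced byte count so the ASCII column can never be misread as hex.
            pending[1].extend(int(t, 16) for t in m.group(1).split()[: pending[0] - len(pending[1])])
            if len(pending[1]) >= pending[0]:
                reads.append(bytes(pending[1]))
                pending = None
    alerts = []
    for hdr, body in zip(reads, reads[1:]):
        # A 5-byte record header with content type 0x15 is an alert; its 2-byte body is (level, description).
        if len(hdr) == 5 and hdr[0] == 0x15 and len(body) == 2:
            alerts.append((ALERT_LEVEL.get(body[0], str(body[0])), ALERT_DESC.get(body[1], str(body[1]))))
    failed = [s[len("failed in "):] for s in states if s.startswith("failed in ")]
    return {
        "server_chain_verified": bool(verify_errs) and all(e == 0 for e in verify_errs),
        "client_cert_requested": any("read server certificate request" in s for s in states),
        "client_cert_sent": any("write client certificate" in s for s in states),
        "failed_in": failed[0] if failed else None,
        "alerts": alerts,
    }
```

Running `triage(SAMPLE_TRACE)` shows the server chain verified cleanly and the failure only appears after the client-certificate step, which is what to check first (key and certificate readability for the unprivileged user, CA configuration on the server) before suspecting the server certificate itself.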