[Pkg-openldap-devel] Bug#412706: slapd: Connecting with Client certificates fails when _not_ run with -d2
Tim Dijkstra (tdykstra)
tim at famdijkstra.org
Tue Feb 27 15:18:11 UTC 2007
Package: slapd
Version: 2.3.30-4
Severity: important
I'm trying to get my clients to authenticate with Certificates. When
I set 'TLSVerifyClient try' the connection 'hangs' during the setup
phase of the secure connection.
The funny thing is that running slapd from a terminal with -d-1
makes it all work brilliantly. I first thought this was related to
the fact that it will not detach and runs as root, but then I found
out that the behaviour was dependent on the debug level. Only
if I include '2 -- debug packet handling' in the loglevel can I
successfully authenticate with Certificates.
Because the debug output is so different when adding '2', it is hard to
compare logfiles. I grepped for 'TLS' to clean it up a bit. It seems
already early in the negotiation something goes wrong.
Loglevel 1 (fail):
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B
Loglevel 3 (success):
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS certificate verification: depth: 1, err: 0, subject: <CN of certificate issuer>
TLS certificate verification: depth: 0, err: 0, subject: <CN of certificate holder>
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:warning:close notify
TLS trace: SSL3 alert write:warning:close notify
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.13.1
Locale: LANG=nl_NL, LC_CTYPE=nl_NL (charmap=UTF-8) (ignored: LC_ALL set to nl_NL.utf8)
Versions of packages slapd depends on:
ii adduser 3.102 Add and remove users and groups
ii coreutils 5.97-5 The GNU core utilities
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-11 GNU C Library: Shared libraries
ii libdb4.2 4.2.52+dfsg-1 Berkeley v4.2 Database Libraries [
ii libiodbc2 3.52.4-3 iODBC Driver Manager
ii libldap-2.3-0 2.3.30-4 OpenLDAP libraries
ii libltdl3 1.5.22-4 A system independent dlopen wrappe
ii libperl5.8 5.8.8-7 Shared Perl library
ii libsasl2-2 2.1.22.dfsg1-8 Authentication abstraction library
ii libslp1 1.2.1-6 OpenSLP libraries
ii libssl0.9.8 0.9.8c-4 SSL shared libraries
ii libwrap0 7.6.dbs-12 Wietse Venema's TCP wrappers libra
ii perl [libmime-base64-perl 5.8.8-7 Larry Wall's Practical Extraction
ii psmisc 22.3-1 Utilities that use the proc filesy
Versions of packages slapd recommends:
pn libsasl2-modules <none> (no description available)
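To make the two grepped traces above directly comparable, here is an added example (not code from the bug report, OpenLDAP or Debian) that parses slapd's "TLS trace: SSL_accept:" lines, reports the last handshake step each trace completed, the step the failing trace is stuck in, and the first step the working trace reached that the failing one never did. It also pulls out the "TLS certificate verification:" lines so the client chain result (depth and err) is visible at a glance. The only assumption is the line format shown in the report; the two sample traces are the excerpts from the report, embedded as constructed input. One caveat the parser encodes: OpenSSL's info callback prefixes a state with "error in" whenever SSL_accept returned before finishing that step, which in non-blocking mode includes the harmless want-read/want-write case, so a single "error in" line is not fatal by itself (the success trace shows "error in SSLv3 read client certificate A" followed by progress). Only a trace that ends with every report of its final state marked "error in" is treated as stalled.

```python
"""Compare two slapd 'TLS trace:' handshake logs (fail vs. success).

Added example for this bug report, not OpenLDAP or Debian code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the loglevel-1 (fail) and loglevel-3 (success)
# 'grep TLS' excerpts from the report, verbatim.
FAIL_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 write certificate request B
TLS trace: SSL_accept:error in SSLv3 write certificate request B
"""

OK_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS certificate verification: depth: 1, err: 0, subject: <CN of certificate issuer>
TLS certificate verification: depth: 0, err: 0, subject: <CN of certificate holder>
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:warning:close notify
TLS trace: SSL3 alert write:warning:close notify
"""

ACCEPT_RE = re.compile(r"TLS trace: SSL_accept:(?P<msg>.+)$")
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (?P<depth>\d+), "
                       r"err: (?P<err>-?\d+), subject: (?P<subject>.*)$")
ERROR_PREFIX = "error in "  # OpenSSL: SSL_accept returned before finishing the step


def parse_states(log: str) -> List[Tuple[str, bool]]:
    """Ordered (state, reported_with_error_in) pairs; alert/verify lines are skipped."""
    states = []
    for line in log.splitlines():
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith(ERROR_PREFIX):
            states.append((msg[len(ERROR_PREFIX):], True))
        else:
            states.append((msg, False))
    return states


def last_completed(states: List[Tuple[str, bool]]) -> Optional[str]:
    """Last state SSL_accept reported without 'error in'."""
    done = [s for s, err in states if not err]
    return done[-1] if done else None


def stalled_in(states: List[Tuple[str, bool]]) -> Optional[str]:
    """Final state, if every report of it carries 'error in' (handshake never got past it)."""
    if not states:
        return None
    final = states[-1][0]
    return final if all(err for s, err in states if s == final) else None


def first_missing_step(fail: List[Tuple[str, bool]], ok: List[Tuple[str, bool]]) -> Optional[str]:
    """First step the working handshake completed that the failing one never did."""
    completed = {s for s, err in fail if not err}
    for s, err in ok:
        if not err and s not in completed:
            return s
    return None


def verified_chain(log: str) -> List[Tuple[int, int, str]]:
    """(depth, err, subject) per verification line; err 0 at every depth means the chain verified."""
    out = []
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            out.append((int(m.group("depth")), int(m.group("err")), m.group("subject")))
    return out


def analyse(fail_log: str, ok_log: str) -> Dict[str, Optional[str]]:
    """Summarise where the failing trace diverges from the working one."""
    fail, ok = parse_states(fail_log), parse_states(ok_log)
    return {
        "fail_last_completed": last_completed(fail),
        "fail_stalled_in": stalled_in(fail),
        "ok_stalled_in": stalled_in(ok),
        "first_missing_step": first_missing_step(fail, ok),
    }


if __name__ == "__main__":
    for key, value in analyse(FAIL_TRACE, OK_TRACE).items():
        print(f"{key:20s} {value}")
    print("client chain (success trace):", verified_chain(OK_TRACE))
```

Run against the two excerpts it shows that the failing handshake completes "SSLv3 write certificate A" and then never gets past "SSLv3 write certificate request B", while the first step the working trace completes that the failing one does not is "SSLv3 write certificate request A"; the verification lines (depth 1 and depth 0, both err 0) appear only in the working trace, i.e. the client certificate itself was accepted whenever the server managed to send the certificate request. To use it on your own logs, replace the two sample strings with the output of grepping 'TLS' from the respective slapd runs.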