[Pkg-openldap-devel] Bug#473796: TLS fails completely
debian at x.ray.net
Thu Apr 3 13:41:30 UTC 2008
ok, more testing, more news:
>> now with the slapd 2.4.7 package (with gnutls) this seems to force
>> client-certs, too. a TLS query without client-cert won't work - but
>> commenting the 'security' line out results in working TLS and working
>> non-TLS queries.
>
> The default behavior when TLS is enabled is "TLSVerifyClient never"; 2.4.7
> did have a bug related to this, but this was resolved in the 2.4.7-5
> package.
well it seems to me like with gnutls the 'security tls=' value controls
the TLS requirements, and TLSVerifyClient is (more or less?) ignored. but i
could be missing something, of course...
all queries done with a server cert and without a client cert:

  security tls=128
  TLSVerifyClient never
    ldapsearch      fails (TLS confidentiality required)
    ldapsearch -ZZ  fails (stronger TLS confidentiality required)

  security tls=1
  TLSVerifyClient never
    ldapsearch      fails (TLS confidentiality required)
    ldapsearch -ZZ  works

  security tls=0 (or no security tls=)
  TLSVerifyClient never
    ldapsearch      works
    ldapsearch -ZZ  works
while simply documenting this behaviour would probably be a valid 'fix',
i guess this is not how it was intended...
>> user@host:~$ ldapsearch -ZZ -x -h localhost -b dc=foo-bar,dc=baz
>> "(objectClass=*)" -d 1
> [...]
>> res_errno: 13, res_error: <stronger TLS confidentiality required>,
> [...]
>
> Well, that's clear enough, anyway.
>
> Does server debugging indicate what it thinks the current TLS strength is?
> You specified -ZZ, so *some* TLS is in use - the question is why the server
> thinks it isn't strong enough?
hmm. according to the (sparse) documentation i found for the security strength
factor, the value is meant to specify the key length. in my tests i've
been using AES256 (TLS_RSA_AES_256_CBC_SHA1).
i've been testing some ssf values - turns out that they (my -ZZ queries without
client cert) work up to a value of 32 (incl.).
this is the server debugging output with
security tls=128
TLSVerifyClient never
for a -ZZ query:
-----snip-----
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
>>> slap_listener(ldap://localhost)
daemon: listen=7, new connection on 12
daemon: added 12r (active) listener=(nil)
conn=0 fd=12 ACCEPT from IP=127.0.0.1:34892 (IP=127.0.0.1:389)
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x9be7a0 ptr=0x9be7a0 end=0x9be7bd len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=0 op=0 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x9be7a0 ptr=0x9be7a3 end=0x9be7bd len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
conn=0 op=0 EXT oid=1.3.6.1.4.1.1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
conn=0 op=0 STARTTLS
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 12
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
conn=0 op=0 RESULT oid= err=0 text=
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 02 00 58 ....X
tls_read: want=88, got=88
0000: 01 00 00 54 03 02 47 f4 da 43 c2 44 fe 8a 79 a4 ...T..G..C.D..y.
0010: a0 87 49 0a 55 04 e2 3f 0f 5c 65 3f 0b ea 7c ab ..I.U..?.\e?..|.
0020: fd 33 42 42 31 5f 00 00 24 00 33 00 45 00 39 00 .3BB1_..$.3.E.9.
0030: 88 00 16 00 32 00 44 00 38 00 87 00 13 00 66 00 ....2.D.8.....f.
0040: 2f 00 41 00 35 00 84 00 0a 00 05 00 04 01 00 00 /.A.5...........
0050: 07 00 09 00 03 02 00 01 ........
tls_write: want=79, written=79
0000: 16 03 02 00 4a 02 00 00 46 03 02 47 f4 da 43 9c ....J...F..G..C.
0010: 08 42 1b 52 92 9c a1 39 a7 d2 e7 a3 ef 69 c6 9f .B.R...9.....i..
0020: 4a 3b f0 cf fa b1 a7 d9 4e 78 9c 20 e3 10 9f 0d J;......Nx. ....
0030: 5a a1 6c 7c 46 a3 2e e1 d6 3c 59 e2 8c 4c 61 ae Z.l|F....<Y..La.
0040: 48 8c 9c 68 f2 b6 47 cb e4 b9 07 a4 00 35 00 H..h..G......5.
tls_write: want=1130, written=1130
tls_write: want=9, written=9
0000: 16 03 02 00 04 0e 00 00 00 .........
tls_read: want=5 error=Resource temporarily unavailable
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 02 01 06 .....
tls_read: want=262, got=262
daemon: epoll: listen=7 active_threads=0 tvp=zero
tls_read: want=5, got=5
0000: 14 03 02 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
tls_read: want=5, got=5
0000: 16 03 02 00 50 ....P
tls_read: want=80, got=80
0000: c2 0e 3f 68 7d 18 00 2c 45 75 c0 00 6e ec 58 b8 ..?h}..,Eu..n.X.
0010: ff da 80 dd 77 71 e5 5b 98 06 93 db a5 f3 03 e8 ....wq.[........
0020: ee 32 ef 57 71 93 21 41 5f 71 d1 47 6b 46 d4 8c .2.Wq.!A_q.GkF..
0030: e8 8c 34 ac e1 4a df 14 4c ce b1 b0 9d db 4a 27 ..4..J..L.....J'
0040: be 90 ff 65 32 85 b2 e8 ce 68 07 ed 69 cc bf 6b ...e2....h..i..k
tls_write: want=6, written=6
0000: 14 03 02 00 01 01 ......
tls_write: want=101, written=101
connection_read(12): unable to get TLS client DN, error=49 id=0
conn=0 fd=12 TLS established tls_ssf=32 ssf=32
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
tls_read: want=5, got=5
0000: 17 03 02 00 50 ....P
tls_read: want=80, got=80
0000: ea 61 fd a8 67 c8 98 59 cb b2 2b aa 56 19 02 d2 .a..g..Y..+.V...
0010: ce dc b0 7d 5e 5f 66 f3 53 ba 22 98 11 0b aa 86 ...}^_f.S.".....
0020: ef b6 17 32 bd 1d 10 5d 9e f9 9f 23 e0 a9 36 d1 ...2...]...#..6.
0030: 35 7b d2 2f 26 f4 f8 3c e1 75 c7 c2 79 19 f2 5e 5{./&..<.u..y..^
0040: 44 73 cb c9 e1 2b e2 25 59 81 e8 e0 a2 68 06 0e Ds...+.%Y....h..
ldap_read: want=8, got=8
0000: 30 0c 02 01 02 60 07 02 0....`..
ldap_read: want=6, got=6
0000: 01 03 04 00 80 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x7f2700 ptr=0x7f2700 end=0x7f270c len=12
0000: 02 01 02 60 07 02 01 03 04 00 80 00 ...`........
ber_get_next
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8, got=0
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f2700 ptr=0x7f2703 end=0x7f270c len=9
0000: 60 07 02 01 03 04 00 80 00 `........
ber_scanf fmt (m}) ber:
ber_dump: buf=0x7f2700 ptr=0x7f270a end=0x7f270c len=2
0000: 00 00 ..
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=0 op=1 BIND dn="" method=128
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=97 err=0
ber_flush2: 14 bytes to sd 12
0000: 30 0c 02 01 02 61 07 0a 01 00 04 00 04 00 0....a........
tls_write: want=85, written=85
0000: 17 03 02 00 50 51 d9 18 8d 3a 4d 65 4e 95 62 65 ....PQ...:MeN.be
0010: 0a 4e 56 29 e3 15 de 60 73 37 db 07 49 06 7c a9 .NV)...`s7..I.|.
0020: d0 39 eb b3 97 63 3b 4f e1 83 e3 c4 5c 27 7a a2 .9...c;O....\'z.
0030: f0 43 46 4c d1 12 60 b9 10 ce de 61 f6 a7 75 03 .CFL..`....a..u.
0040: 8d 75 05 67 db f1 71 8b 3c 01 88 41 26 d7 44 45 .u.g..q.<..A&.DE
0050: 8c 16 26 3b 9f ..&;.
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 61 07 0a 01 00 04 00 04 00 0....a........
conn=0 op=1 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
tls_read: want=5, got=5
0000: 17 03 02 00 90 .....
tls_read: want=144, got=144
ldap_read: want=8, got=8
0000: 30 36 02 01 03 63 31 04 06...c1.
ldap_read: want=48, got=48
0000: 11 64 63 3d 66 6f 6f 2d 62 61 72 2c 64 63 3d 62 .dc=foo-bar,dc=b
0010: 61 7a 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 az..............
0020: 00 87 0b 6f 62 6a 65 63 74 43 6c 61 73 73 30 00 ...objectClass0.
ber_get_next: tag 0x30 len 54 contents:
ber_dump: buf=0xac5210 ptr=0xac5210 end=0xac5246 len=54
0000: 02 01 03 63 31 04 11 64 63 3d 66 6f 6f 2d 62 61 ...c1..dc=foo-ba
0010: 72 2c 64 63 3d 62 61 7a 0a 01 02 0a 01 00 02 01 r,dc=baz........
0020: 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 43 .........objectC
0030: 6c 61 73 73 30 00 lass0.
ber_get_next
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8, got=0
conn=0 op=2 do_search
ber_scanf fmt ({miiiib) ber:
ber_dump: buf=0xac5210 ptr=0xac5213 end=0xac5246 len=51
0000: 63 31 04 11 64 63 3d 66 6f 6f 2d 62 61 72 2c 64 c1..dc=foo-bar,d
0010: 63 3d 62 61 7a 0a 01 02 0a 01 00 02 01 00 02 01 c=baz...........
0020: 00 01 01 00 87 0b 6f 62 6a 65 63 74 43 6c 61 73 ......objectClas
0030: 73 30 00 s0.
>>> dnPrettyNormal: <dc=foo-bar,dc=baz>
=> ldap_bv2dn(dc=foo-bar,dc=baz,0)
<= ldap_bv2dn(dc=foo-bar,dc=baz)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=foo-bar,dc=baz)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=foo-bar,dc=baz)=0
<<< dnPrettyNormal: <dc=foo-bar,dc=baz>, <dc=foo-bar,dc=baz>
SRCH "dc=foo-bar,dc=baz" 2 0 0 0 0
begin get_filter
PRESENT
ber_scanf fmt (m) ber:
ber_dump: buf=0xac5210 ptr=0xac5237 end=0xac5246 len=15
0000: 87 0b 6f 62 6a 65 63 74 43 6c 61 73 73 30 00 ..objectClass0.
end get_filter 0
filter: (objectClass=*)
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0xac5210 ptr=0xac5244 end=0xac5246 len=2
0000: 00 00 ..
attrs:
conn=0 op=2 SRCH base="dc=foo-bar,dc=baz" scope=2 deref=0 filter="(objectClass=*)"
send_ldap_result: conn=0 op=2 p=3
send_ldap_result: err=13 matched="" text="stronger TLS confidentiality required"
send_ldap_response: msgid=3 tag=101 err=13
ber_flush2: 51 bytes to sd 12
0000: 30 31 02 01 03 65 2c 0a 01 0d 04 00 04 25 73 74 01...e,......%st
0010: 72 6f 6e 67 65 72 20 54 4c 53 20 63 6f 6e 66 69 ronger TLS confi
0020: 64 65 6e 74 69 61 6c 69 74 79 20 72 65 71 75 69 dentiality requi
0030: 72 65 64 red
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
tls_write: want=325, written=325
ldap_write: want=51, written=51
0000: 30 31 02 01 03 65 2c 0a 01 0d 04 00 04 25 73 74 01...e,......%st
0010: 72 6f 6e 67 65 72 20 54 4c 53 20 63 6f 6e 66 69 ronger TLS confi
0020: 64 65 6e 74 69 61 6c 69 74 79 20 72 65 71 75 69 dentiality requi
0030: 72 65 64 red
conn=0 op=2 SEARCH RESULT tag=101 err=13 nentries=0 text=stronger TLS confidentiality required
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
tls_read: want=5, got=5
0000: 17 03 02 00 30 ....0
tls_read: want=48, got=48
0000: c8 82 d6 5b e2 4f ca 3b ce 33 ee 70 4a bb bb d9 ...[.O.;.3.pJ...
0010: 44 b6 e1 50 4a 9c d8 53 6a c6 a0 3f 53 c6 47 87 D..PJ..Sj..?S.G.
0020: 61 86 20 0e 1a 68 06 f6 89 e7 76 5d 51 d7 3a 8f a. ..h....v]Q.:.
daemon: epoll: listen=7 active_threads=0 tvp=zero
ldap_read: want=8, got=7
0000: 30 05 02 01 04 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f2600 ptr=0x7f2600 end=0x7f2605 len=5
0000: 02 01 04 42 00 ...B.
ber_get_next
tls_read: want=5, got=5
0000: 15 03 02 00 60 ....`
tls_read: want=96, got=96
0000: 6c fb 23 a1 a2 f3 da 2f 21 2f 03 1f a8 55 19 a1 l.#..../!/...U..
0010: 01 76 96 47 6b 52 d6 93 35 ca d5 18 4c 53 94 dc .v.GkR..5...LS..
0020: 37 bd 90 62 16 b3 d9 1a 2d 83 8c 88 7f bf 2a 07 7..b....-.....*.
0030: f2 c5 55 fd 5f bc 94 ce 5a c0 71 e3 60 90 3e fc ..U._...Z.q.`.>.
0040: 91 fd 39 72 0d 10 9f 3b b3 da 97 48 77 da 82 c0 ..9r...;...Hw...
0050: 8a f7 db cc fe ea b5 d6 6a ef c3 1f 95 48 5b 55 ........j....H[U
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=12 for close
connection_close: deferring conn=0 sd=12
conn=0 op=3 do_unbind
conn=0 op=3 UNBIND
connection_resched: attempting closing conn=0 sd=12
connection_close: conn=0 sd=12
daemon: activity on 1 descriptor
daemon: activity on:
daemon: removing 12
tls_write: want=245, written=245
conn=0 fd=12 closed
daemon: epoll: listen=7 active_threads=0 tvp=zero
-----snap-----
to me this doesn't say very much... and as the only documentation for
'security tls=' says it's key lengths, plus i've been testing with the
strongest cipher available, i assumed it must probably be a client cert
issue.
regards,
Chris
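A small model of the per-operation strength check the two error texts in the test matrix come from, as an added example (not OpenLDAP code): it reproduces the matrix for the tls_ssf=32 the debug log reports, and shows that a key size reported in bytes instead of bits would give exactly 32 for AES-256. Whether that is the real cause of the reported value is an assumption of the example, not something the thread establishes.

```python
"""Model of slapd's 'security tls=' check as described in the thread.

Added illustration, not OpenLDAP code.  Assumed here: the check compares the
connection's TLS SSF with the configured minimum and distinguishes "no TLS"
from "TLS too weak", matching the two diagnostics seen in the test matrix.
"""
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_CONFIDENTIALITY_REQUIRED = 13  # res_errno: 13 in the ldapsearch output


@dataclass
class Connection:
    tls_established: bool
    tls_ssf: int  # strength factor the server believes the session has


def tls_ssf_from_key_size(key_bits: int, report_in_bytes: bool = False) -> int:
    """SSF is meant to be the cipher key length in bits.

    With report_in_bytes=True the size is returned in bytes instead; for
    AES-256 that yields 32, the tls_ssf in the log.  This is a hypothesis
    used to reproduce the observed number, not an established cause.
    """
    return key_bits // 8 if report_in_bytes else key_bits


def check_security(required_tls_ssf: int, conn: Connection) -> tuple[int, str]:
    """Return (result code, diagnostic text) for an operation on conn."""
    if required_tls_ssf == 0:          # no 'security tls=' (or tls=0)
        return LDAP_SUCCESS, ""
    if not conn.tls_established:       # plain ldapsearch, no StartTLS
        return LDAP_CONFIDENTIALITY_REQUIRED, "TLS confidentiality required"
    if conn.tls_ssf < required_tls_ssf:  # StartTLS done, but SSF too low
        return LDAP_CONFIDENTIALITY_REQUIRED, "stronger TLS confidentiality required"
    return LDAP_SUCCESS, ""


def run_matrix(tls_ssf: int) -> dict:
    """Reproduce the thread's test matrix for a given reported tls_ssf.

    Returns {required: (plain ldapsearch outcome, ldapsearch -ZZ outcome)}.
    """
    plain = Connection(tls_established=False, tls_ssf=0)
    starttls = Connection(tls_established=True, tls_ssf=tls_ssf)
    return {
        req: (check_security(req, plain)[1] or "works",
              check_security(req, starttls)[1] or "works")
        for req in (128, 1, 0)
    }


if __name__ == "__main__":
    observed = tls_ssf_from_key_size(256, report_in_bytes=True)  # 32
    for req, (plain, zz) in run_matrix(observed).items():
        print(f"security tls={req:<4} ldapsearch: {plain:<40} -ZZ: {zz}")
```

With a correctly reported 256-bit strength, run_matrix(256) makes the tls=128 -ZZ query succeed, which is the behaviour the thread expected.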