[Pkg-openldap-devel] Bug#478883: ldap-utils: tls failing when connecting to slapd on etch server
Thorben Jändling
tj.trevelyan at gmail.com
Thu May 1 15:52:57 UTC 2008
Package: ldap-utils
Version: 2.4.7-6.2
Severity: important
This may be an issue with libldap, or possibly libgnutls (which I doubt; see tests below).
I can't get an ldaps connection to slapd running on our Etch servers.
The ldaps connections from other etch servers are fine, but for my lenny desktop I get:
Server syslog:
.... conn=400 fd=26 ACCEPT from IP=10.10.25.223:34424 (IP=0.0.0.0:636)
.... conn=400 fd=26 closed (TLS negotiation failure)
Client:
$ ldapsearch -x -d 5
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.10.20.157:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.20.157:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: Error in the push function..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
To check this is not a tls issue I tested the ssl/tls connection with gnutls-cli:
$ gnutls-cli --x509cafile /etc/certs/ca-cert.pem --x509keyfile /etc/certs/key.pem --x509certfile /etc/certs/cert.pem -d 5 -p 636 ithunn....
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ithunn....'...
Connecting to '10.10.20.157:636'...
....lots of cipher suite handshake stuff omitted....
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
# The hostname in the certificate matches 'ithunn...'.
# valid since: Tue Jul 24 10:31:38 BST 2007
# expires at: Wed Jul 23 10:31:38 BST 2008
# fingerprint: 6F:35:03:F2:C4:1E:C9:C5:BA:1E:C6:60:1B:A8:C2:07
# Subject's DN: ......
# Issuer's DN: .......
|<2>| ASSERT: mpi.c:588
|<2>| ASSERT: dn.c:1125
|<2>| ASSERT: dn.c:1125
- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
|<2>| ASSERT: mpi.c:588
|<2>| ASSERT: dn.c:1125
|<2>| ASSERT: dn.c:1125
- Handshake was completed
- Simple Client Mode:
And server syslog:
.... conn=427 fd=37 ACCEPT from IP=10.10.25.223:34457 (IP=0.0.0.0:636)
.... conn=427 fd=37 TLS established tls_ssf=16 ssf=16
Here is my ldap.conf:
base ...
uri ldaps://10.10.20.157/ ldaps://10.10.20.159/
ssl on
tls_cacert /etc/certs/ca-cert.pem
tls_cacertfile /etc/certs/ca-cert.pem
tls_cert /etc/certs/cert.pem
tls_key /etc/certs/key.pem
So in summary:
I can make a raw tls connection from my desktop with gnutls, but ldap connections fail with some error about tls.
Regards,
Thorben
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (800, 'testing'), (600, 'unstable'), (400, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ldap-utils depends on:
ii libc6 2.7-10 GNU C Library: Shared libraries
ii libgnutls26 2.2.2-1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.7-6.2 OpenLDAP libraries
ii libsasl2-2 2.1.22.dfsg1-18 Cyrus SASL - authentication abstra
Versions of packages ldap-utils recommends:
ii libsasl2-modules 2.1.22.dfsg1-18 Cyrus SASL - pluggable authenticat
-- no debconf information
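One check a practitioner would want before chasing the TLS layer is whether the keywords in the ldap.conf above ever reach libldap at all. The following is an added example, not part of the bug report, and it encodes rules from ldap.conf(5) for OpenLDAP 2.4: keyword matching is case-insensitive; TLS_CERT and TLS_KEY are "user-only" options that libldap honours in ldaprc / ~/.ldaprc or via the LDAPTLS_CERT / LDAPTLS_KEY environment variables but ignores in the system-wide ldap.conf; and keywords such as ssl or tls_cacertfile belong to pam_ldap / nss_ldap, which libldap does not read. The script assumes the file shown is the system-wide one (the report does not say which file it is), and the page does not establish that this is the cause of the failure reported here.

```python
"""Classify the keywords in an OpenLDAP client ldap.conf by whether libldap
(and therefore ldapsearch) will act on them.

Rules from ldap.conf(5), OpenLDAP 2.4 (added example, not the project's code):
  * keyword matching is case-insensitive;
  * TLS_CERT and TLS_KEY are user-only: honoured in ldaprc / ~/.ldaprc and
    via LDAPTLS_CERT / LDAPTLS_KEY, ignored in the system-wide ldap.conf;
  * anything else (ssl, tls_cacertfile, ...) is a pam_ldap/nss_ldap keyword
    that libldap silently ignores.
"""

# Subset of keywords libldap reads from the system-wide ldap.conf.
SYSTEM_KEYWORDS = {
    "URI", "BASE", "HOST", "PORT",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT", "TLS_CIPHER_SUITE",
}
# Keywords libldap reads only from a user rc file or the environment.
USER_ONLY_KEYWORDS = {"TLS_CERT", "TLS_KEY"}

# Constructed copy of the ldap.conf quoted in the report; the base DN is
# elided on the page and is left elided here.
SAMPLE_LDAP_CONF = """\
base ...
uri ldaps://10.10.20.157/ ldaps://10.10.20.159/
ssl on
tls_cacert /etc/certs/ca-cert.pem
tls_cacertfile /etc/certs/ca-cert.pem
tls_cert /etc/certs/cert.pem
tls_key /etc/certs/key.pem
"""


def parse_ldap_conf(text):
    """Yield (keyword, value) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def classify(text, system_wide=True):
    """Map each keyword (as written) to how libldap treats it.

    system_wide=True models /etc/ldap/ldap.conf; False models ~/.ldaprc.
    """
    result = {}
    for key, _value in parse_ldap_conf(text):
        upper = key.upper()
        if upper in SYSTEM_KEYWORDS:
            result[key] = "used"
        elif upper in USER_ONLY_KEYWORDS:
            result[key] = "used" if not system_wide else "ignored (user-only)"
        else:
            result[key] = "ignored (not a libldap keyword)"
    return result


def env_overrides(text):
    """Return the LDAPTLS_* environment variables that would carry the
    user-only settings to ldapsearch when they sit in the system file."""
    env = {}
    for key, value in parse_ldap_conf(text):
        upper = key.upper()
        if upper in USER_ONLY_KEYWORDS and value:
            env["LDAP" + upper] = value
    return env


if __name__ == "__main__":
    for key, status in classify(SAMPLE_LDAP_CONF).items():
        print(f"{key:16s} {status}")
    print("export " + " ".join(f"{k}={v}" for k, v in env_overrides(SAMPLE_LDAP_CONF).items()))
```

Running it against the quoted file reports tls_cert and tls_key as ignored in the system-wide file, and prints the LDAPTLS_CERT / LDAPTLS_KEY exports that would hand the same client certificate and key to ldapsearch for a retry of the comparison with gnutls-cli.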