[Pkg-openldap-devel] Bug#478883: ldap-utils: tls failing when connecting to slapd on etch server

Thorben Jändling tj.trevelyan at gmail.com
Thu May 1 15:52:57 UTC 2008


Package: ldap-utils
Version: 2.4.7-6.2
Severity: important

This may be an issue with libldap, or possibly libgnutls (which I doubt; see tests below).

I can't get an ldaps connection to slapd running on our Etch servers.
The ldaps connections from other Etch servers are fine, but from my Lenny desktop I get:

Server syslog:

.... conn=400 fd=26 ACCEPT from IP=10.10.25.223:34424 (IP=0.0.0.0:636)
.... conn=400 fd=26 closed (TLS negotiation failure)


Client:

$ ldapsearch -x -d 5
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.10.20.157:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.20.157:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: Error in the push function..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


To check that this is not a TLS issue, I tested the SSL/TLS connection with gnutls-cli:

$ gnutls-cli --x509cafile /etc/certs/ca-cert.pem --x509keyfile /etc/certs/key.pem --x509certfile /etc/certs/cert.pem -d 5 -p 636 ithunn....
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ithunn....'...
Connecting to '10.10.20.157:636'...

....lots of cipher suite handshake stuff omitted....

- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'ithunn...'.
 # valid since: Tue Jul 24 10:31:38 BST 2007
 # expires at: Wed Jul 23 10:31:38 BST 2008
 # fingerprint: 6F:35:03:F2:C4:1E:C9:C5:BA:1E:C6:60:1B:A8:C2:07
 # Subject's DN: ......
 # Issuer's DN: .......

|<2>| ASSERT: mpi.c:588
|<2>| ASSERT: dn.c:1125
|<2>| ASSERT: dn.c:1125

- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
|<2>| ASSERT: mpi.c:588
|<2>| ASSERT: dn.c:1125
|<2>| ASSERT: dn.c:1125
- Handshake was completed

- Simple Client Mode:


And server syslog:

.... conn=427 fd=37 ACCEPT from IP=10.10.25.223:34457 (IP=0.0.0.0:636)
.... conn=427 fd=37 TLS established tls_ssf=16 ssf=16


Here is my ldap.conf:

base    ...
uri     ldaps://10.10.20.157/ ldaps://10.10.20.159/

ssl on

tls_cacert      /etc/certs/ca-cert.pem
tls_cacertfile      /etc/certs/ca-cert.pem
tls_cert        /etc/certs/cert.pem
tls_key         /etc/certs/key.pem


So in summary:

I can make a raw TLS connection from my desktop with gnutls, but LDAP connections fail with some error about TLS.

Regards,

Thorben


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (800, 'testing'), (600, 'unstable'), (400, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ldap-utils depends on:
ii  libc6                    2.7-10          GNU C Library: Shared libraries
ii  libgnutls26              2.2.2-1         the GNU TLS library - runtime libr
ii  libldap-2.4-2            2.4.7-6.2       OpenLDAP libraries
ii  libsasl2-2               2.1.22.dfsg1-18 Cyrus SASL - authentication abstra

Versions of packages ldap-utils recommends:
ii  libsasl2-modules         2.1.22.dfsg1-18 Cyrus SASL - pluggable authenticat

-- no debconf information
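The server-side symptom in the report is visible only in slapd's per-connection syslog lines: an ACCEPT for the client, then either "TLS established" or "closed (TLS negotiation failure)". The following script is an added example, written here for this page and not part of the bug report or of OpenLDAP; it correlates those three line types by connection id and reports, per client address, how many handshakes succeeded and how many failed, which is the first thing to check on the server when one host fails while its neighbours succeed. The sample log lines, the host name ldap1 and the pid are constructed in the shape of the lines quoted above.

```python
"""Correlate slapd connection log lines to see which clients fail the TLS handshake.

Added example for this page; not code from the bug report or from OpenLDAP.
The sample lines below are constructed (host name ldap1 and pid 2345 are made up)
in the shape of the syslog lines quoted in the report. Real syslog lines carry a
timestamp/host/program prefix, so the parser searches within each line instead
of anchoring at its start.
"""
import re
from collections import defaultdict

# slapd logs one ACCEPT per connection, then optionally "TLS established",
# then "closed" with an optional parenthesised reason.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([^ ]+?):(\d+)(?:\s|$)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed(?: \(([^)]*)\))?")

# Constructed sample, modelled on the report: one client (10.10.25.223) fails once
# and later succeeds; another client succeeds on its only connection.
SAMPLE_LOG = """\
May  1 15:40:01 ldap1 slapd[2345]: conn=400 fd=26 ACCEPT from IP=10.10.25.223:34424 (IP=0.0.0.0:636)
May  1 15:40:01 ldap1 slapd[2345]: conn=400 fd=26 closed (TLS negotiation failure)
May  1 15:41:12 ldap1 slapd[2345]: conn=401 fd=27 ACCEPT from IP=10.10.20.150:51020 (IP=0.0.0.0:636)
May  1 15:41:12 ldap1 slapd[2345]: conn=401 fd=27 TLS established tls_ssf=128 ssf=128
May  1 15:41:13 ldap1 slapd[2345]: conn=401 fd=27 closed
May  1 15:45:30 ldap1 slapd[2345]: conn=427 fd=37 ACCEPT from IP=10.10.25.223:34457 (IP=0.0.0.0:636)
May  1 15:45:30 ldap1 slapd[2345]: conn=427 fd=37 TLS established tls_ssf=16 ssf=16
May  1 15:45:31 ldap1 slapd[2345]: conn=427 fd=37 closed
"""


def parse_connections(lines):
    """Group log lines by connection id.

    Returns {conn_id: {"ip", "port", "tls", "closed", "closed_reason"}}.
    Connection ids restart when slapd restarts, so a fresh ACCEPT for an id
    already seen replaces the earlier record.
    """
    conns = {}
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            cid, ip, port = m.groups()
            conns[cid] = {"ip": ip, "port": int(port), "tls": None,
                          "closed": False, "closed_reason": None}
            continue
        m = TLS_RE.search(line)
        if m:
            cid, tls_ssf, ssf = m.groups()
            if cid in conns:
                conns[cid]["tls"] = (int(tls_ssf), int(ssf))
            continue
        m = CLOSED_RE.search(line)
        if m:
            cid, reason = m.groups()
            if cid in conns:
                conns[cid]["closed"] = True
                conns[cid]["closed_reason"] = reason
    return conns


def summarize_by_client(lines):
    """Per client IP: connections accepted, TLS established, TLS failed (with reasons).

    A connection counts as a TLS failure only when it closed without a
    "TLS established" line and slapd gave a TLS-related close reason; a plain
    close without TLS (e.g. the client went away) is counted as neither.
    """
    stats = defaultdict(lambda: {"accepted": 0, "tls_ok": 0, "tls_failed": 0, "reasons": []})
    for c in parse_connections(lines).values():
        s = stats[c["ip"]]
        s["accepted"] += 1
        if c["tls"] is not None:
            s["tls_ok"] += 1
        elif c["closed"] and c["closed_reason"] and "TLS" in c["closed_reason"]:
            s["tls_failed"] += 1
            s["reasons"].append(c["closed_reason"])
    return dict(stats)


def failing_clients(lines, min_failures=1):
    """Client IPs with at least min_failures TLS failures, worst first."""
    stats = summarize_by_client(lines)
    bad = [(ip, s["tls_failed"]) for ip, s in stats.items() if s["tls_failed"] >= min_failures]
    return sorted(bad, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, s in sorted(summarize_by_client(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:16} accepted={s['accepted']} tls_ok={s['tls_ok']} "
              f"tls_failed={s['tls_failed']} reasons={s['reasons']}")
```

Run it against a real slapd syslog by replacing SAMPLE_LOG with the file's lines; a client that shows tls_failed but no tls_ok is the one to test with gnutls-cli or with `ldapsearch -d` from that host, as the report does, since the server log only says that negotiation failed, not why.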