[Pkg-openldap-devel] Bug#505191: slapd: TLS connection won't work with GnuTLS
LEVAI Daniel
leva at ecentrum.hu
Mon Nov 10 10:02:02 UTC 2008
Package: slapd
Version: 2.4.11-1
Severity: important
I'm using Debian testing, and have installed slapd along with ldap-utils.
I've configured my slapd with these settings:
[...]
TLSCACertificateFile /etc/ssl/certs/fileserver.digiszfv.pem
TLSCertificateFile /etc/ssl/openldap_cert.pem
TLSCertificateKeyFile /etc/ssl/private/openldap_key.pem
TLSVerifyClient try
[...]
The server is running with these parameters:
$ pgrep -lf slapd
29104 /usr/sbin/slapd -h ldap://fileserver.digiszfv:389/ ldaps://fileserver.digiszfv/ -g openldap -u openldap -f /etc/ldap/slapd.conf
When trying to reach it:
$ ldapsearch -d 1 -Wx '(objectclass=*)' -H ldaps://fileserver.digiszfv
ldap_url_parse_ext(ldaps://fileserver.digiszfv)
ldap_create
ldap_url_parse_ext(ldaps://fileserver.digiszfv:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fileserver.digiszfv:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.3:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x6120b0 msgid 1
wait4msg ld 0x6120b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x6120b0 msgid 1 all 1
** ld 0x6120b0 Connections:
* host: fileserver.digiszfv port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Nov 10 10:51:02 2008
** ld 0x6120b0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x6120b0 request count 1 (abandoned 0)
** ld 0x6120b0 Response Queue:
Empty
ld 0x6120b0 response count 0
ldap_chkResponseList ld 0x6120b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x6120b0 NULL
ldap_int_select
read1msg: ld 0x6120b0 msgid 1 all 1
ber_get_next
ldap_free_connection 1 0
ldap_free_connection: actually freed
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
Meanwhile in the syslog:
slapd[29104]: slap_listener_activate(9):
slapd[29104]: >>> slap_listener(ldaps://fileserver.digiszfv/)
slapd[29104]: connection_get(14): got connid=1
slapd[29104]: connection_read(14): checking for input on id=1
slapd[29104]: connection_get(14): got connid=1
slapd[29104]: connection_read(14): checking for input on id=1
slapd[29104]: connection_get(14): got connid=1
slapd[29104]: connection_read(14): checking for input on id=1
slapd[29104]: connection_get(14): got connid=1
slapd[29104]: connection_read(14): checking for input on id=1
slapd[29104]: connection_get(14): got connid=1
slapd[29104]: connection_read(14): checking for input on id=1
slapd[29104]: connection_read(14): TLS accept failure error=-1 id=1, closing
slapd[29104]: connection_closing: readying conn=1 sd=14 for close
slapd[29104]: connection_close: conn=1 sd=14
The situation is the same when connecting to port 389, with the option -ZZ passed to ldapsearch.
What is working is the connection without TLS:
$ ldapsearch -Wx '(objectclass=*)' -H ldap://fileserver.digiszfv
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
(Yes, it is an empty database)
I've downloaded the source package, modified the configure option (changed --with-tls=gnutls to
--with-tls=openssl), and debuilt it. It is working with OpenSSL, except that
I cannot connect to it with an ldapsearch linked against GnuTLS, only with an ldapsearch compiled with
OpenSSL, but I think this will (or will not) be another bug report. Let's focus on the problem with slapd
compiled against GnuTLS, which is not accepting TLS connections.
Connecting to slapd with GnuTLS, using openssl as client:
$ openssl s_client -CAfile /etc/ssl/certs/fileserver.digiszfv.pem -connect fileserver.digiszfv:636 < /dev/null
[...]
---
SSL handshake has read 1122 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: AFB219E271AE35919C806F924A240E6E3790DF73F1A01FBA99A07CDB7DF3AEBB
Session-ID-ctx:
Master-Key: 16308E65B369B3BD4CA36168B7C9AC824049B3BB924A0FF8462EA87FB0B0F1374B133AC2D89122D446E20375AD50E93D
Key-Arg : None
Start Time: 1226311045
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
--
Daniel
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24-etchnhalf.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages slapd depends on:
ii adduser 3.110 add and remove users and groups
ii coreutils 6.10-6 The GNU core utilities
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libdb4.2 4.2.52+dfsg-5 Berkeley v4.2 Database Libraries [
ii libgnutls26 2.4.2-1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libltdl3 1.5.26-4 A system independent dlopen wrappe
ii libperl5.10 5.10.0-16 Shared Perl library
ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstra
ii libslp1 1.2.1-7.4 OpenSLP libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii perl [libmime-base64-per 5.10.0-16 Larry Wall's Practical Extraction
ii psmisc 22.6-1 Utilities that use the proc filesy
ii unixodbc 2.2.11-16 ODBC tools libraries
Versions of packages slapd recommends:
ii libsasl2-modules 2.1.22.dfsg1-23 Cyrus SASL - pluggable authenticat
Versions of packages slapd suggests:
ii ldap-utils 2.4.11-1 OpenLDAP utilities
-- debconf-show failed
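As an added example, not part of Daniel's report or of the OpenLDAP project's own code, the script below scans slapd syslog lines of the kind quoted in the report for "TLS accept failure" messages and pairs each one with the connection_close line that follows it, so an operator can tell at a glance whether every TLS handshake on a listener is being rejected (which points at the server's TLS setup, as in this report) or only isolated clients fail. The sample lines are copied from the syslog excerpt above, plus one constructed plain-LDAP connection (connid=2) for contrast; the regular expressions match the message formats shown in the excerpt and nothing beyond them. The listener attribution is a heuristic (the most recent slap_listener line seen) and the function and variable names are this example's own.

```python
"""Flag slapd connections that were closed because the TLS accept failed.

Reads syslog-style lines as printed by slapd 2.4 (formats taken from the
bug report) and returns per-connection details plus a summary.
"""
import re
from collections import OrderedDict

# Sample input: the report's syslog excerpt, plus a constructed second
# connection (connid=2, sd=15) that closed without a TLS failure.
SAMPLE_LOG = """\
slapd[29104]: slap_listener_activate(9):
slapd[29104]: >>> slap_listener(ldaps://fileserver.digiszfv/)
slapd[29104]: connection_get(14): got connid=1
slapd[29104]: connection_read(14): checking for input on id=1
slapd[29104]: connection_read(14): TLS accept failure error=-1 id=1, closing
slapd[29104]: connection_closing: readying conn=1 sd=14 for close
slapd[29104]: connection_close: conn=1 sd=14
slapd[29104]: connection_get(15): got connid=2
slapd[29104]: connection_read(15): checking for input on id=2
slapd[29104]: connection_close: conn=2 sd=15
"""

LISTENER_RE = re.compile(r">>> slap_listener\((?P<url>\S+)\)")
TLS_FAIL_RE = re.compile(
    r"connection_read\((?P<sd>\d+)\): TLS accept failure "
    r"error=(?P<err>-?\d+) id=(?P<id>\d+)"
)
CLOSE_RE = re.compile(r"connection_close: conn=(?P<id>\d+) sd=(?P<sd>\d+)")


def analyse(log_text):
    """Return listener URL, TLS failures keyed by connid, and closed connids."""
    listener = None
    failures = OrderedDict()  # connid -> {"sd", "error", "listener"}
    closed = []               # connids seen in connection_close lines
    for line in log_text.splitlines():
        m = LISTENER_RE.search(line)
        if m:
            listener = m.group("url")  # heuristic: last listener announced
            continue
        m = TLS_FAIL_RE.search(line)
        if m:
            failures[int(m.group("id"))] = {
                "sd": int(m.group("sd")),
                "error": int(m.group("err")),
                "listener": listener,
            }
            continue
        m = CLOSE_RE.search(line)
        if m:
            closed.append(int(m.group("id")))
    return {"listener": listener, "tls_failures": failures, "closed": closed}


def tls_failure_fraction(result):
    """Share of closed connections that were closed after a TLS accept failure.

    1.0 means every connection in the window died in the TLS handshake,
    which is what a server-side TLS misconfiguration looks like.
    """
    if not result["closed"]:
        return 0.0
    failed = sum(1 for cid in result["closed"] if cid in result["tls_failures"])
    return failed / len(result["closed"])


def report(log_text):
    """Human-readable summary lines for the analysed log."""
    result = analyse(log_text)
    lines = []
    for cid, info in result["tls_failures"].items():
        lines.append(
            "conn=%d sd=%d: TLS accept failure error=%d on %s"
            % (cid, info["sd"], info["error"], info["listener"])
        )
    lines.append("TLS failure fraction: %.2f" % tls_failure_fraction(result))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against `journalctl -u slapd` or the relevant syslog file piped on stdin after swapping SAMPLE_LOG for the real text; a fraction at or near 1.0 across many distinct client addresses is the signature of the condition in this report (every ldaps and StartTLS client dropped with error=-1), whereas a handful of failures among many successful connections usually means a client-side certificate or cipher mismatch.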