[Pkg-openldap-devel] Bug#538278: ldaps doesn't work with tls

Nicolas Jungers deblbug at jungers.net
Fri Jul 24 15:16:30 UTC 2009


Package: slapd
Version: 2.4.11-1

My slapd installation fails to negotiate either a TLS (StartTLS) or an SSL
(ldaps) connection; an unencrypted connection works fine. The same set of
key/certificates works between gnutls-serv and gnutls-cli.

Any pointer to an obvious mistake will be appreciated :-)

Nicolas


#-------- bits from slapd.conf

# TLS configuration
# CA
TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
# Cert
TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
#TLSCipherSuite HIGH  <-- not with gnutls (openssl keyword)



where



#-------- bits of system configuration

ll /etc/ssl/private/main.jungers.net-key.pem
-rw-r----- 1 root ssl-cert 1676 2009-07-23 23:07
/etc/ssl/private/main.jungers.net-key.pem

and

grep ssl /etc/group
ssl-cert:x:106:postgres,caldavd,openldap



#-------- running with loglevel 64 gives

main slapd[2532]: line 64 (TLSCACertificateFile
/etc/ssl/certs/cacert.org.pem)
main slapd[2532]: line 66 (TLSCertificateFile
/etc/ssl/certs/main.jungers.net.pem)
main slapd[2532]: line 67 (TLSCertificateKeyFile
/etc/ssl/private/main.jungers.net-key.pem)



#-------- and finally a strace gives

open("/etc/ssl/certs/cacert.org.pem", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0644, st_size=4720, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x7f55f1c9e000
read(10, "-----BEGIN CERTIFICATE-----\nMIIHP"..., 8192) = 4720
read(10, ""..., 4096)                   = 0
close(10)                               = 0
munmap(0x7f55f1c9e000, 4096)            = 0
open("/etc/ssl/private/main.jungers.net-key.pem", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0640, st_size=1676, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x7f55f1c9e000
read(10, "-----BEGIN RSA PRIVATE KEY-----\nM"..., 8192) = 1676
read(10, ""..., 4096)                   = 0
close(10)                               = 0
munmap(0x7f55f1c9e000, 4096)            = 0
open("/etc/ssl/certs/main.jungers.net.pem", O_RDONLY) = 10
fstat(10, {st_mode=S_IFREG|0644, st_size=1693, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x7f55f1c9e000
read(10, "-----BEGIN CERTIFICATE-----\nMIIEs"..., 8192) = 1693
read(10, ""..., 4096)                   = 0
close(10)                               = 0



#-------- Now if I issue:

ldapsearch -x  '(objectclass=*)'

I get a dump of my near empty DB



#-------- but

ldapsearch -x  '(objectclass=*)' -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP main.jungers.net:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 91.121.14.130:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f13fa91e1b0 msgid 1
wait4msg ld 0x7f13fa91e1b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f13fa91e1b0 msgid 1 all 1
** ld 0x7f13fa91e1b0 Connections:
* host: main.jungers.net  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jul 24 16:50:46 2009


** ld 0x7f13fa91e1b0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f13fa91e1b0 request count 1 (abandoned 0)
** ld 0x7f13fa91e1b0 Response Queue:
   Empty
  ld 0x7f13fa91e1b0 response count 0
ldap_chkResponseList ld 0x7f13fa91e1b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f13fa91e1b0 NULL
ldap_int_select
read1msg: ld 0x7f13fa91e1b0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7f13fa91e1b0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f13fa91e1b0 0 new referrals
read1msg:  mark request completed, ld 0x7f13fa91e1b0 msgid 1
request done: ld 0x7f13fa91e1b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Connect error (-11)
nicolas at i24:~$ ldapsearch -x  '(objectclass=*)' -ZZ
ldap_start_tls: Connect error (-11)



#-------- and on the server (loglevel 256)

Jul 24 16:48:04 main slapd[2533]: conn=6 fd=17 ACCEPT from
IP=193.93.113.2:55765 (IP=0.0.0.0:389)
Jul 24 16:48:04 main slapd[2533]: conn=6 op=0 EXT oid=1.3.6.1.4.1.1466.20037
main slapd[2533]: conn=6 op=0 STARTTLS
main slapd[2533]: conn=6 op=0 RESULT oid= err=0 text=
main slapd[2533]: conn=6 fd=17 closed (TLS negotiation failure)



#-------- if I try gnutls-cli directly against port 389 (note: this port expects a plain LDAP StartTLS exchange before any TLS handshake, so a raw TLS client is not expected to succeed there) I get

gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 389
main.jungers.net
Processed 2 CA certificate(s).
Resolving 'main.jungers.net'...
Connecting to '91.121.14.130:389'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.



#-------- and on the server (loglevel 256)

main slapd[2533]: conn=8 fd=17 ACCEPT from IP=193.93.113.2:55767
(IP=0.0.0.0:389)
main slapd[2533]: conn=8 fd=17 closed (connection lost)



#-------- On a side note, it's not better with ssl:

ldapsearch -x  '(objectclass=*)' -H ldaps://main.jungers.net:636 -d1
ldap_url_parse_ext(ldaps://main.jungers.net:636)
ldap_create
ldap_url_parse_ext(ldaps://main.jungers.net:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP main.jungers.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 91.121.14.130:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)



#-------- and on the server (loglevel 256)

main slapd[2533]: conn=7 fd=17 ACCEPT from IP=193.93.113.2:40004
(IP=0.0.0.0:636)
main slapd[2533]: conn=7 fd=17 closed (TLS negotiation failure)



#-------- and

ps ax|grep slapd
 2533 ?        Ssl    0:00 /usr/sbin/slapd -h ldap:/// ldaps:/// -g
openldap -u openldap -f /etc/ldap/slapd.conf




At that point I imagined that my certificates were somehow invalid, so
I tried to show that:



#-------- here's the server part

gnutls-serv --x509cafile certs/cacert.org.pem --x509certfile
certs/main.jungers.net.pem --x509keyfile
private/main.jungers.net-key.pem -p 2389 -a
Set static Diffie Hellman parameters, consider --dhparams.
Processed 2 CA certificate(s).
Echo Server ready. Listening to port '2389'.


* connection from ::ffff:193.93.113.2, port 49127
- Given server name[1]: main.jungers.net
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1014 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
No certificates found!

- Peer did not send any certificate.
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
^CExiting via signal 2



#-------- here's the client part

gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 2389
main.jungers.net
Processed 2 CA certificate(s).
Resolving 'main.jungers.net'...
Connecting to '91.121.14.130:2389'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1013 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'main.jungers.net'.
 # valid since: Thu Jul 23 23:05:41 CEST 2009
 # expires at: Sat Jul 23 23:05:41 CEST 2011
 # fingerprint: 0E:66:F0:48:1B:66:DE:A3:36:F2:F0:28:FE:CE:D1:69
 # Subject's DN: CN=main.jungers.net
 # Issuer's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3
Root


- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:







