[Pkg-openldap-devel] Bug#538278: Bug#538278: ldaps doesn't work with tls

Matt Kassawara battery at writeme.com
Fri Jul 24 15:54:56 UTC 2009


Looks like you're using cacert.org to sign your certificates.  Since Debian
already includes that CA, try installing the ca-certificates package and
changing TLSCACertificateFile to /etc/ssl/certs/ca-certificates.crt... at
least for testing purposes.

On Fri, Jul 24, 2009 at 9:16 AM, Nicolas Jungers <deblbug at jungers.net> wrote:

> Package: slapd
> Version: 2.4.11-1
>
> My installation of slapd fails to successfully negotiate a tls or a ssl
> connection. An unencrypted connection works fine. The used set of
> key/certificates works within the couple (gnutls-server,gnutls-cli).
>
> Any pointer to an obvious mistake will be appreciated :-)
>
> Nicolas
>
>
> #-------- bits from slapd.conf
>
> # TLS configuration
> # CA
> TLSCACertificateFile /etc/ssl/certs/cacert.org.pem
> # Cert
> TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem
> TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem
> #TLSCipherSuite HIGH  <-- not with gnutls (openssl keyword)
>
>
>
> where
>
>
>
> #-------- bits of system configuration
>
> ll /etc/ssl/private/main.jungers.net-key.pem
> -rw-r----- 1 root ssl-cert 1676 2009-07-23 23:07
> /etc/ssl/private/main.jungers.net-key.pem
>
> and
>
> grep ssl /etc/group
> ssl-cert:x:106:postgres,caldavd,openldap
>
>
>
> #-------- running with loglevel 64 gives
>
> main slapd[2532]: line 64 (TLSCACertificateFile
> /etc/ssl/certs/cacert.org.pem)
> main slapd[2532]: line 66 (TLSCertificateFile
> /etc/ssl/certs/main.jungers.net.pem)
> main slapd[2532]: line 67 (TLSCertificateKeyFile
> /etc/ssl/private/main.jungers.net-key.pem)
>
>
>
> #-------- and finally a strace gives
>
> open("/etc/ssl/certs/cacert.org.pem", O_RDONLY) = 10
> fstat(10, {st_mode=S_IFREG|0644, st_size=4720, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x7f55f1c9e000
> read(10, "-----BEGIN CERTIFICATE-----\nMIIHP"..., 8192) = 4720
> read(10, ""..., 4096)                   = 0
> close(10)                               = 0
> munmap(0x7f55f1c9e000, 4096)            = 0
> open("/etc/ssl/private/main.jungers.net-key.pem", O_RDONLY) = 10
> fstat(10, {st_mode=S_IFREG|0640, st_size=1676, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x7f55f1c9e000
> read(10, "-----BEGIN RSA PRIVATE KEY-----\nM"..., 8192) = 1676
> read(10, ""..., 4096)                   = 0
> close(10)                               = 0
> munmap(0x7f55f1c9e000, 4096)            = 0
> open("/etc/ssl/certs/main.jungers.net.pem", O_RDONLY) = 10
> fstat(10, {st_mode=S_IFREG|0644, st_size=1693, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
> = 0x7f55f1c9e000
> read(10, "-----BEGIN CERTIFICATE-----\nMIIEs"..., 8192) = 1693
> read(10, ""..., 4096)                   = 0
> close(10)                               = 0
>
>
>
> #-------- Now if I issue:
>
> ldapsearch -x  '(objectclass=*)'
>
> I get a dump of my near empty DB
>
>
>
> #-------- but
>
> ldapsearch -x  '(objectclass=*)' -ZZ -d 1
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP main.jungers.net:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 91.121.14.130:389
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush2: 31 bytes to sd 3
> ldap_result ld 0x7f13fa91e1b0 msgid 1
> wait4msg ld 0x7f13fa91e1b0 msgid 1 (infinite timeout)
> wait4msg continue ld 0x7f13fa91e1b0 msgid 1 all 1
> ** ld 0x7f13fa91e1b0 Connections:
> * host: main.jungers.net  port: 389  (default)
>  refcnt: 2  status: Connected
>  last used: Fri Jul 24 16:50:46 2009
>
>
> ** ld 0x7f13fa91e1b0 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>   outstanding referrals 0, parent count 0
>  ld 0x7f13fa91e1b0 request count 1 (abandoned 0)
> ** ld 0x7f13fa91e1b0 Response Queue:
>   Empty
>  ld 0x7f13fa91e1b0 response count 0
> ldap_chkResponseList ld 0x7f13fa91e1b0 msgid 1 all 1
> ldap_chkResponseList returns ld 0x7f13fa91e1b0 NULL
> ldap_int_select
> read1msg: ld 0x7f13fa91e1b0 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 12 contents:
> read1msg: ld 0x7f13fa91e1b0 msgid 1 message type extended-result
> ber_scanf fmt ({eAA) ber:
> read1msg: ld 0x7f13fa91e1b0 0 new referrals
> read1msg:  mark request completed, ld 0x7f13fa91e1b0 msgid 1
> request done: ld 0x7f13fa91e1b0 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_parse_extended_result
> ber_scanf fmt ({eAA) ber:
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_err2string
> ldap_start_tls: Connect error (-11)
> nicolas at i24:~$ ldapsearch -x  '(objectclass=*)' -ZZ
> ldap_start_tls: Connect error (-11)
>
>
>
> #-------- and on the server (loglevel 256)
>
> Jul 24 16:48:04 main slapd[2533]: conn=6 fd=17 ACCEPT from
> IP=193.93.113.2:55765 (IP=0.0.0.0:389)
> Jul 24 16:48:04 main slapd[2533]: conn=6 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> main slapd[2533]: conn=6 op=0 STARTTLS
> main slapd[2533]: conn=6 op=0 RESULT oid= err=0 text=
> main slapd[2533]: conn=6 fd=17 closed (TLS negotiation failure)
>
>
>
> #-------- if I try gnutls-cli I get
>
> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 389
> main.jungers.net
> Processed 2 CA certificate(s).
> Resolving 'main.jungers.net'...
> Connecting to '91.121.14.130:389'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.
>
>
>
> #-------- and on the server (loglevel 256)
>
> main slapd[2533]: conn=8 fd=17 ACCEPT from IP=193.93.113.2:55767
> (IP=0.0.0.0:389)
> main slapd[2533]: conn=8 fd=17 closed (connection lost)
>
>
>
> #-------- On a side note, it's not better with ssl:
>
> ldapsearch -x  '(objectclass=*)' -H ldaps://main.jungers.net:636 -d1
> ldap_url_parse_ext(ldaps://main.jungers.net:636)
> ldap_create
> ldap_url_parse_ext(ldaps://main.jungers.net:636/??base)
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP main.jungers.net:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 91.121.14.130:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
>
>
> #-------- and on the server (loglevel 256)
>
> main slapd[2533]: conn=7 fd=17 ACCEPT from IP=193.93.113.2:40004
> (IP=0.0.0.0:636)
> main slapd[2533]: conn=7 fd=17 closed (TLS negotiation failure)
>
>
>
> #-------- and
>
> ps ax|grep slapd
>  2533 ?        Ssl    0:00 /usr/sbin/slapd -h ldap:/// ldaps:/// -g
> openldap -u openldap -f /etc/ldap/slapd.conf
>
>
>
>
> At that point I imagined that my certificates were somewhat invalid, so
> I tried to show that:
>
>
>
> #-------- here's the server part
>
> gnutls-serv --x509cafile certs/cacert.org.pem --x509certfile
> certs/main.jungers.net.pem --x509keyfile
> private/main.jungers.net-key.pem -p 2389 -a
> Set static Diffie Hellman parameters, consider --dhparams.
> Processed 2 CA certificate(s).
> Echo Server ready. Listening to port '2389'.
>
>
> * connection from ::ffff:193.93.113.2, port 49127
> - Given server name[1]: main.jungers.net
> - Ephemeral Diffie-Hellman parameters
>  - Using prime: 1032 bits
>  - Secret key: 1014 bits
>  - Peer's public key: 1024 bits
> - Certificate type: X.509
> No certificates found!
>
> - Peer did not send any certificate.
> - Version: TLS1.1
> - Key Exchange: DHE-RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> ^CExiting via signal 2
>
>
>
> #-------- here's the client part
>
> gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 2389
> main.jungers.net
> Processed 2 CA certificate(s).
> Resolving 'main.jungers.net'...
> Connecting to '91.121.14.130:2389'...
> - Ephemeral Diffie-Hellman parameters
>  - Using prime: 1032 bits
>  - Secret key: 1013 bits
>  - Peer's public key: 1024 bits
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.
>
>  - Certificate[0] info:
>  # The hostname in the certificate matches 'main.jungers.net'.
>  # valid since: Thu Jul 23 23:05:41 CEST 2009
>  # expires at: Sat Jul 23 23:05:41 CEST 2011
>  # fingerprint: 0E:66:F0:48:1B:66:DE:A3:36:F2:F0:28:FE:CE:D1:69
>  # Subject's DN: CN=main.jungers.net
>  # Issuer's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3
> Root
>
>
> - Peer's certificate is trusted
> - Version: TLS1.1
> - Key Exchange: DHE-RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
>
> - Simple Client Mode:
>
>
>
>
>
>
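The report above exercises three things at once: whether the server certificate chains to the file named in TLSCACertificateFile, whether the key file belongs to that certificate, and whether the slapd user (openldap, via the ssl-cert group) can actually read the key. The following script is an added example, not code from the bug report or from the Debian package; it runs those checks offline against any CA file, certificate, key and service user you pass in. It assumes a Linux host with the OpenSSL command-line tool and GNU coreutils (`stat -c`, `id -Gn`); the function and variable names are my own.

```shell
#!/bin/sh
# Added example: consistency checks for slapd TLS material.
# Assumes: openssl(1), GNU stat(1) and id(1). All paths come from the arguments.

# check_chain CA_FILE CERT_FILE -> 0 if CERT_FILE verifies against the CA bundle.
# This is the check slapd's TLS stack performs implicitly; a CA file that
# lacks a self-signed root for the issuer fails here.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_key_matches CERT_FILE KEY_FILE -> 0 if the key's public half is the
# one embedded in the certificate (both are compared as SubjectPublicKeyInfo PEM).
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# last_three_octal MODE -> strips a leading setuid/setgid/sticky digit, if any.
last_three_octal() {
    m=$1
    printf '%s' "${m#"${m%???}"}"
}

# check_key_readable KEY_FILE USER -> 0 if USER can read the file through the
# owner bits, through a group USER belongs to, or through the other bits.
check_key_readable() {
    file=$1
    user=$2
    owner=$(stat -c %U "$file") || return 1
    group=$(stat -c %G "$file") || return 1
    mode=$(last_three_octal "$(stat -c %a "$file")")
    ur=${mode%??}
    gr=${mode#?}; gr=${gr%?}
    or=${mode#??}
    if [ "$owner" = "$user" ] && [ $((ur & 4)) -ne 0 ]; then return 0; fi
    if [ $((gr & 4)) -ne 0 ]; then
        for g in $(id -Gn "$user" 2>/dev/null); do
            [ "$g" = "$group" ] && return 0
        done
    fi
    [ $((or & 4)) -ne 0 ]
}

# key_world_readable KEY_FILE -> 0 if the "other" read bit is set (a finding,
# since a private key should never be readable by every local account).
key_world_readable() {
    mode=$(last_three_octal "$(stat -c %a "$1")") || return 1
    [ $(( ${mode#??} & 4 )) -ne 0 ]
}

# check_tls_material CA CERT KEY USER -> prints one line per check and
# returns the number of failed checks (0 means everything is consistent).
check_tls_material() {
    fails=0
    report() {
        if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
    }
    report check_chain "$1" "$2"
    report check_key_matches "$2" "$3"
    report check_key_readable "$3" "$4"
    if key_world_readable "$3"; then
        echo "WARN private key $3 is world-readable"
        fails=$((fails + 1))
    fi
    return $fails
}

# Stand-alone use with the paths and service user from the bug report:
#   sh tlscheck.sh /etc/ssl/certs/cacert.org.pem \
#       /etc/ssl/certs/main.jungers.net.pem \
#       /etc/ssl/private/main.jungers.net-key.pem openldap
if [ "$#" -eq 4 ]; then
    check_tls_material "$@"
fi
```

Matt's suggestion can be validated the same way: run `check_chain` with `/etc/ssl/certs/ca-certificates.crt` as the first argument and the server certificate as the second. Two caveats when reading the logs in the report: the strace shows slapd opening the key successfully, and the listing shows mode 0640 root:ssl-cert with openldap in ssl-cert, so the permission check is expected to pass in this setup; and `gnutls-cli -p 389` without STARTTLS is not a valid test of the server, because port 389 speaks plaintext LDAP first, which is exactly why the client reports a TLS packet of unexpected length. Only the ldaps port (636) or a client that issues the STARTTLS extended operation, as `ldapsearch -ZZ` does, tells you anything about the TLS configuration.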