[Pkg-openldap-devel] Bug#478883: ldap-utils: ldapsearch -x from sid fail
Simone Piccardi
piccardi at truelite.it
Mon Jun 8 14:43:17 UTC 2009
Package: ldap-utils
Version: 2.4.15-1.1
Severity: normal
I have the following configuration for the ldap client:
BASE dc=truelite,dc=it
URI ldaps://ldap.fi.trl
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
tls_checkpeer no
TLS_CACERT /etc/ssl/certs/Truelite-cacert.pem
and similar for libnss-ldap.conf and pam_ldap.conf, but while NSS and
PAM are working, using ldapsearch I got:
piccardi at ellington:~$ ldapsearch -d 1 -x
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.fi.trl:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.2:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The configuration on the server has not changed for a while, and for TLS it is:
TLSCertificateFile /etc/ssl/certs/ldap.fi.trl-cert.pem
TLSCertificateKeyFile /etc/ssl/private/ldap.fi.trl-key.pem
TLSCipherSuite HIGH
TLSCACertificateFile /etc/ssl/certs/Truelite-cacert.pem
Running the server in debug mode I got:
[...]
slapd starting
>>> slap_listener(ldaps:///)ldap_pvt_gethostbyname_a: host=davis, r=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
TLS trace: SSL3 alert write:warning:close notify
I tried to check the certificates and using openssl I got:
ellington:/home/piccardi# openssl s_client -connect ldap.fi.trl:636 -CAfile /etc/ssl/certs/New-Truelite-cacert.pem
CONNECTED(00000003)
depth=1 /C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
verify return:1
depth=0 /C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=sistemi at truelite.it
verify return:1
---
Certificate chain
0 s:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=sistemi at truelite.it
i:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
1 s:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
i:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=sistemi at truelite.it
issuer=/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
---
No client certificate CA names sent
---
SSL handshake has read 3578 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 716BE0C7C993AC4F72CD2D02A57718AF8D2E55FC62356AD00BB8FF17265F4814
Session-ID-ctx:
Master-Key: D32B76AB62025227C6B3B8F210A7A544E10CD233056B59563DD2F3CBB07B94679315CDD9E9B3E88CFEC36DABEDF09930
Key-Arg : None
Start Time: 1244471759
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
While checking with gnutls-cli I got:
ellington:/home/piccardi# gnutls-cli -d 3 --x509cafile /etc/ssl/certs/New-Truelite-cacert.pem -p 636 ldap.fi.trl
Processed 1 CA certificate(s).
Resolving 'ldap.fi.trl'...
Connecting to '192.168.1.2:636'...
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
|<2>| EXT[9d4a140]: Sending extension CERT_TYPE
|<2>| EXT[9d4a140]: Sending extension SERVER_NAME
|<3>| HSK[9d4a140]: CLIENT HELLO was send [124 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: SERVER HELLO was received [74 bytes]
|<3>| HSK[9d4a140]: Server's version: 3.1
|<3>| HSK[9d4a140]: SessionID length: 32
|<3>| HSK[9d4a140]: SessionID: 8a2dd5918d648cb0688cfa8a83b81b7355ca4c058215cf14c6d4e12c65c75235
|<3>| HSK[9d4a140]: Selected cipher suite: RSA_AES_128_CBC_SHA1
|<2>| ASSERT: gnutls_extensions.c:124
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: CERTIFICATE was received [3426 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: SERVER HELLO DONE was received [4 bytes]
|<2>| ASSERT: gnutls_handshake.c:1123
|<3>| HSK[9d4a140]: CLIENT KEY EXCHANGE was send [134 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| REC[9d4a140]: Sent ChangeCipherSpec
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: Cipher Suite: RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Initializing internal [write] cipher sessions
|<3>| HSK[9d4a140]: FINISHED was send [16 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: Cipher Suite: RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Initializing internal [read] cipher sessions
|<3>| HSK[9d4a140]: FINISHED was received [16 bytes]
|<2>| ASSERT: ext_server_name.c:257
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
# The hostname in the certificate does NOT match 'ldap.fi.trl'.
So it seems to be something related to gnutls.
(I checked using ldapsearch from an Ubuntu 9.4 and there it works).
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-2-686 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ldap-utils depends on:
ii libc6 2.9-13 GNU C Library: Shared libraries
ii libgnutls26 2.6.6-1 the GNU TLS library - runtime libr
ii libldap-2.4-2 2.4.15-1.1 OpenLDAP libraries
ii libsasl2-2 2.1.23.dfsg1-1 Cyrus SASL - authentication abstra
Versions of packages ldap-utils recommends:
ii libsasl2-modules 2.1.23.dfsg1-1 Cyrus SASL - pluggable authenticat
ldap-utils suggests no packages.
-- no debconf information
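As an added example (not from the bug report, OpenLDAP or GnuTLS), the hostname check that gnutls-cli reports, written in Python over constructed certificate fields: a TLS client that finds dNSName subjectAltName entries compares only those and never falls back to the subject CN, so a certificate whose CN reads `ldap.fi.trl` can still be rejected for that name, while the chain-only check in the `openssl s_client` output above says nothing about the hostname. The SAN value `davis` in the sample data is an assumption for illustration, not something the report shows.

```python
"""Hostname matching as a TLS client applies it, on constructed certificate data."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the entire left-most label (``*.fi.trl``)
    and matches exactly one label, as RFC 6125 recommends.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:])
    return False


def check_hostname(subject_cn, san_dns_names, hostname):
    """Return (matched, reason) for a certificate described by its fields.

    If the certificate carries any dNSName subjectAltName, only those names are
    consulted; the CN is a fallback solely for certificates with no dNSName at all.
    """
    if san_dns_names:
        for name in san_dns_names:
            if _name_matches(name, hostname):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, (f"no subjectAltName dNSName matches {hostname!r}; "
                       f"CN {subject_cn!r} is ignored because dNSName entries exist")
    if subject_cn and _name_matches(subject_cn, hostname):
        return True, f"matched subject CN {subject_cn!r} (no dNSName present)"
    return False, f"CN {subject_cn!r} does not match {hostname!r}"


if __name__ == "__main__":
    # Constructed cases: same CN as in the report, with and without an assumed SAN.
    cases = [
        ("ldap.fi.trl", [], "ldap.fi.trl"),          # CN only: accepted
        ("ldap.fi.trl", ["davis"], "ldap.fi.trl"),   # assumed SAN: rejected, CN ignored
        ("ignored", ["*.fi.trl"], "ldap.fi.trl"),    # wildcard SAN: accepted
        ("ignored", ["*.trl"], "ldap.fi.trl"),       # wildcard spans two labels: rejected
    ]
    for cn, sans, host in cases:
        ok, why = check_hostname(cn, sans, host)
        print(f"{'OK ' if ok else 'BAD'} CN={cn!r} SAN={sans} host={host!r}: {why}")
```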