[Pkg-openldap-devel] Bug#478883: Bug#478883: ldap-utils: ldapsearch -x from sid fail

Matt Kassawara battery at writeme.com
Mon Jun 8 15:14:47 UTC 2009


Did you upgrade from an older version of OpenLDAP built against OpenSSL?
Did you generate your certificates with OpenSSL or GnuTLS?

On Mon, Jun 8, 2009 at 8:43 AM, Simone Piccardi <piccardi at truelite.it> wrote:

> Package: ldap-utils
> Version: 2.4.15-1.1
> Severity: normal
>
>
> I have the following configuration for ldap client:
>
> BASE    dc=truelite,dc=it
> URI     ldaps://ldap.fi.trl
>
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
>
> tls_checkpeer no
> TLS_CACERT /etc/ssl/certs/Truelite-cacert.pem
>
> and similar for libnss-ldap.conf and pam_ldap.conf, but while NSS and
> PAM are working, using ldapsearch I got:
>
> piccardi at ellington:~$ ldapsearch -d 1 -x
> ldap_create
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap.fi.trl:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.1.2:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> TLS: peer cert untrusted or revoked (0x102)
> TLS: can't connect: (unknown error code).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
>
> The configuration on the server has not changed for a while, and for TLS it is:
>
> TLSCertificateFile      /etc/ssl/certs/ldap.fi.trl-cert.pem
> TLSCertificateKeyFile   /etc/ssl/private/ldap.fi.trl-key.pem
> TLSCipherSuite          HIGH
> TLSCACertificateFile    /etc/ssl/certs/Truelite-cacert.pem
>
>
> Running the server in debug mode I got:
>
> [...]
> slapd starting
> >>> slap_listener(ldaps:///)ldap_pvt_gethostbyname_a: host=davis, r=0
> connection_get(12): got connid=0
> connection_read(12): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(12): got connid=0
> connection_read(12): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(12): unable to get TLS client DN, error=49 id=0
> connection_get(12): got connid=0
> connection_read(12): checking for input on id=0
> ber_get_next
> ber_get_next on fd 12 failed errno=0 (Success)
> connection_closing: readying conn=0 sd=12 for close
> connection_close: conn=0 sd=12
> TLS trace: SSL3 alert write:warning:close notify
>
> I tried to check the certificates, and using openssl I got:
>
> ellington:/home/piccardi# openssl s_client -connect ldap.fi.trl:636 -CAfile /etc/ssl/certs/New-Truelite-cacert.pem
> CONNECTED(00000003)
> depth=1 /C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
> verify return:1
> depth=0 /C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=sistemi at truelite.it
> verify return:1
> ---
> Certificate chain
>  0 s:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=sistemi at truelite.it
>    i:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
>  1 s:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
>    i:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> subject=/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=sistemi at truelite.it
> issuer=/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=info at truelite.it
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3578 bytes and written 316 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>    Protocol  : TLSv1
>    Cipher    : AES256-SHA
>    Session-ID: 716BE0C7C993AC4F72CD2D02A57718AF8D2E55FC62356AD00BB8FF17265F4814
>    Session-ID-ctx:
>    Master-Key: D32B76AB62025227C6B3B8F210A7A544E10CD233056B59563DD2F3CBB07B94679315CDD9E9B3E88CFEC36DABEDF09930
>    Key-Arg   : None
>    Start Time: 1244471759
>    Timeout   : 300 (sec)
>    Verify return code: 0 (ok)
> ---
>
> while checking with gnutls-cli I got:
>
> ellington:/home/piccardi# gnutls-cli -d 3 --x509cafile /etc/ssl/certs/New-Truelite-cacert.pem -p 636 ldap.fi.trl
> Processed 1 CA certificate(s).
> Resolving 'ldap.fi.trl'...
> Connecting to '192.168.1.2:636'...
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_ARCFOUR_MD5
> |<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
> |<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
> |<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
> |<2>| EXT[9d4a140]: Sending extension CERT_TYPE
> |<2>| EXT[9d4a140]: Sending extension SERVER_NAME
> |<3>| HSK[9d4a140]: CLIENT HELLO was send [124 bytes]
> |<2>| ASSERT: gnutls_cipher.c:204
> |<2>| ASSERT: gnutls_cipher.c:204
> |<3>| HSK[9d4a140]: SERVER HELLO was received [74 bytes]
> |<3>| HSK[9d4a140]: Server's version: 3.1
> |<3>| HSK[9d4a140]: SessionID length: 32
> |<3>| HSK[9d4a140]: SessionID: 8a2dd5918d648cb0688cfa8a83b81b7355ca4c058215cf14c6d4e12c65c75235
> |<3>| HSK[9d4a140]: Selected cipher suite: RSA_AES_128_CBC_SHA1
> |<2>| ASSERT: gnutls_extensions.c:124
> |<2>| ASSERT: gnutls_cipher.c:204
> |<3>| HSK[9d4a140]: CERTIFICATE was received [3426 bytes]
> |<2>| ASSERT: gnutls_cipher.c:204
> |<3>| HSK[9d4a140]: SERVER HELLO DONE was received [4 bytes]
> |<2>| ASSERT: gnutls_handshake.c:1123
> |<3>| HSK[9d4a140]: CLIENT KEY EXCHANGE was send [134 bytes]
> |<2>| ASSERT: gnutls_cipher.c:204
> |<3>| REC[9d4a140]: Sent ChangeCipherSpec
> |<2>| ASSERT: gnutls_cipher.c:204
> |<3>| HSK[9d4a140]: Cipher Suite: RSA_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Initializing internal [write] cipher sessions
> |<3>| HSK[9d4a140]: FINISHED was send [16 bytes]
> |<2>| ASSERT: gnutls_cipher.c:204
> |<3>| HSK[9d4a140]: Cipher Suite: RSA_AES_128_CBC_SHA1
> |<3>| HSK[9d4a140]: Initializing internal [read] cipher sessions
> |<3>| HSK[9d4a140]: FINISHED was received [16 bytes]
> |<2>| ASSERT: ext_server_name.c:257
> - Certificate type: X.509
>  - Got a certificate list of 2 certificates.
>
>  - Certificate[0] info:
>  # The hostname in the certificate does NOT match 'ldap.fi.trl'.
>
>
> So it seems to be something related to gnutls.
>
> (I checked using ldapsearch from an Ubuntu 9.4 and there it works).
>
> -- System Information:
> Debian Release: squeeze/sid
>  APT prefers unstable
>  APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.29-2-686 (SMP w/2 CPU cores)
> Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages ldap-utils depends on:
> ii  libc6                     2.9-13         GNU C Library: Shared libraries
> ii  libgnutls26               2.6.6-1        the GNU TLS library - runtime libr
> ii  libldap-2.4-2             2.4.15-1.1     OpenLDAP libraries
> ii  libsasl2-2                2.1.23.dfsg1-1 Cyrus SASL - authentication abstra
>
> Versions of packages ldap-utils recommends:
> ii  libsasl2-modules          2.1.23.dfsg1-1 Cyrus SASL - pluggable authenticat
>
> ldap-utils suggests no packages.
>
> -- no debconf information
>
>
>
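The two error lines quoted above encode more than they say: the 0x102 in OpenLDAP's GnuTLS message is a gnutls_certificate_status_t bitmask, and the gnutls-cli hostname line reports a check that openssl s_client did not perform at the time, which is why the two tools disagree. The following Python triage helper is an added example, not code from the report or from OpenLDAP; it decodes both lines into what an operator should fix. It assumes the flag values from gnutls.h and uses the report's own two lines as embedded sample input.

```python
import re
# GnuTLS gnutls_certificate_status_t bits as this added example assumes them (gnutls.h).
GNUTLS_STATUS_FLAGS = {
    0x002: "GNUTLS_CERT_INVALID",
    0x020: "GNUTLS_CERT_REVOKED",
    0x040: "GNUTLS_CERT_SIGNER_NOT_FOUND",
    0x080: "GNUTLS_CERT_SIGNER_NOT_CA",
    0x100: "GNUTLS_CERT_INSECURE_ALGORITHM",
    0x200: "GNUTLS_CERT_NOT_ACTIVATED",
    0x400: "GNUTLS_CERT_EXPIRED",
}

# What an operator should fix for each flag (the chain itself or the client's CA config).
REMEDIATION = {
    "GNUTLS_CERT_REVOKED": "certificate is on a CRL; re-issue it",
    "GNUTLS_CERT_SIGNER_NOT_FOUND": "TLS_CACERT does not contain the issuing CA",
    "GNUTLS_CERT_SIGNER_NOT_CA": "issuer certificate lacks CA:TRUE basic constraints",
    "GNUTLS_CERT_INSECURE_ALGORITHM": "chain uses a weak signature (e.g. MD5); re-issue with SHA-2",
    "GNUTLS_CERT_NOT_ACTIVATED": "certificate notBefore is in the future; check clocks",
    "GNUTLS_CERT_EXPIRED": "certificate is past notAfter; renew it",
}

STATUS_RE = re.compile(r"TLS: peer cert untrusted or revoked \((0x[0-9a-fA-F]+)\)")
HOSTNAME_RE = re.compile(r"The hostname in the certificate does NOT match '([^']+)'")

def decode_status(status):
    """Split a GnuTLS verification status word into its named flag bits."""
    names = [name for bit, name in sorted(GNUTLS_STATUS_FLAGS.items()) if status & bit]
    unknown = status & ~sum(GNUTLS_STATUS_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names

def triage(log_text):
    """Scan ldapsearch -d 1 and gnutls-cli output and return actionable findings."""
    findings = []
    for m in STATUS_RE.finditer(log_text):
        for name in decode_status(int(m.group(1), 16)):
            if name != "GNUTLS_CERT_INVALID":  # summary bit, always set alongside a reason
                findings.append(REMEDIATION.get(name, name))
    for m in HOSTNAME_RE.finditer(log_text):
        findings.append("'%s' is not among the certificate's subjectAltName dNSName entries "
                        "(or its CN when no SAN is present); re-issue it with that name" % m.group(1))
    return findings

# The two diagnostic lines from the report above, embedded as constructed sample input.
SAMPLE = """TLS: peer cert untrusted or revoked (0x102)
 # The hostname in the certificate does NOT match 'ldap.fi.trl'."""
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```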