[Pkg-openldap-devel] How to make TLSVerifyClient demand in slapd.conf work?

Javier Barroso javibarroso at gmail.com
Wed Nov 25 12:21:09 UTC 2009


Hi,

First, sorry if this is not the correct list.

I'm trying to configure ldap + starttls server.

I tried various slapd versions from etch, lenny and squeeze, but no
luck. Finally I am now trying to compile with openssl instead of
gnutls (the problem is the same).

I don't know what I am doing wrong:

1. Create the CA. cacert-company.pem is generated:
   # CA.pl -newca
2. Create the ldap.company.com certificate (finally named
   ldap-company-{cert,key}.pem):
   # CA.pl -newreq
   # CA.pl -sign
   # openssl rsa -in newcert.pem -out newcert-without-password.pem
3. Create the client certificate (client-{cert,key}.pem); steps identical to 2.

Now I configure my slapd.conf:
# grep TLS /etc/ldap/slapd.conf
TLSCACertificateFile /etc/ldap/tls/cacert-company.pem
TLSCertificateFile /etc/ldap/tls/ldap-company-cert.pem
TLSCertificateKeyFile /etc/ldap/tls/ldap-company-key.pem
TLSVerifyClient allow

Then I configure ldap.conf on the client:
TLS_CACERT /etc/ca-certificates/company/cacert-company.pem
TLS_CERT /etc/ssl/client-cert.pem
TLS_KEY /etc/ssl/private/client-key.pem
TLS_REQCERT    demand

After restarting slapd, a search with ldapsearch works and
tcpdump shows SSL traffic:
ldapsearch -x -h ldap.company.com -b 'dc=company,dc=com' uid=jbarroso uid  -ZZ
result: 0 Success

# numResponses: 2
# numEntries: 1


If I change from "TLSVerifyClient allow" to "TLSVerifyClient demand",
the ldapsearch command fails and finishes with:
...
tls_write: want=6, written=6
  0000:  14 03 01 00 01 01                                  ......
tls_write: want=197 error=Broken pipe
TLS: can't connect: Error in the push function..
ldap_err2string
ldap_start_tls: Connect error (-11)

I compiled slapd from deb-src with openssl support, with the same result
but a different client error:
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure.
ldap_err2string
ldap_start_tls: Connect error (-11)

I read
http://www.openldap.org/lists/openldap-software/200703/msg00253.html,
but I would like to understand why this config is not working.

I tested the certificates with gnutls-serv / gnutls-cli, and with these
certs it works fine.

So, is this a known bug that I should report, or did I miss
something in the configuration?

A guy on the Debian IRC pointed me to the LDAP FAQ [1], but I would like to use
ldap from your packages (and I think this is not a package issue).

Thank you very much

[1] http://www.openldap.org/faq/data/cache/1456.html
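The following check script is an added example, not code from the original post or from the OpenLDAP project. When slapd moves from "TLSVerifyClient allow" to "demand", the handshake is aborted unless the client presents a certificate that chains to slapd's TLSCACertificateFile, so it verifies the three client-side preconditions offline: the client certificate chains to the CA file, the private key is stored without a passphrase (neither slapd nor the ldap client library can prompt for one), and that key belongs to the certificate. The file paths in the usage comment are the ones from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenLDAP.
# Sanity-check the client-side files behind a "TLSVerifyClient demand" setup.

# Does the certificate chain to the given CA file (slapd's TLSCACertificateFile)?
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is the private key stored without a passphrase?  Both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY"
# header contain the word ENCRYPTED.
check_key_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Does the private key belong to the certificate?  Compare the PEM public
# keys rather than RSA moduli so the check also works for non-RSA keys.
# An empty -passin makes an encrypted key fail instead of prompting.
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all three checks in order; report the first failure and return non-zero.
check_client_files() {
    ca=$1; cert=$2; key=$3
    check_chain "$ca" "$cert" \
        || { echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    check_key_unencrypted "$key" \
        || { echo "FAIL: $key is passphrase-protected" >&2; return 1; }
    check_key_matches "$cert" "$key" \
        || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    echo "OK: $cert chains to $ca and matches $key"
}

# Usage: sh check-tls-files.sh CA-FILE CERT-FILE KEY-FILE, for example with
# the paths from the post:
#   sh check-tls-files.sh /etc/ca-certificates/company/cacert-company.pem \
#       /etc/ssl/client-cert.pem /etc/ssl/private/client-key.pem
if [ $# -eq 3 ]; then
    check_client_files "$1" "$2" "$3"
fi
```

Run the same script against the server's TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile to check the slapd side with the same three tests.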
