[Pkg-openssl-devel] Bug#1065424: Can't connect to Active Directory with openssl

Maciej Bogucki macbogucki at gmail.com
Mon Mar 4 10:16:14 GMT 2024


Package: openssl
Version: 3.0.11-1~deb12u2

When I invoke `/usr/bin/openssl s_client -connect 192.168.92.95:636`


root at nsd-sdproxy1:~# cat /etc/debian_version
12.5
root at nsd-sdproxy1:~#

root at nsd-sdproxy1:~# uname -a
Linux nsd-sdproxy1 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
root at nsd-sdproxy1:~#


I have the latest patches installed.


Telnet works

root at nsd-sdproxy1:~# telnet  192.168.92.95 636
Trying 192.168.92.95...
Connected to nsd-ad.
Escape character is '^]'.


From the latest Rocky Linux it is OK:

[bogucki at nsd-ansible ~]$ /usr/bin/openssl  s_client -connect 192.168.92.95:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = dc1.dev.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dc1.dev.it
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = dc1.dev.it
verify return:1
---
Certificate chain
  0 s:CN = dc1.dev.it
    i:DC = it, DC = dev, CN = dev-DC1-CA
---
Server certificate
subject=CN = dc1.dev.it

issuer=DC = it, DC = dev, CN = dev-DC1-CA

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2020 bytes and written 467 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES128-SHA256
     Session-ID: 281C000089A8FE3766C77054BA467FB88A4AFE62F9B52D478E6840B5B29F2787
     Session-ID-ctx:
     Master-Key: 2A4EBD468A173EA25C9217F586BE7D91206D0D367D75F44118205118DEE042B5B804292F3FEFD020A19EC6034F86B19C
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1709547310
     Timeout   : 7200 (sec)
     Verify return code: 21 (unable to verify the first certificate)
     Extended master secret: yes
---




-- 
Kind regards
Maciej Bogucki