[Pkg-openssl-devel] Bug#1065424: Bug#1065424: Can't connect to Active Directory with openssl

Maciej Bogucki macbogucki at gmail.com
Mon Mar 11 12:29:10 GMT 2024


Hi,

Thank You for the reply.

Port is open

root at nsd-sdproxy1:~# telnet 192.168.92.95 636
Trying 192.168.92.95...
Connected to 192.168.92.95.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root at nsd-sdproxy1:~#

When I use a statically compiled openssl from a different system I can have the connection

root at nsd-sdproxy1:~# /tmp/openssl version
OpenSSL 1.0.1t  3 May 2016
root at nsd-sdproxy1:~# /tmp/openssl  s_client -connect 192.168.92.95:636 
-CAfile /etc/ssl/certs/ca-certificates.crt
CONNECTED(00000003)
depth=1 DC = it, DC = dev, CN = dev-DC1-CA
verify return:1
depth=0 CN = dc1.dev.it
verify return:1
---
Certificate chain
  0 s:/CN=dc1.dev.it
    i:/DC=it/DC=dev/CN=dev-DC1-CA
---
Server certificate
subject=/CN=dc1.dev.it
issuer=/DC=it/DC=dev/CN=dev-DC1-CA
---
No client certificate CA names sent
---
SSL handshake has read 2291 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : DHE-RSA-AES256-GCM-SHA384
     Session-ID: 
96050000DE98486C541ADF2DA7439BFE02395A6DAFCB7D7AC73D22BF6521C5CB
     Session-ID-ctx:
     Master-Key: 
F4B51C97DF7B67E71D39B7C3F9BFE71BE0CFF63BE6F4A198F1DDF201281CFBEF683B9F1278874EF18125E254B1DBAA26
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     Start Time: 1710160065
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---
^C
root at nsd-sdproxy1:~#

On the remote side is Windows 2008 with Active Directory over SSL/TLS.

Kind regards
Maciej Bogucki

On 4.03.2024 18:45, Sebastian Andrzej Siewior wrote:
> On 2024-03-04 11:16:14 [+0100], Maciej Bogucki wrote:
>>    When I invoke `/usr/bin/openssl s_client -connect 192.168.92.95:636`
> So you get no reply? That is odd. There has to be reply. A "Connected"
> line is something I would have expected. If there is nothing then I
> would assume that the port is silently blocked.
>
>>> from latest rocky linux it is ok
>>
>> [bogucki at nsd-ansible ~]$ /usr/bin/openssl  s_client -connect 192.168.92.95:636
>> CONNECTED(00000003)
> see, that line is missing.
>
>>> No client certificate CA names sent
>> Client Certificate Types: RSA sign, DSA sign, ECDSA sign
>> Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
>> Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1
>> Peer signing digest: SHA1
>> Peer signature type: RSA
> The remote side looks limited. So from all the possibilities it decided
> to sign with RSA+SHA1. This is something openssl in bookworm rejects if
> I am not mistaken. But there has to be an error message about this.
>
> I *think* if you lower the security level then it should work.
>
> Out of curiosity, what is the remote side running?
>
> Sebastian
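The security-level suggestion in the quoted reply, as an added example that is not code from the bug report or from Debian's openssl package: a POSIX shell probe that retries `openssl s_client` at decreasing `@SECLEVEL` values and classifies the output, so any downgrade is scoped to the one LDAPS host instead of being set system-wide in openssl.cnf. It assumes an OpenSSL that accepts `@SECLEVEL` in cipher strings (1.1.0 or later; bookworm's 3.0 does) and that `openssl` and `awk` are on the path; the sample output at the end is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian openssl package.
# Tries an LDAPS endpoint at SECLEVEL 2 (bookworm's default), then 1, then 0,
# and reports the first level at which the handshake completes.

# Classify `openssl s_client` output read on stdin. Distinguishes the three
# outcomes discussed in the thread: no CONNECTED line at all (TCP never
# completed, so the security level is irrelevant), a handshake that was
# rejected (s_client then prints "Cipher is (NONE)"), and a negotiated session.
classify_sclient_output() {
  awk '
    /^CONNECTED/           { connected = 1 }
    /^New, .*Cipher is /   { cipher = $NF }   # "(NONE)" when the handshake failed
    /Peer signing digest:/ { digest = $NF }   # e.g. SHA1; printed by OpenSSL >= 1.0.2
    END {
      if (!connected)                              print "no-tcp"
      else if (cipher == "" || cipher == "(NONE)") print "handshake-failed"
      else printf "ok digest=%s cipher=%s\n", (digest ? digest : "unknown"), cipher
    }'
}

# probe_levels HOST PORT CAFILE
probe_levels() {
  for level in 2 1 0; do
    result=$(openssl s_client -connect "$1:$2" -CAfile "$3" \
               -cipher "DEFAULT:@SECLEVEL=$level" </dev/null 2>&1 \
             | classify_sclient_output)
    echo "SECLEVEL=$level: $result"
    case $result in
      ok*)    return 0 ;;
      no-tcp) return 2 ;;   # lowering the level cannot help; check the network path
    esac
  done
  return 1
}

# With three arguments, probe a real host; otherwise run the classifier on
# constructed output modelled on the Rocky Linux run quoted in the thread.
if [ $# -eq 3 ]; then
  probe_levels "$1" "$2" "$3"
else
  printf 'CONNECTED(00000003)\nPeer signing digest: SHA1\nPeer signature type: RSA\nNew, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384\n' \
    | classify_sclient_output
fi
```

A result of `ok` only at a lowered level means the peer signs the handshake with an algorithm the default level refuses; the classifier's `digest=` field shows which one, which is the fact to record before deciding whether to carry the downgrade or fix the server.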


