Did you upgrade from an older version of OpenLDAP built against OpenSSL? Did you generate your certificates with OpenSSL or GnuTLS?<br><br><div class="gmail_quote">On Mon, Jun 8, 2009 at 8:43 AM, Simone Piccardi <span dir="ltr"><<a href="mailto:piccardi@truelite.it">piccardi@truelite.it</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Package: ldap-utils<br>
Version: 2.4.15-1.1<br>
Severity: normal<br>
<br>
<br>
I have the following configuration for ldap client:<br>
<br>
BASE dc=truelite,dc=it<br>
URI ldaps://ldap.fi.trl<br>
<br>
#SIZELIMIT 12<br>
#TIMELIMIT 15<br>
#DEREF never<br>
<br>
tls_checkpeer no<br>
TLS_CACERT /etc/ssl/certs/Truelite-cacert.pem<br>
<br>
and similar for libnss-ldap.conf and pam_ldap.conf, but while NSS and<br>
PAM are working, using ldapsearch I got:<br>
<br>
piccardi@ellington:~$ ldapsearch -d 1 -x<br>
ldap_create<br>
ldap_sasl_bind<br>
ldap_send_initial_request<br>
ldap_new_connection 1 1 0<br>
ldap_int_open_connection<br>
ldap_connect_to_host: TCP ldap.fi.trl:636<br>
ldap_new_socket: 3<br>
ldap_prepare_socket: 3<br>
ldap_connect_to_host: Trying <a href="http://192.168.1.2:636" target="_blank">192.168.1.2:636</a><br>
ldap_pvt_connect: fd: 3 tm: -1 async: 0<br>
TLS: peer cert untrusted or revoked (0x102)<br>
TLS: can't connect: (unknown error code).<br>
ldap_err2string<br>
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br>
<br>
<br>
The configuration on the server has not changed for a while, and for TLS it is:<br>
<br>
TLSCertificateFile /etc/ssl/certs/ldap.fi.trl-cert.pem<br>
TLSCertificateKeyFile /etc/ssl/private/ldap.fi.trl-key.pem<br>
TLSCipherSuite HIGH<br>
TLSCACertificateFile /etc/ssl/certs/Truelite-cacert.pem<br>
<br>
<br>
running the server in debug mode I got:<br>
<br>
[...]<br>
slapd starting<br>
>>> slap_listener(ldaps:///)ldap_pvt_gethostbyname_a: host=davis, r=0<br>
connection_get(12): got connid=0<br>
connection_read(12): checking for input on id=0<br>
TLS trace: SSL_accept:before/accept initialization<br>
TLS trace: SSL_accept:SSLv3 read client hello A<br>
TLS trace: SSL_accept:SSLv3 write server hello A<br>
TLS trace: SSL_accept:SSLv3 write certificate A<br>
TLS trace: SSL_accept:SSLv3 write server done A<br>
TLS trace: SSL_accept:SSLv3 flush data<br>
TLS trace: SSL_accept:error in SSLv3 read client certificate A<br>
TLS trace: SSL_accept:error in SSLv3 read client certificate A<br>
connection_get(12): got connid=0<br>
connection_read(12): checking for input on id=0<br>
TLS trace: SSL_accept:SSLv3 read client key exchange A<br>
TLS trace: SSL_accept:SSLv3 read finished A<br>
TLS trace: SSL_accept:SSLv3 write change cipher spec A<br>
TLS trace: SSL_accept:SSLv3 write finished A<br>
TLS trace: SSL_accept:SSLv3 flush data<br>
connection_read(12): unable to get TLS client DN, error=49 id=0<br>
connection_get(12): got connid=0<br>
connection_read(12): checking for input on id=0<br>
ber_get_next<br>
ber_get_next on fd 12 failed errno=0 (Success)<br>
connection_closing: readying conn=0 sd=12 for close<br>
connection_close: conn=0 sd=12<br>
TLS trace: SSL3 alert write:warning:close notify<br>
<br>
I tried to check the certificates, and using openssl I got:<br>
<br>
ellington:/home/piccardi# openssl s_client -connect ldap.fi.trl:636 -CAfile /etc/ssl/certs/New-Truelite-cacert.pem<br>
CONNECTED(00000003)<br>
depth=1 /C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=<a href="mailto:info@truelite.it">info@truelite.it</a><br>
verify return:1<br>
depth=0 /C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=<a href="mailto:sistemi@truelite.it">sistemi@truelite.it</a><br>
verify return:1<br>
---<br>
Certificate chain<br>
0 s:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=<a href="mailto:sistemi@truelite.it">sistemi@truelite.it</a><br>
i:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=<a href="mailto:info@truelite.it">info@truelite.it</a><br>
1 s:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=<a href="mailto:info@truelite.it">info@truelite.it</a><br>
i:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=<a href="mailto:info@truelite.it">info@truelite.it</a><br>
---<br>
Server certificate<br>
-----BEGIN CERTIFICATE-----<br>
[...]<br>
-----END CERTIFICATE-----<br>
subject=/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailAddress=<a href="mailto:sistemi@truelite.it">sistemi@truelite.it</a><br>
issuer=/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailAddress=<a href="mailto:info@truelite.it">info@truelite.it</a><br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 3578 bytes and written 316 bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is AES256-SHA<br>
Server public key is 1024 bit<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
Protocol : TLSv1<br>
Cipher : AES256-SHA<br>
Session-ID: 716BE0C7C993AC4F72CD2D02A57718AF8D2E55FC62356AD00BB8FF17265F4814<br>
Session-ID-ctx:<br>
Master-Key: D32B76AB62025227C6B3B8F210A7A544E10CD233056B59563DD2F3CBB07B94679315CDD9E9B3E88CFEC36DABEDF09930<br>
Key-Arg : None<br>
Start Time: 1244471759<br>
Timeout : 300 (sec)<br>
Verify return code: 0 (ok)<br>
---<br>
<br>
while checking with gnutls-cli I got:<br>
<br>
ellington:/home/piccardi# gnutls-cli -d 3 --x509cafile /etc/ssl/certs/New-Truelite-cacert.pem -p 636 ldap.fi.trl<br>
Processed 1 CA certificate(s).<br>
Resolving 'ldap.fi.trl'...<br>
Connecting to '192.168.1.2:636'...<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_ARCFOUR_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_ARCFOUR_MD5<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1<br>
|<2>| EXT[9d4a140]: Sending extension CERT_TYPE<br>
|<2>| EXT[9d4a140]: Sending extension SERVER_NAME<br>
|<3>| HSK[9d4a140]: CLIENT HELLO was send [124 bytes]<br>
|<2>| ASSERT: gnutls_cipher.c:204<br>
|<2>| ASSERT: gnutls_cipher.c:204<br>
|<3>| HSK[9d4a140]: SERVER HELLO was received [74 bytes]<br>
|<3>| HSK[9d4a140]: Server's version: 3.1<br>
|<3>| HSK[9d4a140]: SessionID length: 32<br>
|<3>| HSK[9d4a140]: SessionID: 8a2dd5918d648cb0688cfa8a83b81b7355ca4c058215cf14c6d4e12c65c75235<br>
|<3>| HSK[9d4a140]: Selected cipher suite: RSA_AES_128_CBC_SHA1<br>
|<2>| ASSERT: gnutls_extensions.c:124<br>
|<2>| ASSERT: gnutls_cipher.c:204<br>
|<3>| HSK[9d4a140]: CERTIFICATE was received [3426 bytes]<br>
|<2>| ASSERT: gnutls_cipher.c:204<br>
|<3>| HSK[9d4a140]: SERVER HELLO DONE was received [4 bytes]<br>
|<2>| ASSERT: gnutls_handshake.c:1123<br>
|<3>| HSK[9d4a140]: CLIENT KEY EXCHANGE was send [134 bytes]<br>
|<2>| ASSERT: gnutls_cipher.c:204<br>
|<3>| REC[9d4a140]: Sent ChangeCipherSpec<br>
|<2>| ASSERT: gnutls_cipher.c:204<br>
|<3>| HSK[9d4a140]: Cipher Suite: RSA_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Initializing internal [write] cipher sessions<br>
|<3>| HSK[9d4a140]: FINISHED was send [16 bytes]<br>
|<2>| ASSERT: gnutls_cipher.c:204<br>
|<3>| HSK[9d4a140]: Cipher Suite: RSA_AES_128_CBC_SHA1<br>
|<3>| HSK[9d4a140]: Initializing internal [read] cipher sessions<br>
|<3>| HSK[9d4a140]: FINISHED was received [16 bytes]<br>
|<2>| ASSERT: ext_server_name.c:257<br>
- Certificate type: X.509<br>
- Got a certificate list of 2 certificates.<br>
<br>
- Certificate[0] info:<br>
# The hostname in the certificate does NOT match 'ldap.fi.trl'.<br>
<br>
<br>
So it seems to be something related to gnutls.<br>
<br>
(I checked using ldapsearch from an Ubuntu 9.4 and there it works).<br>
<br>
-- System Information:<br>
Debian Release: squeeze/sid<br>
APT prefers unstable<br>
APT policy: (500, 'unstable')<br>
Architecture: i386 (i686)<br>
<br>
Kernel: Linux 2.6.29-2-686 (SMP w/2 CPU cores)<br>
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)<br>
Shell: /bin/sh linked to /bin/bash<br>
<br>
Versions of packages ldap-utils depends on:<br>
ii libc6 2.9-13 GNU C Library: Shared libraries<br>
ii libgnutls26 2.6.6-1 the GNU TLS library - runtime libr<br>
ii libldap-2.4-2 2.4.15-1.1 OpenLDAP libraries<br>
ii libsasl2-2 2.1.23.dfsg1-1 Cyrus SASL - authentication abstra<br>
<br>
Versions of packages ldap-utils recommends:<br>
ii libsasl2-modules 2.1.23.dfsg1-1 Cyrus SASL - pluggable authenticat<br>
<br>
ldap-utils suggests no packages.<br>
<br>
-- no debconf information<br>
<br>
<br>
<br>
_______________________________________________<br>
Pkg-openldap-devel mailing list<br>
<a href="mailto:Pkg-openldap-devel@lists.alioth.debian.org">Pkg-openldap-devel@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel" target="_blank">http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel</a><br>
<br>
</blockquote></div><br>
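The two tools in the report disagree because they check different things: `openssl s_client` of that era reports `Verify return code: 0 (ok)` from chain validation alone, while GnuTLS additionally compares the server name against the certificate's identities and rejects on mismatch. The script below is an added illustration, not code from the thread or from OpenLDAP/GnuTLS: it applies the usual TLS-client matching rules (subjectAltName dNSName entries take precedence, subject CN is only a fallback when no dNSName is present, wildcards cover one label) to constructed identity sets modelled on the report. The SAN contents of the real certificate are not on the page, so each scenario is hypothetical; `davis` is borrowed from the slapd log line `host=davis`.

```python
from __future__ import annotations

SERVER_NAME = "ldap.fi.trl"  # the name the client connects to (from the report)


def _label_match(pattern: str, host: str) -> bool:
    """Match one presented identifier against a hostname.

    A wildcard is honoured only as the complete leftmost label
    ("*.fi.trl"); it never matches the bare base domain and never
    spans more than one label, so "*.trl" does not cover ldap.fi.trl."""
    if pattern.startswith("*."):
        rest, parts = pattern[2:], host.split(".")
        return rest.count(".") >= 1 and len(parts) >= 2 and ".".join(parts[1:]) == rest
    return pattern == host


def hostname_matches(hostname: str, san_dns: list[str], subject_cn: str | None) -> tuple[bool, str]:
    """Return (matched, reason) the way a verifying TLS client decides it.

    If the certificate carries any dNSName SAN, the CN is ignored even
    when it would have matched; the CN is consulted only for SAN-less
    certificates. Names are compared case-insensitively."""
    host = hostname.lower().rstrip(".")
    if san_dns:
        for name in san_dns:
            if _label_match(name.lower(), host):
                return True, f"SAN dNSName {name!r} matches"
        return False, "dNSName SANs present but none match; CN not consulted"
    if subject_cn and _label_match(subject_cn.lower(), host):
        return True, f"no dNSName SAN; subject CN {subject_cn!r} matches"
    return False, "no dNSName SAN and subject CN does not match"


# Constructed scenarios (hypothetical SAN contents): (san_dns, subject_cn)
SCENARIOS = {
    "cn_only": ([], "ldap.fi.trl"),              # what the subject line suggests
    "san_other_host": (["davis"], "ldap.fi.trl"),  # CN right, but a SAN hides it
    "san_wildcard": (["*.fi.trl"], "davis"),     # wildcard covers ldap.fi.trl
    "san_wildcard_too_high": (["*.trl"], None),  # must not cross a label
}


def run_all() -> dict[str, bool]:
    """Evaluate every scenario against the server name from the report."""
    return {name: hostname_matches(SERVER_NAME, *ids)[0] for name, ids in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ids in SCENARIOS.items():
        ok, why = hostname_matches(SERVER_NAME, *ids)
        print(f"{name:22s} {'MATCH   ' if ok else 'MISMATCH'} {why}")
```

Running it shows that a certificate whose CN reads `ldap.fi.trl` can still fail the GnuTLS hostname check when it carries a dNSName SAN for a different name, while chain validation (what `openssl s_client` printed) stays green in every scenario.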