Looks like you're using <a href="http://cacert.org">cacert.org</a> to sign your certificates. Since Debian already includes that CA, try installing the ca-certificates package and changing TLSCACertificateFile to /etc/ssl/certs/ca-certificates.crt... at least for testing purposes.<br>
<br><div class="gmail_quote">On Fri, Jul 24, 2009 at 9:16 AM, Nicolas Jungers <span dir="ltr"><<a href="mailto:deblbug@jungers.net">deblbug@jungers.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Package: slapd<br>
Version: 2.4.11-1<br>
<br>
My installation of slapd fails to successfully negotiate a TLS or an SSL<br>
connection. An unencrypted connection works fine. The used set of<br>
key/certificates works within the couple (gnutls-server,gnutls-cli).<br>
<br>
Any pointer to an obvious mistake will be appreciated :-)<br>
<br>
Nicolas<br>
<br>
<br>
#-------- bits from slapd.conf<br>
<br>
# TLS configuration<br>
# CA<br>
TLSCACertificateFile /etc/ssl/certs/cacert.org.pem<br>
# Cert<br>
TLSCertificateFile /etc/ssl/certs/main.jungers.net.pem<br>
TLSCertificateKeyFile /etc/ssl/private/main.jungers.net-key.pem<br>
#TLSCipherSuite HIGH <-- not with gnutls (openssl keyword)<br>
<br>
<br>
<br>
where<br>
<br>
<br>
<br>
#-------- bits of system configuration<br>
<br>
ll /etc/ssl/private/main.jungers.net-key.pem<br>
-rw-r----- 1 root ssl-cert 1676 2009-07-23 23:07<br>
/etc/ssl/private/main.jungers.net-key.pem<br>
<br>
and<br>
<br>
grep ssl /etc/group<br>
ssl-cert:x:106:postgres,caldavd,openldap<br>
<br>
<br>
<br>
#-------- running with loglevel 64 gives<br>
<br>
main slapd[2532]: line 64 (TLSCACertificateFile<br>
/etc/ssl/certs/cacert.org.pem)<br>
main slapd[2532]: line 66 (TLSCertificateFile<br>
/etc/ssl/certs/main.jungers.net.pem)<br>
main slapd[2532]: line 67 (TLSCertificateKeyFile<br>
/etc/ssl/private/main.jungers.net-key.pem)<br>
<br>
<br>
<br>
#-------- and finally a strace gives<br>
<br>
open("/etc/ssl/certs/cacert.org.pem", O_RDONLY) = 10<br>
fstat(10, {st_mode=S_IFREG|0644, st_size=4720, ...}) = 0<br>
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)<br>
= 0x7f55f1c9e000<br>
read(10, "-----BEGIN CERTIFICATE-----\nMIIHP"..., 8192) = 4720<br>
read(10, ""..., 4096) = 0<br>
close(10) = 0<br>
munmap(0x7f55f1c9e000, 4096) = 0<br>
open("/etc/ssl/private/main.jungers.net-key.pem", O_RDONLY) = 10<br>
fstat(10, {st_mode=S_IFREG|0640, st_size=1676, ...}) = 0<br>
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)<br>
= 0x7f55f1c9e000<br>
read(10, "-----BEGIN RSA PRIVATE KEY-----\nM"..., 8192) = 1676<br>
read(10, ""..., 4096) = 0<br>
close(10) = 0<br>
munmap(0x7f55f1c9e000, 4096) = 0<br>
open("/etc/ssl/certs/main.jungers.net.pem", O_RDONLY) = 10<br>
fstat(10, {st_mode=S_IFREG|0644, st_size=1693, ...}) = 0<br>
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)<br>
= 0x7f55f1c9e000<br>
read(10, "-----BEGIN CERTIFICATE-----\nMIIEs"..., 8192) = 1693<br>
read(10, ""..., 4096) = 0<br>
close(10) = 0<br>
<br>
<br>
<br>
#-------- Now if I issue:<br>
<br>
ldapsearch -x '(objectclass=*)'<br>
<br>
I get a dump of my near empty DB<br>
<br>
<br>
<br>
#-------- but<br>
<br>
ldapsearch -x '(objectclass=*)' -ZZ -d 1<br>
ldap_create<br>
ldap_extended_operation_s<br>
ldap_extended_operation<br>
ldap_send_initial_request<br>
ldap_new_connection 1 1 0<br>
ldap_int_open_connection<br>
ldap_connect_to_host: TCP <a href="http://main.jungers.net:389" target="_blank">main.jungers.net:389</a><br>
ldap_new_socket: 3<br>
ldap_prepare_socket: 3<br>
ldap_connect_to_host: Trying <a href="http://91.121.14.130:389" target="_blank">91.121.14.130:389</a><br>
ldap_pvt_connect: fd: 3 tm: -1 async: 0<br>
ldap_open_defconn: successful<br>
ldap_send_server_request<br>
ber_scanf fmt ({it) ber:<br>
ber_scanf fmt ({) ber:<br>
ber_flush2: 31 bytes to sd 3<br>
ldap_result ld 0x7f13fa91e1b0 msgid 1<br>
wait4msg ld 0x7f13fa91e1b0 msgid 1 (infinite timeout)<br>
wait4msg continue ld 0x7f13fa91e1b0 msgid 1 all 1<br>
** ld 0x7f13fa91e1b0 Connections:<br>
* host: <a href="http://main.jungers.net" target="_blank">main.jungers.net</a> port: 389 (default)<br>
refcnt: 2 status: Connected<br>
last used: Fri Jul 24 16:50:46 2009<br>
<br>
<br>
** ld 0x7f13fa91e1b0 Outstanding Requests:<br>
* msgid 1, origid 1, status InProgress<br>
outstanding referrals 0, parent count 0<br>
ld 0x7f13fa91e1b0 request count 1 (abandoned 0)<br>
** ld 0x7f13fa91e1b0 Response Queue:<br>
Empty<br>
ld 0x7f13fa91e1b0 response count 0<br>
ldap_chkResponseList ld 0x7f13fa91e1b0 msgid 1 all 1<br>
ldap_chkResponseList returns ld 0x7f13fa91e1b0 NULL<br>
ldap_int_select<br>
read1msg: ld 0x7f13fa91e1b0 msgid 1 all 1<br>
ber_get_next<br>
ber_get_next: tag 0x30 len 12 contents:<br>
read1msg: ld 0x7f13fa91e1b0 msgid 1 message type extended-result<br>
ber_scanf fmt ({eAA) ber:<br>
read1msg: ld 0x7f13fa91e1b0 0 new referrals<br>
read1msg: mark request completed, ld 0x7f13fa91e1b0 msgid 1<br>
request done: ld 0x7f13fa91e1b0 msgid 1<br>
res_errno: 0, res_error: <>, res_matched: <><br>
ldap_free_request (origid 1, msgid 1)<br>
ldap_parse_extended_result<br>
ber_scanf fmt ({eAA) ber:<br>
ldap_parse_result<br>
ber_scanf fmt ({iAA) ber:<br>
ber_scanf fmt (}) ber:<br>
ldap_msgfree<br>
ldap_err2string<br>
ldap_start_tls: Connect error (-11)<br>
nicolas@i24:~$ ldapsearch -x '(objectclass=*)' -ZZ<br>
ldap_start_tls: Connect error (-11)<br>
<br>
<br>
<br>
#-------- and on the server (loglevel 256)<br>
<br>
Jul 24 16:48:04 main slapd[2533]: conn=6 fd=17 ACCEPT from<br>
IP=<a href="http://193.93.113.2:55765" target="_blank">193.93.113.2:55765</a> (IP=<a href="http://0.0.0.0:389" target="_blank">0.0.0.0:389</a>)<br>
Jul 24 16:48:04 main slapd[2533]: conn=6 op=0 EXT oid=1.3.6.1.4.1.1466.20037<br>
main slapd[2533]: conn=6 op=0 STARTTLS<br>
main slapd[2533]: conn=6 op=0 RESULT oid= err=0 text=<br>
main slapd[2533]: conn=6 fd=17 closed (TLS negotiation failure)<br>
<br>
<br>
<br>
#-------- if I try gnutls-cli I get<br>
<br>
gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 389<br>
main.jungers.net<br>
Processed 2 CA certificate(s).<br>
Resolving '<a href="http://main.jungers.net" target="_blank">main.jungers.net</a>'...<br>
Connecting to '91.121.14.130:389'...<br>
*** Fatal error: A TLS packet with unexpected length was received.<br>
*** Handshake has failed<br>
GNUTLS ERROR: A TLS packet with unexpected length was received.<br>
<br>
<br>
<br>
#-------- and on the server (loglevel 256)<br>
<br>
main slapd[2533]: conn=8 fd=17 ACCEPT from IP=<a href="http://193.93.113.2:55767" target="_blank">193.93.113.2:55767</a><br>
(IP=<a href="http://0.0.0.0:389" target="_blank">0.0.0.0:389</a>)<br>
main slapd[2533]: conn=8 fd=17 closed (connection lost)<br>
<br>
<br>
<br>
#-------- On a side note, it's not better with ssl:<br>
<br>
ldapsearch -x '(objectclass=*)' -H ldaps://<a href="http://main.jungers.net:636" target="_blank">main.jungers.net:636</a> -d1<br>
ldap_url_parse_ext(ldaps://<a href="http://main.jungers.net:636" target="_blank">main.jungers.net:636</a>)<br>
ldap_create<br>
ldap_url_parse_ext(ldaps://<a href="http://main.jungers.net:636/??base" target="_blank">main.jungers.net:636/??base</a>)<br>
ldap_sasl_bind<br>
ldap_send_initial_request<br>
ldap_new_connection 1 1 0<br>
ldap_int_open_connection<br>
ldap_connect_to_host: TCP <a href="http://main.jungers.net:636" target="_blank">main.jungers.net:636</a><br>
ldap_new_socket: 3<br>
ldap_prepare_socket: 3<br>
ldap_connect_to_host: Trying <a href="http://91.121.14.130:636" target="_blank">91.121.14.130:636</a><br>
ldap_pvt_connect: fd: 3 tm: -1 async: 0<br>
ldap_err2string<br>
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)<br>
<br>
<br>
<br>
#-------- and on the server (loglevel 256)<br>
<br>
main slapd[2533]: conn=7 fd=17 ACCEPT from IP=<a href="http://193.93.113.2:40004" target="_blank">193.93.113.2:40004</a><br>
(IP=<a href="http://0.0.0.0:636" target="_blank">0.0.0.0:636</a>)<br>
main slapd[2533]: conn=7 fd=17 closed (TLS negotiation failure)<br>
<br>
<br>
<br>
#-------- and<br>
<br>
ps ax|grep slapd<br>
2533 ? Ssl 0:00 /usr/sbin/slapd -h ldap:/// ldaps:/// -g<br>
openldap -u openldap -f /etc/ldap/slapd.conf<br>
<br>
<br>
<br>
<br>
At that point I imagined that my certificates were somewhat invalid, so<br>
I tried to show that:<br>
<br>
<br>
<br>
#-------- here's the server part<br>
<br>
gnutls-serv --x509cafile certs/cacert.org.pem --x509certfile<br>
certs/main.jungers.net.pem --x509keyfile<br>
private/main.jungers.net-key.pem -p 2389 -a<br>
Set static Diffie Hellman parameters, consider --dhparams.<br>
Processed 2 CA certificate(s).<br>
Echo Server ready. Listening to port '2389'.<br>
<br>
<br>
* connection from ::ffff:193.93.113.2, port 49127<br>
- Given server name[1]: <a href="http://main.jungers.net" target="_blank">main.jungers.net</a><br>
- Ephemeral Diffie-Hellman parameters<br>
- Using prime: 1032 bits<br>
- Secret key: 1014 bits<br>
- Peer's public key: 1024 bits<br>
- Certificate type: X.509<br>
No certificates found!<br>
<br>
- Peer did not send any certificate.<br>
- Version: TLS1.1<br>
- Key Exchange: DHE-RSA<br>
- Cipher: AES-128-CBC<br>
- MAC: SHA1<br>
- Compression: NULL<br>
^CExiting via signal 2<br>
<br>
<br>
<br>
#-------- here's the client part<br>
<br>
gnutls-cli --x509cafile /etc/ssl/certs/cacert.org.pem -p 2389<br>
<a href="http://main.jungers.net" target="_blank">main.jungers.net</a><br>
Processed 2 CA certificate(s).<br>
Resolving '<a href="http://main.jungers.net" target="_blank">main.jungers.net</a>'...<br>
Connecting to '91.121.14.130:2389'...<br>
- Ephemeral Diffie-Hellman parameters<br>
- Using prime: 1032 bits<br>
- Secret key: 1013 bits<br>
- Peer's public key: 1024 bits<br>
- Certificate type: X.509<br>
- Got a certificate list of 1 certificates.<br>
<br>
- Certificate[0] info:<br>
# The hostname in the certificate matches '<a href="http://main.jungers.net" target="_blank">main.jungers.net</a>'.<br>
# valid since: Thu Jul 23 23:05:41 CEST 2009<br>
# expires at: Sat Jul 23 23:05:41 CEST 2011<br>
# fingerprint: 0E:66:F0:48:1B:66:DE:A3:36:F2:F0:28:FE:CE:D1:69<br>
# Subject's DN: CN=<a href="http://main.jungers.net" target="_blank">main.jungers.net</a><br>
# Issuer's DN: O=CAcert Inc.,OU=<a href="http://www.CAcert.org" target="_blank">http://www.CAcert.org</a>,CN=CAcert Class 3<br>
Root<br>
<br>
<br>
- Peer's certificate is trusted<br>
- Version: TLS1.1<br>
- Key Exchange: DHE-RSA<br>
- Cipher: AES-128-CBC<br>
- MAC: SHA1<br>
- Compression: NULL<br>
- Handshake was completed<br>
<br>
- Simple Client Mode:<br>
<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Pkg-openldap-devel mailing list<br>
<a href="mailto:Pkg-openldap-devel@lists.alioth.debian.org">Pkg-openldap-devel@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel" target="_blank">http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel</a><br>
<br>
</blockquote></div><br>
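The report above walks through the checks an administrator runs by hand when slapd refuses to negotiate TLS: which files the TLS* directives point at, whether the service user (openldap, via the ssl-cert group) can read a 0640 key file, and how many CA certificates a bundle actually contains (the "Processed 2 CA certificate(s)" line from gnutls-cli). The script below automates exactly those checks. It is an added example, not code from the bug report, from the reply, or from the slapd package. It assumes only the Python standard library; the PEM files it creates are constructed filler (base64 of arbitrary bytes, not real certificates or keys), and file owner and group names are injected through an `owner_of` callback so the fixture can mimic the `root ssl-cert` ownership from the report without running as root.

```python
"""Audit the files named by slapd.conf TLS directives (added example, not project code)."""
import base64
import os
import re
import stat
import tempfile

# slapd.conf directives that name files slapd must be able to open (as in the report).
TLS_FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)


def parse_tls_directives(conf_text):
    """Map each TLS file directive to its path; lines starting with '#' are comments."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_FILE_DIRECTIVES:
            found[parts[0]] = parts[1].strip()
    return found


def parse_group_file(group_text):
    """Parse /etc/group lines (name:x:gid:member,member) into {group: set(members)}."""
    groups = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4:
            groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def pem_block_labels(path):
    """Return the label of every PEM block whose base64 body decodes cleanly."""
    with open(path) as fh:
        text = fh.read()
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)  # binascii.Error if corrupt
        labels.append(label)
    return labels


def readable_by(mode, owner, group, user, user_groups):
    """POSIX discretionary read check: owner bits if the user owns the file, otherwise
    group bits if the user is in the file's group, otherwise other bits. root bypasses DAC."""
    if user == "root":
        return True
    if owner == user:
        return bool(mode & stat.S_IRUSR)
    if group in user_groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_tls_files(conf_text, group_text, service_user, service_group, owner_of):
    """Check each TLS file: present, readable by the service user, key not world-readable,
    and holding PEM blocks of the right kind. owner_of(path) -> (owner, group) is injected
    so a fixture can stand in for real ownership without chown privileges."""
    groups = parse_group_file(group_text)
    user_groups = {service_group} | {g for g, members in groups.items() if service_user in members}
    report = {"ca_certs": 0, "findings": []}
    for directive, path in parse_tls_directives(conf_text).items():
        if not os.path.isfile(path):
            report["findings"].append(f"{directive}: {path} missing")
            continue
        mode = os.stat(path).st_mode
        owner, group = owner_of(path)
        if not readable_by(mode, owner, group, service_user, user_groups):
            report["findings"].append(f"{directive}: {path} not readable by {service_user}")
        if directive == "TLSCertificateKeyFile" and mode & stat.S_IROTH:
            report["findings"].append(f"{directive}: {path} is world-readable")
        labels = pem_block_labels(path)
        want = "PRIVATE KEY" if directive == "TLSCertificateKeyFile" else "CERTIFICATE"
        if not labels or any(not lab.endswith(want) for lab in labels):
            report["findings"].append(f"{directive}: {path} has no usable {want} block")
        if directive == "TLSCACertificateFile":
            report["ca_certs"] = len(labels)  # what gnutls reports as "Processed N CA certificate(s)"
    return report


def _fake_pem(label, count):
    """Constructed PEM blocks: base64 of filler bytes, NOT real certificates or keys."""
    body = base64.b64encode(b"constructed-filler-" * 8).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "".join(f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n" for _ in range(count))


def run_demo():
    """Recreate the report's layout (CA bundle with 2 certs at 0644, cert at 0644, key at 0640
    owned root:ssl-cert) and audit it with and without openldap in the ssl-cert group."""
    with tempfile.TemporaryDirectory() as tmp:
        ca, cert, key = (os.path.join(tmp, n) for n in ("cacert.org.pem", "main.pem", "main-key.pem"))
        for path, label, count, mode in ((ca, "CERTIFICATE", 2, 0o644), (cert, "CERTIFICATE", 1, 0o644),
                                         (key, "RSA PRIVATE KEY", 1, 0o640)):
            with open(path, "w") as fh:
                fh.write(_fake_pem(label, count))
            os.chmod(path, mode)
        conf = (f"# TLS configuration\nTLSCACertificateFile {ca}\nTLSCertificateFile {cert}\n"
                f"TLSCertificateKeyFile {key}\n#TLSCipherSuite HIGH\n")
        owner_of = lambda p: ("root", "ssl-cert") if p == key else ("root", "root")  # constructed
        with_membership = audit_tls_files(conf, "ssl-cert:x:106:postgres,caldavd,openldap\n",
                                          "openldap", "openldap", owner_of)
        without_membership = audit_tls_files(conf, "ssl-cert:x:106:postgres,caldavd\n",
                                             "openldap", "openldap", owner_of)
    return with_membership, without_membership


if __name__ == "__main__":
    print(run_demo())
```

In the report's actual layout the audit comes back clean (the strace confirms slapd read all three files), which is why the reply looks past file access to the CA bundle itself; the second scenario in `run_demo` shows the finding you would get if the openldap user were missing from ssl-cert. Point `audit_tls_files` at a real slapd.conf, the real /etc/group, and an `owner_of` built from `pwd`/`grp` to run it against a live host.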