Hello, I am trying to use a pre-built Win32 binary of the "stunnel" application (from www.stunnel.org), in order to get my 3rd-party Win32 application, which only speaks LDAP, to speak to an Oracle OID server running LDAP over SSL.

I'm using stunnel version 4.05 along with OpenSSL / SSLeay version 0.9.7d. Unfortunately I'm getting errors from deep down in the OpenSSL code. The important bit from the stunnel log file is:

    SSL alert (read): fatal: close notify
    SSL_read: 140943E8: error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)

I've tracked through the source code for stunnel, and have found the following: In "client.c", the routine "transfer()" calls

    num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);

It then checks the error by calling

    err=SSL_get_error(c->ssl, num);

There is an error condition of "SSL_ERROR_SSL", so it calls "sslerror("SSL_read")". This is defined in "ssl.c". So, it calls "ERR_get_error()". The resulting values are:

    txt    = "SSL_read"
    err    = 140943E8
    string = error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)

Breaking apart this error string, its components are as follows:

    error:[error code]:[library name]:[function name]:[reason string]

    [error code]     = 140943E8
    [library name]   = SSL routines
    [function name]  = SSL3_READ_BYTES
    [reason string]  = reason(1000)

I found in the various error header files for SSL, the following entries:

    #define SSL3_AD_CLOSE_NOTIFY 0

and,

    #define SSL_AD_REASON_OFFSET 1000 /* These alert types are for SSLv3 and TLSv1 */
    #define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY

This would suggest an error code of 1,000 decimal. The error code above ends in "3E8" which equals 1,000 decimal... but I'm not sure where the 0x14094000 gets OR-ed into it.

Does anyone have any suggestion on where to go from here? I've already confirmed it's not a problem with random seeding, as I've set up a seed file and confirmed in the log that it's being used.

Regards,
David Hansen

-----Original Message-----
From: Hansen, David-E
Sent: Monday, 12 July 2004 17:12
To: 'Jan Meijer'
Cc: [EMAIL PROTECTED]
Subject: RE: Problems using stunnel for LDAP-S to OID

Jan, Hi.

Yes, that's what I tried to explain in my original mail...

This works:

    (LDAP client on Win32) <--> (stunnel on Linux) <--> (LDAP-S server on Solaris)

But this does not work:

    (LDAP client on Win32) <--> (stunnel on Win32) <--> (LDAP-S server on Solaris)

So the problem lies in the fact that we're running "stunnel" on Win32 -- the same version running on Linux works fine.

Regards,
David Hansen

-----Original Message-----
From: Jan Meijer [mailto:[EMAIL PROTECTED]]
Sent: Monday, 12 July 2004 14:15
To: Hansen, David-E
Cc: [EMAIL PROTECTED]
Subject: RE: Problems using stunnel for LDAP-S to OID

David,

On Fri, 9 Jul 2004 [EMAIL PROTECTED] wrote:

> Further to the below error message, we logged the information on the OID
> server side, and it all looks fine, until it hits the following error:
>
> 2004/07/09:15:12:07 * gslsfwcCloseConnection: Exit
> 2004/07/09:15:12:07 * ServerDispatcher: Reading BER element failed. Closing
> connection 41
>
> Does anyone know what this "BER" structure is?
>
> More information: We tried a variation on the below configuration: we ran
> stunnel v3.22 on a Linux machine, accepting requests on port 6636 and
> forwarding to the OID server on its LDAP-S port (4030). Then, we told our
> client (on Win32) to use the LDAP server on this Linux box... and it worked fine!
> Then, we tried exactly the same thing above, but with stunnel v3.26 (and also
> 4.05) running on a Windows XP workstation -- and it failed again with the below
> error.

Did you run the stunnel on linux using client-mode? And then connect your LDAP W32 client straight to the stunnel on linux using plain-text ldap?

Jan

--
Jan Meijer, SURFnet bv
The ASCII Ribbon Campaign Against HTML Email
http://www.surfnet.nl/organisatie/jm/
http://cert.surfnet.nl/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                         [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
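The question in the thread of where the 0x14094000 comes from is answered by how OpenSSL packs its error codes: ERR_PACK() puts an 8-bit library number in bits 31..24, a 12-bit function number in bits 23..12 and a 12-bit reason in bits 11..0. For 0x140943E8 that gives library 0x14 (20, ERR_LIB_SSL = "SSL routines"), function 0x094 (148, SSL3_READ_BYTES) and reason 0x3E8 (1000 = SSL_AD_REASON_OFFSET + SSL3_AD_CLOSE_NOTIFY), i.e. the peer sent a close_notify alert at fatal level, for which the reason string table has no entry, hence the fallback text "reason(1000)". The decoder below is an added example, not code from the thread, stunnel or OpenSSL; it reimplements the ERR_PACK layout with the constants quoted in the thread (plus ERR_LIB_SSL = 20 from OpenSSL's err.h) so it compiles without OpenSSL installed, and carries only a hand-picked subset of the RFC 2246 alert descriptions.

```c
#include <stdio.h>

/* Constants mirrored from OpenSSL 0.9.7's err.h / ssl.h so this builds
 * stand-alone. ERR_LIB_SSL is 20 (0x14); the others are quoted in the thread. */
#define ERR_LIB_SSL            20
#define SSL_F_SSL3_READ_BYTES  148     /* 0x094 */
#define SSL_AD_REASON_OFFSET   1000    /* received alerts are reported as 1000 + description */
#define SSL3_AD_CLOSE_NOTIFY   0

/* Same bit layout as OpenSSL's ERR_PACK(): 8-bit library, 12-bit function, 12-bit reason. */
unsigned long err_pack(unsigned lib, unsigned func, unsigned reason)
{
    return ((unsigned long)(lib & 0xffUL) << 24)
         | ((unsigned long)(func & 0xfffUL) << 12)
         |  (unsigned long)(reason & 0xfffUL);
}

struct err_parts {
    unsigned lib, func, reason;
    int is_alert;      /* 1 when the reason encodes a TLS alert received from the peer */
    int alert_desc;    /* alert description (reason - 1000) when is_alert, else -1 */
};

/* Split a packed OpenSSL error code back into its three fields. */
struct err_parts decode_openssl_err(unsigned long code)
{
    struct err_parts p;
    p.lib    = (unsigned)((code >> 24) & 0xff);
    p.func   = (unsigned)((code >> 12) & 0xfff);
    p.reason = (unsigned)(code & 0xfff);
    p.is_alert   = (p.lib == ERR_LIB_SSL && p.reason >= SSL_AD_REASON_OFFSET);
    p.alert_desc = p.is_alert ? (int)(p.reason - SSL_AD_REASON_OFFSET) : -1;
    return p;
}

/* A few TLS alert descriptions from RFC 2246; anything else maps to "unknown". */
const char *alert_name(int desc)
{
    switch (desc) {
    case 0:  return "close_notify";
    case 10: return "unexpected_message";
    case 20: return "bad_record_mac";
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 48: return "unknown_ca";
    case 80: return "internal_error";
    default: return "unknown";
    }
}

int main(void)
{
    unsigned long code = 0x140943E8UL;   /* the value from the stunnel log in the thread */
    struct err_parts p = decode_openssl_err(code);

    printf("error:%08lX  lib=%u func=%u reason=%u\n", code, p.lib, p.func, p.reason);
    if (p.is_alert)
        printf("peer sent a fatal alert, description %d (%s)\n",
               p.alert_desc, alert_name(p.alert_desc));

    /* Repacking the three named constants reproduces the logged code exactly. */
    printf("ERR_PACK(SSL, SSL3_READ_BYTES, 1000 + close_notify) = %08lX\n",
           err_pack(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES,
                    SSL_AD_REASON_OFFSET + SSL3_AD_CLOSE_NOTIFY));
    return 0;
}
```

The same split works for any OpenSSL 0.9.x/1.0.x error code pulled from a log: the top byte names the library, the middle 12 bits the function, and a reason of 1000 or more in the SSL library means the remote side sent an alert rather than the local code detecting a problem itself, which is the right first thing to check when two installations of the same stunnel version behave differently against the same server.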