Good morning,

We are trying to set up Apache vs ldaps. We have the following situation: server OpenLDAP with:

- client ldapsearch --> OK
- client openssl s_client --> OK
- client Apache/2.2.4 (Ubuntu) (another machine) --> OK
- client Apache/2.2.3 --> FAILED (tls_read: want=11, got=0 TLS: can't accept.)

In openldap-2.3.37/libraries/libldap/tls.c:

    err = SSL_accept( ssl );
    if ( err <= 0 ) {
        ...
        Debug( LDAP_DEBUG_ANY,"TLS: can't accept.\n",0,0,0 );
        ...

a) How can we have more TLS-LDAP trace?
b) What can be the failure? Any idea?

MY CONFIG:

SO: RH5SE - Red Hat 5 Server Edition

OpenSSL version:
    OpenSSL 0.9.8b 04 May 2006

Apache version:
    /usr/sbin/httpd -version
    Server version: Apache/2.2.3
    Server built:   Aug 6 2007 07:22:24

OpenLDAP version:
    /usr/sbin/slapd -VV
    @(#) $OpenLDAP: slapd 2.3.27 (Nov 10 2007 09:23:56) $
        [EMAIL PROTECTED]:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd

Launch OpenLDAP (debug):
    /usr/sbin/slapd -d 65535 -h "ldaps:///"

OpenLDAP trace:
    slapd starting
    daemon: added 4r
    daemon: added 7r
    daemon: select: listen=7 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: listen=7, new connection on 11
    ldap_pvt_gethostbyname_a: host=servmadrono, r=0
    daemon: added 11r
    conn=0 fd=11 ACCEPT from IP=212.128.2.2:53785 (IP=0.0.0.0:636)
    daemon: select: listen=7 active_threads=0 tvp=NULL
    daemon: activity on 2 descriptors
    daemon: activity on: 11r
    daemon: read active on 11
    connection_get(11)
    connection_get(11): got connid=0
    connection_read(11): checking for input on id=0
    TLS trace: SSL_accept:before/accept initialization
    tls_read: want=11, got=0
    TLS: can't accept.
    connection_read(11): TLS accept failure error=-1 id=0, closing
    connection_closing: readying conn=0 sd=11 for close
    connection_close: conn=0 sd=11
    daemon: removing 11
    conn=0 fd=11 closed (TLS negotiation failure)
    daemon: listen=7, new connection on 11

Apache trace (error_log):
    [Thu Apr 03 14:04:52 2008] [warn] [client -----] [5249] auth_ldap authenticate: user MYUSER authentication failed; URI /intranet3/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

ldapsearch:
    ldapsearch -w MYPASSWD -H "ldaps:///" -x -b "dc=MYDOMAIN,dc=COM" "cn=USER" -D "cn=Manager,dc=MYDOMAIN,dc=COM"
    # extended LDIF
    #
    # LDAPv3
    # base <dc=MYDOMAIN,dc=COM> with scope subtree
    # filter: cn=USER
    # requesting: ALL
    #

    # USER, Director, ClaseA, People, MYDOMAIN.COM
    dn: uid=USER,ou=Director,ou=ClaseA,ou=People,dc=MYDOMAIN,dc=COM
    sn:
    userPassword:: [BLANK]
    uidNumber: 1
    gidNumber: 1
    correoelectronico: [EMAIL PROTECTED]
    objectClass: top
    objectClass: person
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: MYDOMAIN
    uid: USER
    universidad: XXXX
    direccionIP: XXXX
    cn: USER
    homeDirectory: /dev/null

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

openssl:
    openssl s_client -CAfile /etc/openldap/cacert.pem -connect localhost:636
    CONNECTED(00000003)
    depth=1 /C=ES/ST=Madrid/O=XXX CA/CN=servidor/emailAddress=XXX
    verify return:1
    depth=0 /C=ES/ST=Madrid/L=Madrid/O=My Company Ltd/OU=XXX LDAP/CN=servidor/emailAddress=XXX
    verify return:1
    ---
    Certificate chain
     0 s:/C=ES/ST=Madrid/L=Madrid/O=My Company Ltd/OU=XXX LDAP/CN=servidor/emailAddress=XXX
       i:/C=ES/ST=Madrid/O=XXX CA/CN=servidor/emailAddress=XXX
     1 s:/C=ES/ST=Madrid/O=XXX CA/CN=servidor/emailAddress=XXX
       i:/C=ES/ST=Madrid/O=XXX CA/CN=servidor/emailAddress=XXX
    ---
    Server certificate
    subject=/C=ES/ST=Madrid/L=Madrid/O=My Company Ltd/OU=XXX LDAP/CN=servidor/emailAddress=XXX
    issuer=/C=ES/ST=Madrid/O=Consorcio Madrono CA/CN=servidor/emailAddress=XXX
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1735 bytes and written 331 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: XXXXXXX
        Session-ID-ctx:
        Master-Key: XXXXXXX
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1207229830
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

Config files: slapd.conf / ldap.conf / httpd.conf

Cert:
    CA.sh -newca
    sudo /usr/bin/openssl req -nodes -newkey rsa:1024 -days 9999 -keyout slapd-key.pem -out slapd-crt.pem
    CA.sh -sign
    /etc/openldap/cacert.pem
    /etc/openldap/slapd-cert.pem
    /etc/openldap/slapd-key.pem

/etc/ldap/slapd.conf:
    TLSCACertificateFile /etc/openldap/cacert.pem
    TLSCertificateFile /etc/openldap/slapd-cert.pem
    TLSCertificateKeyFile /etc/openldap/slapd-key.pem

/etc/openldap/ldap.conf:
    TLS_CACERT /etc/openldap/cacert.pem
    TLS_REQCERT demand

/etc/ldap.conf:
    TLS_CACERT /etc/openldap/cacert.pem
    TLS_REQCERT demand

--
View this message in context: http://www.nabble.com/--client-Apache-2.2.3---%3E-FAILED-%28tls_read%3A-want%3D11%2C-got%3D0--TLS%3A-can%27t-accept.%29-tp16467510p16467510.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
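As an added example (not part of the original post, nor OpenLDAP's own code), a small Python triage script that parses the slapd -d trace quoted above and reports how far the TLS accept got before failing. The sample trace embedded in it is the post's own log lines; the verdict names are this example's own. The point it makes: with the state still at SSL_accept:before/accept initialization and the very first read (OpenSSL 0.9.8's 11-byte ClientHello sniff) returning got=0, the peer closed the socket without sending any TLS record, so the server-side certificate, key and CA settings were never exercised and the fault lies on the Apache client side.

```python
import re

# Constructed sample input: the TLS-relevant slapd -d lines quoted in the post
# above, for the one connection that failed.
SLAPD_TRACE = """\
daemon: listen=7, new connection on 11
conn=0 fd=11 ACCEPT from IP=212.128.2.2:53785 (IP=0.0.0.0:636)
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
TLS: can't accept.
connection_read(11): TLS accept failure error=-1 id=0, closing
conn=0 fd=11 closed (TLS negotiation failure)
"""

ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):(\d+)")
STATE_RE = re.compile(r"TLS trace: SSL_accept:(.+)")
READ_RE = re.compile(r"tls_read: want=(\d+), got=(-?\d+)")


def triage_slapd_trace(trace):
    """Parse one failed ldaps:// accept from slapd debug output and say how far
    the handshake got. Verdict names are this example's own, not OpenLDAP's."""
    peer, state, want, got, bytes_seen = None, None, None, None, 0
    for line in trace.splitlines():
        if m := ACCEPT_RE.search(line):
            peer = (m.group(1), int(m.group(2)))
        elif m := STATE_RE.search(line):
            state = m.group(1).strip()
        elif m := READ_RE.search(line):
            want, got = int(m.group(1)), int(m.group(2))
            bytes_seen += max(got, 0)
    if state == "before/accept initialization" and got == 0 and bytes_seen == 0:
        # OpenSSL 0.9.8's SSL_accept first reads 11 bytes to sniff the ClientHello
        # (SSLv2-compatible or SSLv3/TLS). got=0 there is EOF: the client hung up
        # before sending any TLS record, so the server's cert/key/CA files were
        # never exercised and the fault is on the client side of the socket.
        verdict = "client_closed_before_hello"
    elif got is not None and got < 0:
        verdict = "socket_read_error"             # got=-1: a socket error, not TLS
    elif bytes_seen > 0:
        verdict = "handshake_failed_after_hello"  # inspect the last TLS trace state
    else:
        verdict = "inconclusive"
    return {"peer": peer, "state": state, "want": want, "got": got, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_slapd_trace(SLAPD_TRACE).items():
        print(f"{key:8} {value}")
```

If a real slapd -d 65535 log from the failing Apache host also yields client_closed_before_hello, the next trace worth collecting is on the Apache side (the LDAP library the httpd process uses, and whether that process can read the CA file named in its ldap.conf), not more slapd output.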