openldap-technical

Re: SSL handshake failure

To: Bryce Powell <Bryce.Powell@xxxxxxxxx>
Subject: Re: SSL handshake failure
From: Rich Megginson <rich.megginson@xxxxxxxxx>
Date: Thu, 23 Feb 2012 14:00:06 -0700
Cc: "openldap-technical@xxxxxxxxxxxx" <openldap-technical@xxxxxxxxxxxx>

On 02/23/2012 01:34 PM, Bryce Powell wrote:
Hi,
I can't get slapd to respond successfully to TLS or SSL connections using an RSA 2048-bit PEM certificate:
$ ldapsearch -x -ZZ -d1 -H ldap://FQDNhostname
TLS: loaded CA certificate file /etc/openldap/cacerts/FQDNhostname.cacert.pem.
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -5938:Encountered end of file
$ openssl s_client -connect FQDNhostname:636 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem
CONNECTED(00000003)
140457427965768:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
The following packages are installed on CentOS 6.2:
openldap-servers-2.4.23-20.el6.x86_64
openldap-2.4.23-20.el6.x86_64
openldap-clients-2.4.23-20.el6.x86_64
openssl-1.0.0-20.el6_2.1.x86_64
openssl-devel-1.0.0-20.el6_2.1.x86_64
gnutls-2.8.5-4.el6.x86_64
gnutls-devel-2.8.5-4.el6.x86_64
nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64
The /etc/openldap/ldap.conf file contains:
TLS_CACERT /etc/openldap/cacerts/FQDNhostname.cacert.pem
which contains a chain of three certificates (root CA, intermediate/functional, and issuing).
The /etc/openldap/slapd.conf file contains:
TLSCipherSuite HIGH:+SSLv3
TLSCertificateFile      /etc/openldap/FQDNhostname.cert.pem
TLSCertificateKeyFile   /etc/openldap/FQDNhostname.key.pem
The server is acting as a proxy to an Active Directory, and therefore I only have one LDAP database defined. My intention is to use LDAPS for communication between the client and LDAP proxy servers:
database                ldap
suffix                      "dc=abc,dc=local"
rebind-as-user
uri "ldap://IPaddress1/ ldap://IPaddress2/ ldap://IPaddress3/ ldap://IPaddress4/"
chase-referrals    yes
noundeffilter       yes
use-temporary-conn      yes
The certificate and private key are located in /etc/openldap/, with the following permissions:
-r--r-----. 1 ldap ldap 2076 Feb 21 15:30 FQDNhostname.cert.pem
-r--r-----. 1 ldap ldap 1675 Feb 21 15:35 FQDNhostname.sdi.key.pem
The CN of the certificate matches the FQDN host name of the LDAP server.
The private key is not password protected.
Everything checks out OK by testing the certificate using openssl:
$ openssl verify -purpose sslserver -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem /etc/openldap/FQDNhostname.cert.pem
/etc/openldap/FQDNhostname.cert.pem: OK
OpenSSL client/server connections work fine too:
openssl s_server -cert /etc/openldap/FQDNhostname.cert.pem -key /etc/openldap/FQDNhostname.key.pem -cipher 'HIGH:+SSLv3'
openssl s_client -connect FQDNhostname:4433 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem
*Bryce Powell*
Does it work if you specify TLSCACertificateFile /etc/openldap/cacerts/FQDNhostname.cacert.pem in your slapd.conf? Can you get the -d 1 debug output from the server when you attempt to connect from the client?
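A small pre-flight check for the slapd.conf TLS directives discussed in this thread, added here as an illustration (it is not from the thread, OpenLDAP or MozNSS). It flags the conditions a reader would want to rule out before looking at -d 1 output: TLSCACertificateFile not set, a path that names a directory rather than a PEM file, a configured file that is absent, or a file without the expected PEM block. The demo builds a constructed temporary directory that reuses the file names from the poster's configuration and directory listing; the paths are placeholders, not a real host.

```python
import os
import re
import tempfile

# slapd.conf directives whose value must be a readable PEM file, not a directory.
TLS_FILE_DIRECTIVES = ("TLSCACertificateFile", "TLSCertificateFile", "TLSCertificateKeyFile")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----")

def parse_tls_directives(conf_text):
    """Return {directive: value} for every TLS* line of a slapd.conf fragment."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            found[parts[0]] = parts[1].strip().strip('"')
    return found

def check_slapd_tls(conf_text):
    """Pre-flight the file-valued TLS directives; returns a list of problem strings."""
    tls, findings = parse_tls_directives(conf_text), []
    for directive in TLS_FILE_DIRECTIVES:
        path = tls.get(directive)
        if path is None:
            findings.append(f"{directive} not set")
        elif not os.path.exists(path):
            findings.append(f"{directive}: {path} does not exist")
        elif os.path.isdir(path):  # the client-side log above shows errno 21, "Is a directory"
            findings.append(f"{directive}: {path} is a directory, expected a PEM file")
        elif not os.access(path, os.R_OK):
            findings.append(f"{directive}: {path} is not readable by this user")
        else:
            with open(path) as fh:
                kinds = PEM_BLOCK.findall(fh.read())  # e.g. ["CERTIFICATE"], ["RSA PRIVATE KEY"]
            want_key = directive == "TLSCertificateKeyFile"
            if want_key and not any("PRIVATE KEY" in k for k in kinds):
                findings.append(f"{directive}: {path} contains no PEM private key block")
            if not want_key and "CERTIFICATE" not in kinds:
                findings.append(f"{directive}: {path} contains no PEM certificate block")
    return findings

def demo_from_thread():
    """Constructed scenario with the thread's file names in a temp dir; returns {variant: findings}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "cacerts"))  # a directory, like /etc/openldap/cacerts
    cert = os.path.join(root, "FQDNhostname.cert.pem")
    with open(cert, "w") as fh:  # constructed placeholder body, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nMIIB-constructed\n-----END CERTIFICATE-----\n")
    with open(os.path.join(root, "FQDNhostname.sdi.key.pem"), "w") as fh:  # name from the ls output
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nMIIE-constructed\n-----END RSA PRIVATE KEY-----\n")
    as_posted = f"TLSCipherSuite HIGH:+SSLv3\nTLSCertificateFile {cert}\nTLSCertificateKeyFile {root}/FQDNhostname.key.pem\n"
    ca_is_dir = as_posted + f"TLSCACertificateFile {root}/cacerts\n"
    return {"as_posted": check_slapd_tls(as_posted), "ca_is_dir": check_slapd_tls(ca_is_dir)}
```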
