Package: ldap-utils
Version: 2.4.15-1.1
Severity: normal
I have the following configuration for the LDAP client:

BASE    dc=truelite,dc=it
URI     ldaps://ldap.fi.trl
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
tls_checkpeer no
TLS_CACERT /etc/ssl/certs/Truelite-cacert.pem

and similar for libnss-ldap.conf and pam_ldap.conf, but while NSS and PAM are working, using ldapsearch I got:

picca...@ellington:~$ ldapsearch -d 1 -x
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.fi.trl:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.2:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

The configuration on the server did not change for a while, and for TLS it is:

TLSCertificateFile /etc/ssl/certs/ldap.fi.trl-cert.pem
TLSCertificateKeyFile /etc/ssl/private/ldap.fi.trl-key.pem
TLSCipherSuite HIGH
TLSCACertificateFile /etc/ssl/certs/Truelite-cacert.pem

Running the server in debug mode I got:

[...]
slapd starting
>>> slap_listener(ldaps:///)
ldap_pvt_gethostbyname_a: host=davis, r=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
TLS trace: SSL3 alert write:warning:close notify

I tried to check the certificates, and using openssl I got:

ellington:/home/piccardi# openssl s_client -connect ldap.fi.trl:636 -CAfile /etc/ssl/certs/New-Truelite-cacert.pem
CONNECTED(00000003)
depth=1 /C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailaddress=i...@truelite.it
verify return:1
depth=0 /C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailaddress=sist...@truelite.it
verify return:1
---
Certificate chain
 0 s:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailaddress=sist...@truelite.it
   i:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailaddress=i...@truelite.it
 1 s:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailaddress=i...@truelite.it
   i:/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailaddress=i...@truelite.it
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=ldap.fi.trl/emailaddress=sist...@truelite.it
issuer=/C=IT/ST=FI/L=Firenze/O=Truelite Srl/OU=Certification Authority/CN=Truelite Srl CA/emailaddress=i...@truelite.it
---
No client certificate CA names sent
---
SSL handshake has read 3578 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 716BE0C7C993AC4F72CD2D02A57718AF8D2E55FC62356AD00BB8FF17265F4814
    Session-ID-ctx:
    Master-Key: D32B76AB62025227C6B3B8F210A7A544E10CD233056B59563DD2F3CBB07B94679315CDD9E9B3E88CFEC36DABEDF09930
    Key-Arg   : None
    Start Time: 1244471759
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

while checking with gnutls-cli I got:

ellington:/home/piccardi# gnutls-cli -d 3 --x509cafile /etc/ssl/certs/New-Truelite-cacert.pem -p 636 ldap.fi.trl
Processed 1 CA certificate(s).
Resolving 'ldap.fi.trl'...
Connecting to '192.168.1.2:636'...
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[9d4a140]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[9d4a140]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
|<2>| EXT[9d4a140]: Sending extension CERT_TYPE
|<2>| EXT[9d4a140]: Sending extension SERVER_NAME
|<3>| HSK[9d4a140]: CLIENT HELLO was send [124 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: SERVER HELLO was received [74 bytes]
|<3>| HSK[9d4a140]: Server's version: 3.1
|<3>| HSK[9d4a140]: SessionID length: 32
|<3>| HSK[9d4a140]: SessionID: 8a2dd5918d648cb0688cfa8a83b81b7355ca4c058215cf14c6d4e12c65c75235
|<3>| HSK[9d4a140]: Selected cipher suite: RSA_AES_128_CBC_SHA1
|<2>| ASSERT: gnutls_extensions.c:124
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: CERTIFICATE was received [3426 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: SERVER HELLO DONE was received [4 bytes]
|<2>| ASSERT: gnutls_handshake.c:1123
|<3>| HSK[9d4a140]: CLIENT KEY EXCHANGE was send [134 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| REC[9d4a140]: Sent ChangeCipherSpec
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: Cipher Suite: RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Initializing internal [write] cipher sessions
|<3>| HSK[9d4a140]: FINISHED was send [16 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[9d4a140]: Cipher Suite: RSA_AES_128_CBC_SHA1
|<3>| HSK[9d4a140]: Initializing internal [read] cipher sessions
|<3>| HSK[9d4a140]: FINISHED was received [16 bytes]
|<2>| ASSERT: ext_server_name.c:257
- Certificate type: X.509
 - Got a certificate list of 2 certificates.
 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'ldap.fi.trl'.

So it seems something related to gnutls. (I checked using ldapsearch from an Ubuntu 9.4 and there it works.)
-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.29-2-686 (SMP w/2 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ldap-utils depends on:
ii  libc6          2.9-13          GNU C Library: Shared libraries
ii  libgnutls26    2.6.6-1         the GNU TLS library - runtime libr
ii  libldap-2.4-2  2.4.15-1.1      OpenLDAP libraries
ii  libsasl2-2     2.1.23.dfsg1-1  Cyrus SASL - authentication abstra

Versions of packages ldap-utils recommends:
ii  libsasl2-modules  2.1.23.dfsg1-1  Cyrus SASL - pluggable authenticat

ldap-utils suggests no packages.

-- no debconf information
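The difference between the two tools in the report comes down to one check: openssl s_client of that era verified only the certificate chain (hence "Verify return code: 0 (ok)"), while gnutls-cli also compared the names in the server certificate against 'ldap.fi.trl'. The following is an added example, not code from the bug report or from GnuTLS, implementing that name check with the RFC 6125 precedence rule (subjectAltName dNSName entries first, subject CN only when no dNSName exists). Only the CN value is taken from the report; the subjectAltName lists are constructed, since the report never shows that extension.

```python
# Added example, not part of the bug report: an RFC 6125-style hostname
# check of the kind a TLS client such as GnuTLS runs on the server
# certificate. Chain validation alone (what openssl s_client did then)
# never touches the name, which is why the two tools disagree.
from typing import Optional, Sequence, Tuple


def _name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented identifier with the hostname, case-insensitively.
    A wildcard is honoured only as the entire left-most label, must leave at
    least two fixed labels, and never matches across a dot."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels, h_labels = presented.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names: Sequence[str],
                     subject_cn: Optional[str]) -> Tuple[bool, str]:
    """Return (matched, reason). subjectAltName dNSName entries take
    precedence; the subject CN is consulted only when no dNSName exists."""
    if san_dns_names:
        for name in san_dns_names:
            if _name_matches(name, hostname):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, "no subjectAltName dNSName matches; CN is ignored when SANs exist"
    if subject_cn and _name_matches(subject_cn, hostname):
        return True, f"matched subject CN {subject_cn!r} (no subjectAltName present)"
    return False, f"subject CN {subject_cn!r} does not match and no subjectAltName present"


if __name__ == "__main__":
    # The subject CN is the one from the openssl output in the report; the
    # SAN lists are constructed, since the report does not show the extension.
    cases = [
        ("ldap.fi.trl", [], "ldap.fi.trl"),                    # CN only: matches
        ("ldap.fi.trl", ["ldap.truelite.it"], "ldap.fi.trl"),  # SAN present, CN ignored
        ("ldap.fi.trl", ["*.fi.trl"], "something.else"),       # wildcard SAN: matches
        ("ldap.fi.trl", ["*.trl"], None),                      # too-broad wildcard: rejected
    ]
    for host, sans, cn in cases:
        ok, why = hostname_matches(host, sans, cn)
        print(f"{host:12} SAN={sans!r:22} CN={cn!r:16} -> {'OK ' if ok else 'BAD'} ({why})")
```

The inputs for a real certificate can be read with `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` (OpenSSL 1.1.1 or later); a certificate that carries a subjectAltName without the connected hostname fails this check even when its CN looks right.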