Cert authentication works on 2.4.44-r1 without any problem. I have now downloaded the source code, configured, compiled and installed it manually.
Configure options:

./configure --disable-bdb --disable-hdb --enable-accesslog --enable-auditlog --enable-deref --enable-memberof --enable-ppolicy --enable-proxycache --enable-syncprov --enable-valsort

After compilation 'make test' completed successfully without any errors.

Everything works fine with 2.4.44-r1, but there are still certificate problems with 2.4.45, complaining about self-signed certificates. Configurations with 2.4.44-r1 and 2.4.45 are identical, both are compiled with the same version of OpenSSL libraries (OpenSSL 1.0.2l 25 May 2017) and are using the same certificates.

I have done strace:

2.4.44-r1:
=======
ldap_create
ldap_create
ldap_url_parse_ext(ldaps://fw1.dannatu.ch:636)
ldap_url_parse_ext(ldaps://fw0.dannatu.ch:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw1.dannatu.ch:636
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw0.dannatu.ch:636
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 13 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
ldap_new_socket: 14
ldap_prepare_socket: 14
ldap_connect_to_host: Trying 10.0.0.10:636
ldap_pvt_connect: fd: 14 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAdd [email protected], issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/[email protected]
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddres [email protected], issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/[email protected]
TLS certificate verification: depth: 1, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAdd [email protected], issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/[email protected]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS certificate verification: depth: 0, err: 0, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch/emailAddres [email protected], issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/[email protected]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read server session ticket A
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request

2.4.45:
=====
ldap_create
ldap_url_parse_ext(ldaps://fw1.dannatu.ch:636)
ldap_url_parse_ext(ldaps://fw0.dannatu.ch:636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw0.dannatu.ch:636
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP fw1.dannatu.ch:636
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 10.0.0.10:636
ldap_pvt_connect: fd: 15 tm: -1 async: 0
attempting to connect:
ldap_new_socket: 16
ldap_prepare_socket: 16
ldap_connect_to_host: Trying 10.0.0.11:636
ldap_pvt_connect: fd: 16 tm: -1 async: 0
attempting to connect:
connect success
TLS trace: SSL_connect:before/connect initialization
connect success
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAd [email protected], issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/[email protected]
TLS certificate verification: Error, self signed certificate in certificate chain
TLS certificate verification: depth: 1, err: 19, subject: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/emailAd [email protected], issuer: /C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA/[email protected]
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
5950a07f slap_client_connect: URI=ldaps://fw1.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
5950a07f slap_client_connect: URI=ldaps://fw0.dannatu.ch:636 DN="cn=manager,dc=dannatu,dc=ch" ldap_sasl_bind_s failed (-1)
5950a07f do_syncrepl: rid=001 rc -1 retrying (4 retries left)
5950a07f do_syncrepl: rid=000 rc -1 retrying (4 retries left)

Still can't find a cause for this behavior.

Kind regards
Juergen Sprenger

-----Original Message-----
From: Quanah Gibson-Mount [mailto:[email protected]]
Sent: Friday, June 23, 2017 6:33 PM
To: Sprenger Jürgen, INI-ON-CIS-SDI-HES <[email protected]>; [email protected]
Subject: RE: syncrepl fails after upgrade to openldap 2.4.45

--On Friday, June 23, 2017 8:30 AM +0000 [email protected] wrote:

> Have also added these entries to syncrepl now, but without any success:
>
> tls_cert=/etc/ssl/openldap/dannatu.ch.pem
> tls_key=/etc/ssl/openldap/dannatu.ch.key
> tls_cacert=/etc/ssl/certs/dannatuCA-cacert.pem

This would indicate you want to do client cert authentication with the syncrepl client, which as far as I know, you are not using (based on your earlier configuration). You need to remove the tls_cert and tls_key lines.

I've tested with OpenLDAP 2.4.45 and TLS works as expected with replication.

--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
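Added example, not part of this thread and not OpenLDAP project code: a small Python triage script for the kind of client debug output pasted above. libldap prints one "TLS certificate verification: depth: N, err: E, subject: ..., issuer: ..." line per certificate in the peer's chain, where E is OpenSSL's X509_V_ERR_* verify code; err 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, meaning the client walked the chain up to a self-signed root that is not in the trust store it was given. The script parses those lines, maps the code to its symbolic name, and reports the first failing depth and whether that certificate is self-signed (subject equals issuer). The two sample logs are constructed and abbreviated from the 2.4.44-r1 and 2.4.45 traces above, with the emailAddress DN components dropped; the error-code table is a subset of OpenSSL's codes, and the remediation hints are general guidance, not a diagnosis of this particular installation.

```python
import re

# Subset of OpenSSL's X509_V_ERR_* verify codes (openssl/x509_vfy.h) with
# the remediation a defender usually needs.  Code 19 is the one in the thread.
X509_VERIFY_ERRORS = {
    0:  ("X509_V_OK", "certificate at this depth verified"),
    2:  ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
         "issuer not sent by the peer and not found locally"),
    9:  ("X509_V_ERR_CERT_NOT_YET_VALID", "check clock skew / notBefore"),
    10: ("X509_V_ERR_CERT_HAS_EXPIRED", "renew the certificate"),
    18: ("X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
         "leaf is self-signed: trust it explicitly or issue it from a CA"),
    19: ("X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
         "root CA presented in the chain is not in the client's trust store "
         "(TLS_CACERT in ldap.conf / tls_cacert in the syncrepl stanza)"),
    20: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
         "an issuer in the chain is missing from the trust store"),
    21: ("X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
         "only the leaf was presented and its issuer is unknown"),
    62: ("X509_V_ERR_HOSTNAME_MISMATCH",
         "host in the ldaps:// URI does not match the certificate's SAN/CN"),
}

# Shape of the per-depth verify callback line that libldap logs.
VERIFY_LINE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*?)\s*$"
)


def parse_verification_lines(log_text):
    """One dict per 'TLS certificate verification: depth: ...' line."""
    entries = []
    for line in log_text.splitlines():
        m = VERIFY_LINE.search(line)
        if not m:
            continue  # trace/socket lines are not verification results
        err = int(m.group("err"))
        name, hint = X509_VERIFY_ERRORS.get(
            err, ("X509_V_ERR_%d" % err, "look the code up in openssl/x509_vfy.h"))
        subject, issuer = m.group("subject").strip(), m.group("issuer").strip()
        entries.append({
            "depth": int(m.group("depth")),
            "err": err,
            "name": name,
            "hint": hint,
            "subject": subject,
            "issuer": issuer,
            "self_signed": subject == issuer,  # subject == issuer marks a root
        })
    return entries


def triage(log_text):
    """Classify a client debug log by its first non-zero verify result."""
    entries = parse_verification_lines(log_text)
    failures = [e for e in entries if e["err"] != 0]
    if not entries:
        return {"verdict": "no-verification-lines", "failures": failures}
    if not failures:
        return {"verdict": "ok",
                "chain_depth": max(e["depth"] for e in entries) + 1,
                "failures": failures}
    first = failures[0]
    if first["err"] == 19 and first["self_signed"]:
        verdict = "untrusted-root"
    elif first["err"] in (2, 20, 21):
        verdict = "incomplete-chain"
    elif first["err"] in (9, 10):
        verdict = "validity-period"
    else:
        verdict = "verify-failed"
    return {"verdict": verdict, "failing_depth": first["depth"], "failures": failures}


# Constructed sample logs, abbreviated from the thread (emailAddress dropped).
CA_DN = "/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=Dannatu AG CA"
LEAF_DN = "/C=CH/ST=Solothurn/L=Solothurn/O=Dannatu AG/OU=IT/CN=dannatu.ch"

GOOD_LOG = "\n".join([
    "TLS trace: SSL_connect:SSLv3 read server hello A",
    "TLS certificate verification: depth: 1, err: 0, subject: %s, issuer: %s" % (CA_DN, CA_DN),
    "TLS certificate verification: depth: 0, err: 0, subject: %s, issuer: %s" % (LEAF_DN, CA_DN),
    "TLS trace: SSL_connect:SSLv3 read finished A",
    "ldap_open_defconn: successful",
])

BAD_LOG = "\n".join([
    "TLS trace: SSL_connect:SSLv3 read server hello A",
    "TLS certificate verification: depth: 1, err: 19, subject: %s, issuer: %s" % (CA_DN, CA_DN),
    "TLS certificate verification: Error, self signed certificate in certificate chain",
    "TLS trace: SSL3 alert write:fatal:unknown CA",
    "TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:"
    "certificate verify failed (self signed certificate in certificate chain).",
])

if __name__ == "__main__":
    for label, log in (("2.4.44-r1", GOOD_LOG), ("2.4.45", BAD_LOG)):
        result = triage(log)
        print(label, "->", result["verdict"])
        for f in result["failures"]:
            print("  depth %d %s: %s" % (f["depth"], f["name"], f["hint"]))
```

The "untrusted-root" verdict is the one to act on by supplying the CA certificate to the client (TLS_CACERT, or tls_cacert in the syncrepl stanza, both of which the thread already mentions), not by lowering TLS_REQCERT; the latter silences the error but leaves the replication consumer unable to tell the real provider from any host presenting a certificate.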
