Jeffrey,
thanks! Actually that's what I did: Comparing the data of the certificate that
worked with that which does not.
I could not find any relevant difference.
I also wondered whether the objectclass might make a difference:
The object that works has:
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
and the object that doesn't has
objectClass: account
objectClass: simpleSecurityObject
Both objects are in the same DIT (database), but have a different context.
However, I adjusted the olcAuthzRegexp:
olcAuthzRegexp: {0} "^cn=uid\\3Dsyncrepl,...,c=DE$" "dn:uid=syncrepl,ou=system,....,dc=de"
olcAuthzRegexp: {1} "^cn=uid\\3D([^,]+),...,c=DE$" "dn:uid=$1,ou=people,...dc=de"
The "..." is an ellipsis (redacted some details).
The second regex is the one that works...
Kind regards,
Ulrich Windl
> -----Original Message-----
> From: Jeffrey Walton <[email protected]>
> Sent: Wednesday, March 5, 2025 4:17 PM
> To: Windl, Ulrich <[email protected]>
> Cc: [email protected]
> Subject: [EXT] Re: Getting details for "TLS trace: SSL3 alert read:fatal:unsupported certificate"
>
> On Wed, Mar 5, 2025 at 9:53 AM Windl, Ulrich <[email protected]> wrote:
> >
> > After "playing" significant time with certificate authentication, I managed
> > to authenticate one user. However when I tried to authenticate a different
> > user with a similar certificate, I see a
> >
> > TLS trace: SSL3 alert read:fatal:unsupported certificate
> >
> > Error. Can I get some details about the "unsupportedness" of my certificate?
> > The only thing I could think of is that uid of the newer certificate has a CN
> > that is three characters longer than the one that worked.
> >
>
> Have a look at the cert using OpenSSL and the x509 subcommand:
>
> $ openssl x509 -in .../rsyslog/contrib/gnutls/ca.pem -inform PEM -text -noout
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 1 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C = DE, O = rsyslog test root CA, OU = CA, CN = rsyslog-test-root-ca
> Validity
> Not Before: May 20 12:58:12 2008 GMT
> Not After : May 18 12:58:24 2018 GMT
> Subject: C = DE, O = rsyslog test root CA, OU = CA, CN = rsyslog-test-root-ca
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (1024 bit)
> Modulus:
> 00:c3:6b:3e:57:e5:82:2b:b8:f1:f4:c2:e9:0c:3e:
> 29:3b:c4:82:aa:ae:90:9c:af:c1:a6:db:ca:33:e6:
> 1e:06:b5:7d:b9:dd:e5:ab:a6:20:6e:93:66:bf:7f:
> f0:8a:0e:37:ae:aa:68:96:a9:3b:3d:d0:f1:4d:6f:
> e6:75:73:e6:33:bd:a8:2a:bf:cd:15:cd:9c:03:23:
> 84:5c:af:09:4d:68:aa:c1:cf:ff:57:8a:8c:02:72:
> 85:7c:b3:b1:af:57:6b:ed:64:43:d2:4e:13:73:cf:
> 81:58:93:10:8c:bd:b3:98:65:e2:48:61:05:61:66:
> 08:14:72:e6:9d:7e:19:83:23
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage: critical
> Certificate Sign, CRL Sign
> X509v3 Subject Key Identifier:
> 33:61:04:20:52:6D:18:2C:D7:5A:AC:99:DC:D9:CD:4B:C5:85:42:94
> Signature Algorithm: sha1WithRSAEncryption
> Signature Value:
> b8:65:ad:1f:b2:64:a5:ad:27:fe:2c:ea:43:97:5d:0d:03:ff:
> 2d:3e:ad:6a:2b:c2:c2:5a:44:60:45:3d:6a:e9:a9:40:f5:96:
> c6:d6:32:c0:a6:8f:45:f3:35:25:33:0b:02:26:1d:f0:c4:bb:
> 4c:9f:13:61:1b:ef:47:7d:98:d3:66:3e:3a:15:e7:d7:5c:44:
> 46:45:af:05:3d:8c:f7:2c:ea:5f:a8:43:7d:1b:9e:37:b4:53:
> 7c:f5:ac:7e:6f:cd:05:35:68:8f:38:da:10:27:13:15:e9:d9:
> 89:de:cf:0b:92:62:15:b7:14:e8:f4:94:31:9e:3d:fc:93:e1:
> c4:0a
>
> > A more complete trace for ldapwhoami would look like this:
> >
> > …
> > ldap_parse_result
> > ber_scanf fmt ({iAA) ber:
> > ber_scanf fmt (}) ber:
> > ldap_msgfree
> > TLS trace: SSL_connect:before SSL initialization
> > TLS trace: SSL_connect:SSLv3/TLS write client hello
> > TLS trace: SSL_connect:SSLv3/TLS write client hello
> > TLS trace: SSL_connect:SSLv3/TLS read server hello
> > TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
> > TLS trace: SSL_connect:SSLv3/TLS read server certificate request
> > TLS certificate verification: depth: 2, err: 0, subject: /…. Root-CA (2018), issuer: /… Root-CA (2018)
> > TLS certificate verification: depth: 1, err: 0, subject: /… Host-CA (2018), issuer: /… Root-CA (2018)
> > TLS certificate verification: depth: 0, err: 0, subject: /… FQHN, issuer: /… Host-CA (2018)
> > TLS trace: SSL_connect:SSLv3/TLS read server certificate
> > TLS trace: SSL_connect:TLSv1.3 read server certificate verify
> > TLS trace: SSL_connect:SSLv3/TLS read finished
> > TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
> > TLS trace: SSL_connect:SSLv3/TLS write client certificate
> > TLS trace: SSL_connect:SSLv3/TLS write certificate verify
> > TLS trace: SSL_connect:SSLv3/TLS write finished
> > ldap_sasl_interactive_bind: user selected: EXTERNAL
> > ldap_int_sasl_bind: EXTERNAL
> > ldap_int_sasl_open: host=FQHN
> > SASL/EXTERNAL authentication started
> > ldap_sasl_bind
> > ldap_send_initial_request
> > ldap_send_server_request
> > ber_scanf fmt ({it) ber:
> > ber_scanf fmt ({i) ber:
> > ber_flush2: 26 bytes to sd 3
> > ldap_msgfree
> > ldap_result ld 0x56432476ac30 msgid 2
> > wait4msg ld 0x56432476ac30 msgid 2 (infinite timeout)
> > wait4msg continue ld 0x56432476ac30 msgid 2 all 1
> > ** ld 0x56432476ac30 Connections:
> > * host: FQHN port: 389 (default)
> > * from: IP=172.20.16.36:57868
> > refcnt: 2 status: Connected
> > last used: Wed Mar 5 15:42:03 2025
> >
> > ** ld 0x56432476ac30 Outstanding Requests:
> > * msgid 2, origid 2, status InProgress
> > outstanding referrals 0, parent count 0
> > ld 0x56432476ac30 request count 1 (abandoned 0)
> > ** ld 0x56432476ac30 Response Queue:
> > Empty
> > ld 0x56432476ac30 response count 0
> > ldap_chkResponseList ld 0x56432476ac30 msgid 2 all 1
> > ldap_chkResponseList returns ld 0x56432476ac30 NULL
> > ldap_int_select
> > read1msg: ld 0x56432476ac30 msgid 2 all 1
> > ber_get_next
> > TLS trace: SSL3 alert read:fatal:unsupported certificate
> > ber_get_next failed, errno=0.
> > ldap_err2string
> > ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
> > …
>
> Jeff
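The olcAuthzRegexp rules discussed in this thread map the subject DN that SASL/EXTERNAL derives from the client certificate onto an entry DN, first match wins. The following is an added example, not code from the thread or from OpenLDAP itself: it models that mapping step with Python's `re` module so the two rules can be checked offline against subject DNs in the same shape as the ones quoted above. The redacted intermediate RDNs ("...") are replaced by the assumed `ou=example` and an assumed `dc=example,dc=de` suffix, the `subject_to_authcid` helper is a constructed approximation of how slapd renders the subject (it escapes `=` inside a value as `\3D`, as the message shows), and Python's regex engine stands in for the POSIX regex slapd compiles from its config string.

```python
import re

# Constructed rules in the shape of the olcAuthzRegexp lines in the message.
# The real intermediate RDNs were redacted ("..."); "ou=example" and the
# dc=example,dc=de suffix are assumptions standing in for them.
# Each pattern is a Python raw string, so "\\3D" matches the literal three
# characters backslash, "3", "D" that appear in the authcid where an "="
# occurs inside an RDN value (cn=uid\3Dsyncrepl,...).
AUTHZ_REGEXP_RULES = [
    # {0}: pin the replication identity to one fixed system entry
    (r"^cn=uid\\3Dsyncrepl,ou=example,c=DE$",
     "dn:uid=syncrepl,ou=system,dc=example,dc=de"),
    # {1}: any other "uid=<name>" CN lands in ou=people with the same uid
    (r"^cn=uid\\3D([^,]+),ou=example,c=DE$",
     "dn:uid=$1,ou=people,dc=example,dc=de"),
]

# Characters that cannot appear raw inside an RDN value (RFC 4514 specials)
# plus "=", which the message shows rendered as \3D. Using hex escapes for
# all of them is a simplification of the DN string syntax (assumption).
_ESCAPE_IN_VALUE = set('"+,;<>\\=')


def escape_rdn_value(value: str) -> str:
    """Hex-escape the characters that must not appear raw in an RDN value."""
    return "".join("\\%02X" % ord(ch) if ch in _ESCAPE_IN_VALUE else ch
                   for ch in value)


def subject_to_authcid(rdns) -> str:
    """Render a subject as the DN string the rules are matched against.

    rdns is a list of (attribute, value) pairs, leaf RDN first, e.g.
    [("cn", "uid=syncrepl"), ("ou", "example"), ("c", "DE")].
    """
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def map_authcid(authcid: str, rules=AUTHZ_REGEXP_RULES):
    """Apply the rules in order; return the first rewrite that matches.

    Returns None when no rule matches, in which case slapd would keep the
    unmapped authcid, which normally corresponds to no entry in the DIT.
    """
    for pattern, template in rules:
        m = re.match(pattern, authcid)
        if m is None:
            continue
        # $0 is the whole match, $1..$9 the capture groups, as in slapd.
        return re.sub(r"\$(\d)",
                      lambda tok: m.group(int(tok.group(1))), template)
    return None


if __name__ == "__main__":
    # Constructed subjects: the sync identity, a user, a user whose uid is
    # three characters longer, and a host certificate no rule covers.
    for subject in ([("cn", "uid=syncrepl"), ("ou", "example"), ("c", "DE")],
                    [("cn", "uid=windl"), ("ou", "example"), ("c", "DE")],
                    [("cn", "uid=windl123"), ("ou", "example"), ("c", "DE")],
                    [("cn", "host.example.de"), ("ou", "example"), ("c", "DE")]):
        authcid = subject_to_authcid(subject)
        print(f"{authcid:45} -> {map_authcid(authcid)}")
```

Running it shows that `{1}` matches a uid of any length, so a CN that is three characters longer still rewrites to the expected `ou=people` entry; what does distinguish the mapped entries afterwards is whether an entry with that DN exists. It also makes the ordering visible: the mapping belongs to the SASL layer and is reached only after the TLS handshake has accepted the client certificate, whereas the `unsupported certificate` alert in the trace is raised by the TLS layer itself, so a subject-DN or objectClass comparison cannot explain that alert on its own.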