I'have download and compiled some versions of gnutls and this is the result:
gnutls-2.8.5: works
gnutls-2.12.19: fail
gnutls-3.0.19: fail

this must affect distributions in which ldaps connections are based in gnutls (I only know debian and ubuntu).

the problem can be tested with this command:
gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es

in you have a problematic gnutls version the command would end with these lines:
...
|<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
|<4>| REC[0x9bb40d0]: Epoch #0 freed
|<4>| REC[0x9bb40d0]: Epoch #1 freed
pasqual@ubuntuprovesfreeipa:~/gnutls-2.12.19$

any idea in how to make this work?

Al 11/05/12 13:16, En/na pasqual milvaques ha escrit:
I'm trying to join an ubuntu 12.04 machine to freeipa domain installed in a centos 6.2 machine and it seems there is some problem with the tls negotiacion. ubuntu 12.04 uses gnutls instead of openssl so the problem could be there but I don't know how to solve it. with the ldapsearch command I can also reproduce the fail

I have opened this ubuntu bug as freeipa now has a native client package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990

any idea?

this is the log of the operation:

pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
[sudo] password for pasqual:
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later

root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchldap(linux.gva.es)]
root : DEBUG [ipadnssearchldap(gva.es)]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG [ipadnssearchldap(linux.gva.es)]
root : DEBUG [ipadnssearchldap(gva.es)]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG Domain not found
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): linux.gva.es
root : DEBUG will use domain: linux.gva.es

root : DEBUG [ipadnssearchldap]
root : DEBUG IPA Server not found
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.es
root : DEBUG will use server: freeipaserver.linux.gva.es

root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 http://freeipaserver.linux.gva.es/ipa/config/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=--2012-05-11 12:06:09-- http://freeipaserver.linux.gva.es/ipa/config/ca.crt Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99 S'està connectant a freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.
HTTP: Petició enviada, esperant resposta... 200 OK
Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
S'està desant a: «/tmp/tmpWptXwb/ca.crt»

     0K . 100% 38.4M=0s

2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» [1325/1325]

root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389
root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.
Failed to verify that freeipaserver.linux.gva.es is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.
pasqual@ubuntuprovesfreeipa:~$


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

<<attachment: milvaques_pas.vcf>>

Attachment: smime.p7s
Description: Signatura criptogràfica S/MIME

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to