I'have download and compiled some versions of gnutls and this is the result: gnutls-2.8.5: works gnutls-2.12.19: fail gnutls-3.0.19: fail
this must affect distributions in which ldaps connections are based in gnutls (I only know debian and ubuntu).
the problem can be tested with this command: gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.esin you have a problematic gnutls version the command would end with these lines:
... |<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes] |<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151 |<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156 |<2>| ASSERT: gnutls_buffers.c:640 |<2>| ASSERT: gnutls_record.c:969 |<2>| ASSERT: gnutls_handshake.c:2762 *** Fatal error: A TLS packet with unexpected length was received. |<4>| REC: Sending Alert[2|22] - Record overflow |<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2 |<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7 *** Handshake has failed GnuTLS error: A TLS packet with unexpected length was received. |<4>| REC[0x9bb40d0]: Epoch #0 freed |<4>| REC[0x9bb40d0]: Epoch #1 freed pasqual@ubuntuprovesfreeipa:~/gnutls-2.12.19$ any idea in how to make this work? Al 11/05/12 13:16, En/na pasqual milvaques ha escrit:
I'm trying to join an ubuntu 12.04 machine to freeipa domain installed in a centos 6.2 machine and it seems there is some problem with the tls negotiacion. ubuntu 12.04 uses gnutls instead of openssl so the problem could be there but I don't know how to solve it. with the ldapsearch command I can also reproduce the failI have opened this ubuntu bug as freeipa now has a native client package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990any idea? this is the log of the operation:pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates[sudo] password for pasqual:root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}root : DEBUG missing options might be asked for interactively laterroot : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'root : DEBUG [ipadnssearchldap(linux.gva.es)] root : DEBUG [ipadnssearchldap(gva.es)] root : DEBUG [ipadnssearchldap(es)] root : DEBUG [ipadnssearchldap(linux.gva.es)] root : DEBUG [ipadnssearchldap(gva.es)] root : DEBUG [ipadnssearchldap(es)] root : DEBUG Domain not found DNS discovery failed to determine your DNS domainProvide the domain name of your IPA server (ex: example.com): linux.gva.esroot : DEBUG will use domain: linux.gva.es root : DEBUG [ipadnssearchldap] root : DEBUG IPA Server not found DNS discovery failed to find the IPA ServerProvide your IPA server name (ex: ipa.example.com): freeipaserver.linux.gva.esroot : DEBUG will use server: freeipaserver.linux.gva.es root : DEBUG [ipadnssearchkrb] root : DEBUG [ipacheckldap]root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2 http://freeipaserver.linux.gva.es/ipa/config/ca.crtroot : DEBUG stdout=root : DEBUG stderr=--2012-05-11 12:06:09-- http://freeipaserver.linux.gva.es/ipa/config/ca.crt Resolent freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)... 192.168.222.99 S'està connectant a freeipaserver.linux.gva.es (freeipaserver.linux.gva.es)|192.168.222.99|:80... conectat.HTTP: Petició enviada, esperant resposta... 200 OK Longitud: 1325 (1.3K) [application/x-x509-ca-cert] S'està desant a: «/tmp/tmpWptXwb/ca.crt» 0K . 100% 38.4M=0s2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» [1325/1325]root : DEBUG Init ldap with: ldap://freeipaserver.linux.gva.es:389root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.Failed to verify that freeipaserver.linux.gva.es is an IPA Server. This may mean that the remote server is not up or is not reachable due to network or firewall settings. Installation failed. Rolling back changes. IPA client is not configured on this system. pasqual@ubuntuprovesfreeipa:~$ _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
<<attachment: milvaques_pas.vcf>>
smime.p7s
Description: Signatura criptogràfica S/MIME
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
