Kapetanakis Giannis wrote:
> On 23/10/2019 19:14, Predrag Punosevac wrote:
> > Hi Misc,
> >
> > I just upgraded a LDAP server from 6.5 to 6.6 running authorization and
> > authentication services for a 100-some-member university research group.
> > It appears TLS handshake is broken. This worked perfectly on 6.5 and
> > earlier.
> >
> > titan# uname -a
> > OpenBSD titan.int.autonlab.org 6.6 GENERIC.MP#372 amd64
> >
> > I am using LDAP daemon from the base
> >
> > titan# more /etc/ldapd.conf
> > # $OpenBSD: ldapd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
> >
> > schema "/etc/ldap/core.schema"
> > schema "/etc/ldap/inetorgperson.schema"
> > schema "/etc/ldap/nis.schema"
> >
> > listen on lo0 tls certificate titan
> > listen on em0 tls certificate titan
> > listen on "/var/run/ldapi"
> >
> > namespace "dc=autonlab,dc=org" {
> > rootdn "cn=admin,dc=autonlab,dc=org"
> > rootpw "{SSHA}secret"
> > index sn
> > index givenName
> > index cn
> > index mail
> > }
> >
> >
> > Server certificate is regenerated and signed by my own certificate
> > authority which is on a different machine. I used easy-rsa just like
> > for one of my OpenBSD servers.
> >
> >
> > This is the configuration of openldap-client on the LDAP server itself
> > which is used to modify database
> >
> > titan# pkg_info |grep openldap
> > openldap-client-2.4.48 open-source LDAP software (client)
> > openldap-server-2.4.48 open-source LDAP software (server)
> >
> > titan# more ldap.conf
> > BASE dc=autonlab,dc=org
> > URI ldap://titan.int.autonlab.org:389
> >
> > SIZELIMIT 12
> > TIMELIMIT 15
> > DEREF never
> >
> > SSL START_TLS
> > TLS_REQCERT demand
> >
> > TLS_CACERT /etc/ldap/certs/ca.crt
> > TLS_CERT /etc/ldap/certs/titan.crt
> > TLS_CACERTDIR /etc/ldap/certs
> > TLS_CIPHER_SUITE
> > ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
> > TLS_PROTOCOL_MIN 3.3
> >
> > I didn't change DNS settings and I even have
> >
> > titan# more /etc/hosts
> > 127.0.0.1 localhost
> > ::1 localhost
> > 192.168.6.1 titan.int.autonlab.org titan
> >
> >
> > I would appreciate any clues.
> >
> > Cheers,
> > Predrag Punosevac
> >
> >
> >
>
> ldapsearch -d9 might give some hint.
>
> openssl s_client -connect titan.int.autonlab.org:389 -starttls ldap
>
> might also give something.
Thank you so much for these hints. This is what I have done. I have
rebuilt an LDAP server using 6.5

deimos# uname -a
OpenBSD deimos.int.autonlab.org 6.5 GENERIC.MP#5 amd64

with identical configuration to the nonfunctional server

titan# uname -a
OpenBSD titan.int.autonlab.org 6.6 GENERIC.MP#372 amd64

On the fully functional server I see

deimos# ldapsearch -d9 -ZZ -D "cn=admin,dc=autonlab,dc=org" -W
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP deimos.int.autonlab.org:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.6.253:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0xea5c2f97080 msgid 1
wait4msg ld 0xea5c2f97080 msgid 1 (infinite timeout)
wait4msg continue ld 0xea5c2f97080 msgid 1 all 1
** ld 0xea5c2f97080 Connections:
* host: deimos.int.autonlab.org port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Oct 23 23:16:25 2019
** ld 0xea5c2f97080 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0xea5c2f97080 request count 1 (abandoned 0)
** ld 0xea5c2f97080 Response Queue:
Empty
ld 0xea5c2f97080 response count 0
ldap_chkResponseList ld 0xea5c2f97080 msgid 1 all 1
ldap_chkResponseList returns ld 0xea5c2f97080 NULL
ldap_int_select
read1msg: ld 0xea5c2f97080 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
read1msg: ld 0xea5c2f97080 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xea5c2f97080 0 new referrals
read1msg: mark request completed, ld 0xea5c2f97080 msgid 1
request done: ld 0xea5c2f97080 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/C=US/ST=Pennsylvania/L=Pittsburgh/O=Carnegie Mellon University/OU=The
Auton Lab/CN=The Auton Lab CA/[email protected], issuer:
/C=US/ST=Pennsylvania/L=Pittsburgh/O=Carnegie Mellon University/OU=The
Auton Lab/CN=The Auton Lab CA/[email protected]
TLS certificate verification: depth: 0, err: 0, subject:
/C=US/ST=Pennsylvania/L=Pittsburgh/O=Carnegie Mellon University/OU=Auton
Lab/CN=deimos.int.autonlab.org/[email protected], issuer:
/C=US/ST=Pennsylvania/L=Pittsburgh/O=Carnegie Mellon University/OU=The
Auton Lab/CN=The Auton Lab CA/[email protected]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
Enter LDAP Password:

Running the same command on the broken server (yes, I did adjust the
openldap-client configuration files) I get

titan# ldapsearch -d9 -ZZ -D "cn=admin,dc=autonlab,dc=org" -W
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP titan.int.autonlab.org:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.6.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x205a81804c0 msgid 1
wait4msg ld 0x205a81804c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x205a81804c0 msgid 1 all 1
** ld 0x205a81804c0 Connections:
* host: titan.int.autonlab.org port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Oct 23 23:17:35 2019
** ld 0x205a81804c0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x205a81804c0 request count 1 (abandoned 0)
** ld 0x205a81804c0 Response Queue:
Empty
ld 0x205a81804c0 response count 0
ldap_chkResponseList ld 0x205a81804c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x205a81804c0 NULL
ldap_int_select
read1msg: ld 0x205a81804c0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
read1msg: ld 0x205a81804c0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x205a81804c0 0 new referrals
read1msg: mark request completed, ld 0x205a81804c0 msgid 1
request done: ld 0x205a81804c0 msgid 1
res_errno: 2, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Protocol error (2)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Unfortunately openssl s_client doesn't support -starttls prot ldap:

-starttls prot - use the STARTTLS command before starting TLS
for those protocols that support it, where
'prot' defines which one to assume. Currently,
only "smtp", "lmtp", "pop3", "imap", "ftp" and "xmpp"
are supported.

but running on the non-functional server

titan# openssl s_client -connect titan.int.autonlab.org:389

I see

CONNECTED(00000003)
18657820038560:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl
handshake failure:/usr/src/lib/libssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1571887279
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

which tonight looks identical to the output of the same command on the
functional server

deimos# openssl s_client -connect deimos.int.autonlab.org:389
CONNECTED(00000003)
24422772542624:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl
handshake failure:/usr/src/lib/libssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1571887348
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

I am out of fuel to look more at this tonight but I am 99% sure something
has changed in 6.6 which broke things. Maybe my configuration was
wrong all along and in 6.6 a few screws got tightened up, which bit me in
the rear end. I would appreciate any further comments or suggestions on how
to debug this. I would also appreciate any reports of fully working ldapd
on 6.6 release.

Best,
Predrag
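Since the s_client shipped with 6.6 has no -starttls ldap, the following probe (added here as an illustration; it is not code from this thread, from ldapd or from OpenLDAP) performs the StartTLS exchange by hand: it sends the ExtendedRequest for OID 1.3.6.1.4.1.1466.20037, decodes the server's resultCode (the "Protocol error (2)" seen on titan is that value), and only wraps the socket in TLS when the server answered success. Host names and the CA path are assumed from the thread purely as example arguments; the BER handling is limited to short-form lengths, which is enough for this exchange.

```python
"""Minimal LDAP StartTLS probe (RFC 4511 / RFC 4513): request, decode
the ExtendedResponse resultCode, then wrap the same socket in TLS."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                52: "unavailable", 53: "unwillingToPerform"}

def ber_tlv(tag, payload):
    """Encode one BER TLV (short definite length only, payload < 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def build_starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + ext_req)

def read_tlv(buf, pos):
    """Decode one short-form TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled by this probe")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_extended_response(buf):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse LDAPMessage."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msgid, pos = read_tlv(msg, 0)            # messageID INTEGER
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:                              # ExtendedResponse [APPLICATION 24]
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = read_tlv(body, 0)             # resultCode ENUMERATED
    _, _matched, pos = read_tlv(body, pos)       # matchedDN LDAPDN
    _, diag, _ = read_tlv(body, pos)             # diagnosticMessage
    return code[0], diag.decode("utf-8", "replace")

def probe(host, port=389, cafile=None):
    """Run StartTLS against host:port; return the negotiated TLS version or None."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(build_starttls_request())
        code, diag = parse_extended_response(sock.recv(4096))  # one small PDU expected
        print("StartTLS resultCode %d (%s) %r" % (code, RESULT_NAMES.get(code, "?"), diag))
        if code != 0:
            return None                                        # no TLS attempted
        ctx = ssl.create_default_context(cafile=cafile)        # private CA via cafile
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Against the servers in the thread this would be called as probe("titan.int.autonlab.org", cafile="/etc/ldap/certs/ca.crt"); a non-zero resultCode printed before any TLS bytes are exchanged confirms the failure is in ldapd's handling of the extended operation rather than in the TLS handshake itself.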