https://bugs.openldap.org/show_bug.cgi?id=9568

          Issue ID: 9568
           Summary: ldapsearch command not working with ECC certificates
           Product: OpenLDAP
           Version: 2.4.56
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: ---
         Component: client tools
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Hi,
The LDAP server is configured with an ECC certificate.
The LDAP server certificates are generated using the openssl command.

mTLS is enabled on the LDAP server side.

For the LDAP client (ldapsearch), we have tried client certs using RSA and ECC.
When the server is configured with ECC certs, the client is not able to connect to the server.

Please let us know if the OpenLDAP clients work with ECC certificates (prime256v1 curve).

We tried the scenarios below; neither is working:
1. OpenLDAP server and client with ECC certificates
2. OpenLDAP server with ECC certificate and client with RSA certificate

We are getting the errors below.

--------client side details-----------------
----------------------------------------
$ cat  ~/.ldaprc
TLS_CACERT /tmp/ec_cacert.pem
TLS_CERT /tmp/rsa_client.pem
TLS_KEY /tmp/rsa_client.key
TLS_REQCERT never
TLS_PROTOCOL_MIN 3.2

--------------------------------------------------

## ldapsearch command is failing (with -Z and -ZZ)  
$ ldapsearch -x  -h 10.21.21.2  -p 389 -D "cn=admin" -w 'admin1' -b "uid=001,dc=test1" -Z -d 1
ldap_create
ldap_url_parse_ext(ldap://10.21.21.2:389)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.21.21.2:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.21.21.2:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f94593a6210 msgid 1
wait4msg ld 0x7f94593a6210 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f94593a6210 msgid 1 all 1
** ld 0x7f94593a6210 Connections:
* host: 10.21.21.2  port: 389(default)
  refcnt: 2  status: Connected
  last used: Thu Jun  3 11:28:26 2021


** ld 0x7f94593a6210 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f94593a6210 request count 1 (abandoned 0)
** ld 0x7f94593a6210 Response Queue:
   Empty
  ld 0x7f94593a6210 response count 0
ldap_chkResponseList ld 0x7f94593a6210 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f94593a6210 NULL
ldap_int_select
read1msg: ld 0x7f94593a6210 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7f94593a6210 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f94593a6210 0 new referrals
read1msg:  mark request completed, ld 0x7f94593a6210 msgid 1
request done: ld 0x7f94593a6210 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)'
certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: loaded CA certificate file /tmp/ec_cacert.pem.
TLS: error: the certificate '/tmp/rsa_client.pem' could not be found in the database - error -8174:security library: bad database..
TLS: certificate '/tmp/rsa_client.pem' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldapclient,OU=test,O=example,L=Banaglore,ST=Karnataka,C=IN'.
TLS: certificate [CN=ldapclient,OU=test,O=example,L=Banaglore,ST=Karnataka,C=IN] is valid
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error -5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS error -5938:Encountered end of file
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 30 bytes to sd 3
ldap_result ld 0x7f94593a6210 msgid 2
wait4msg ld 0x7f94593a6210 msgid 2 (infinite timeout)
wait4msg continue ld 0x7f94593a6210 msgid 2 all 1
** ld 0x7f94593a6210 Connections:
* host: 10.21.21.2  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jun  3 11:28:26 2021


** ld 0x7f94593a6210 Outstanding Requests:
* msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f94593a6210 request count 1 (abandoned 0)
** ld 0x7f94593a6210 Response Queue:
   Empty
  ld 0x7f94593a6210 response count 0
ldap_chkResponseList ld 0x7f94593a6210 msgid 2 all 1
ldap_chkResponseList returns ld 0x7f94593a6210 NULL
ldap_int_select
read1msg: ld 0x7f94593a6210 msgid 2 all 1
ber_get_next
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 1 1
ldap_free_connection: actually freed
$


Thanks and regards,
Adishesh
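The reporter's ~/.ldaprc, the "errno 21: Is a directory" in the trace and the RSA-versus-ECC question can all be checked offline before touching the server. The following is an added example, not part of this bug report or of OpenLDAP: it parses an ldaprc, reports the key type of each PEM it names by a heuristic scan of the DER for the rsaEncryption / id-ecPublicKey / prime256v1 OIDs, and flags TLS_REQCERT never and a TLS_PROTOCOL_MIN below 3.3 (TLS 1.2 in ldap.conf(5) notation). The PEM files are constructed stand-ins (not real certificates) so the check runs without the reporter's files.

```python
import base64
import re
RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"  # DER OID rsaEncryption 1.2.840.113549.1.1.1
EC_OID = b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"           # DER OID id-ecPublicKey 1.2.840.10045.2.1
P256_OID = b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"     # DER OID prime256v1 1.2.840.10045.3.1.7
ALG_OIDS = {RSA_OID: "RSA", EC_OID: "EC"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
WEAK_MIN = {"3.0": "SSLv3", "3.1": "TLS 1.0", "3.2": "TLS 1.1"}  # ldap.conf(5) TLS_PROTOCOL_MIN notation

def pem_key_type(pem_text):
    """Heuristic: 'RSA', 'EC/<curve>' or None, by scanning the first PEM block's DER for known OIDs."""
    m = PEM_RE.search(pem_text)
    if m is None:
        return None
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    algo = next((name for oid, name in ALG_OIDS.items() if oid in der), None)
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):  # legacy PEM labels already name the algorithm
        algo = label.split()[0]
    if algo == "EC":
        return "EC/prime256v1" if P256_OID in der else "EC/unknown-curve"
    return algo

def check_ldaprc(ldaprc_text, files):
    """files maps path -> PEM text, or None for a path that exists but is not a regular file."""
    opts, key_types, findings = {}, {}, []
    for line in ldaprc_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1].strip()
    for opt in ("TLS_CACERT", "TLS_CERT", "TLS_KEY"):
        path = opts.get(opt)
        if path in files and files[path] is not None:
            key_types[opt] = pem_key_type(files[path])
        elif path is not None:
            findings.append(f"{opt}: {path} is not a readable regular file (a directory gives errno 21 'Is a directory')")
    if "TLS_CERT" in key_types and "TLS_KEY" in key_types and key_types["TLS_CERT"] != key_types["TLS_KEY"]:
        findings.append(f"TLS_CERT ({key_types['TLS_CERT']}) and TLS_KEY ({key_types['TLS_KEY']}) do not match")
    if opts.get("TLS_REQCERT", "demand") == "never":
        findings.append("TLS_REQCERT never: the server certificate is not verified at all; use demand")
    if opts.get("TLS_PROTOCOL_MIN") in WEAK_MIN:
        findings.append(f"TLS_PROTOCOL_MIN {opts['TLS_PROTOCOL_MIN']} still allows {WEAK_MIN[opts['TLS_PROTOCOL_MIN']]}; use 3.3 (TLS 1.2)")
    return key_types, findings

# Constructed stand-ins for the files named in the reporter's ~/.ldaprc; they are not real certificates.
def _fake_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
SAMPLE_LDAPRC = "TLS_CACERT /tmp/ec_cacert.pem\nTLS_CERT /tmp/rsa_client.pem\nTLS_KEY /tmp/rsa_client.key\nTLS_REQCERT never\nTLS_PROTOCOL_MIN 3.2\n"
SAMPLE_FILES = {"/tmp/ec_cacert.pem": _fake_pem("CERTIFICATE", b"\x30\x11" + EC_OID + P256_OID),
                "/tmp/rsa_client.pem": _fake_pem("CERTIFICATE", b"\x30\x0b" + RSA_OID),
                "/tmp/rsa_client.key": _fake_pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")}
```

To run it against a real client, read each TLS_* path into the files dict and pass None for any path that os.path.isfile() rejects.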
