First, I want to thank everybody for answering my questions. I have been trying to start the ldap service with tls/ssl, but when I start slapd (slapd -d127 -h "ldaps:///") it shows the message below:
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0
*TLS: can't accept.*
*connection_read(12): TLS accept failure error=-1 id=4, closing*
*connection_closing: readying conn=4 sd=12 for close*
*connection_close: conn=4 sd=12*
*daemon: removing 12*
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
>>> slap_listener(ldaps:///)
daemon: listen=8, new connection on 12
daemon: added 12r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=5
connection_read(12): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=0

I did a test of the SSL connection:

openssl s_client -connect localhost:636 -state -CAfile /etc/openldap/chaves/cacert.pem -key /etc/openldap/chaves/serverkey.pem -cert /etc/openldap/chaves/servercrt.pem

*Result*

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=[email protected]
verify return:1
depth=0 /C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=[email protected]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=[email protected]
   i:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=[email protected]
 1 s:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=[email protected]
   i:/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC7TCCAlagAwIBAgIBATANBgkqhkiG9w0BAQUFADB0MQswCQYDVQQGEwJCUjEL
MAkGA1UECBMCRGYxDzANBgNVBAoTBkFpbmZyYTEPMA0GA1UECxMGQWluZnJhMRUw
EwYDVQQDEwxMaW51eERlZmF1bHQxHzAdBgkqhkiG9w0BCQEWEGJydW5vQGFpbmZy
YS5uZXQwHhcNMDkxMjExMTE0NTA3WhcNMTAxMjExMTE0NTA3WjCBhzELMAkGA1UE
BhMCQlIxCzAJBgNVBAgTAkRGMREwDwYDVQQHEwhCcmFzaWxpYTEPMA0GA1UEChMG
QWluZnJhMQ8wDQYDVQQLEwZBaW5mcmExFTATBgNVBAMTDExpbnV4RGVmYXVsdDEf
MB0GCSqGSIb3DQEJARYQYnJ1bm9AYWluZnJhLm5ldDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAuZc4XzZD2yNKKtbzSsFZETNsKGKWxNfJ2R/Qz85vTkvmRHk3
kbfsqEiFnHVZFehg5BOyaa9HKQO4MkrI5HgjLitDg2Lb38B6Ol0ENSClUF/0BcoQ
rgWDc14qANkA5zMaT90FF18GkcuY26lV15HEsJVOymroKZ460YmhwlFzT40CAwEA
AaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFNhWyiIOJR9bIJB1bM5tgPYu9EAFMB8G
A1UdIwQYMBaAFCmQRsAs/UNo/7VQUGnRXp6GRi1SMA0GCSqGSIb3DQEBBQUAA4GB
AMJqfAQK/gbRMqiDm+Gm+iNUO4N93JdtT4eDcErEapd7lC4IMzjxCO8L9QYAjY9h
NBXF5MN61ZlTPA++FX2eCbU6pdOw4gL9RnSyxWjUSVv0wTz57J87mMaPTNHHb5mP
cqPjqEu7Gpe6is04qOQsI3HCwFWYcY96PHqtrlgHeQDT
-----END CERTIFICATE-----
subject=/C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=[email protected]
issuer=/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault/emailAddress=[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1651 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: BC50DC3AD20A932A59FF109F33C6703632CDBB32A4BFF29C3A716119083B8044
    Session-ID-ctx:
    Master-Key: DC38E06060E9473E21B043743718B690EFA4CA50AEE53CA6C7026741F2C026C5058366CF0DC7798DA395D47BCD7E747B
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1260541294
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

For me this is ok!!! How should I resolve this problem?

2009/12/10 Michael Ströder <[email protected]>
> Dieter Kluenter wrote:
> > Bruno Steven <[email protected]> writes:
> >> I am trying to configure openldap to work with tls, but I have two questions about this. First,
> >> when I use tls openldap uses port 389 and ssl port 639, is this correct?
> >> Second, how can I test the connection between client and server, that cryptography is working?
> >
> > There is no ssl port! SSL (Secure Socket Layer) is a proprietary,
> > licence-based protocol, owned by Netscape? I don't know whether the
> > IPR of this protocol have been part of the Netscape/AOL deal. OpenLDAP,
> > and most other network based applications, have implemented Transport
> > Layer Security (TLS), RFC 2246. As an LPI certified professional you
> > should be aware of this.
>
> Sorry Dieter, don't mess up things. Your comment is at least strongly
> misleading: E.g. OpenSSL (also libnss) certainly implements SSLv3 (and even
> insecure SSLv2) and you can use that to connect to 3rd party LDAP servers with
> the OpenLDAP client libs or connect to OpenLDAP servers.
>
> > OpenLDAP uses port 639,
>
> nb2:~ # grep ldaps /etc/services
> ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
> ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
>
> > You may test your TLS session with:
> > openssl s_client -connect localhost:639 -CAfile <file>
>                                      ^
> 636, if slapd was started with -h "ldaps://"
>
> Ciao, Michael.

--
Bruno Steven - Systems administrator.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification
MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx

Before printing this message, think about your ecological responsibility and environmental commitment.
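The check Michael suggests (openssl s_client against port 636 with the CA file) is the direct way to confirm that an LDAPS listener's TLS setup is sound from the client side; the slapd trace above is less informative on its own, because `tls_read: want=11, got=0` only says the peer closed the socket before any handshake bytes arrived. The script below is an added example, not code from the thread or from the OpenLDAP project: it wraps that s_client probe in a function and then parses the SSL-Session report for the verify result, the negotiated protocol and the cipher, flagging a verified but obsolete protocol separately from a failed chain verification. The function names, the TLS 1.2+ policy and the sample s_client output (constructed to match the shape of the session in the thread) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): probe an LDAPS listener with
# openssl s_client and evaluate the resulting report.
# Function names, the protocol policy and SAMPLE_OUTPUT are assumptions.

# Probe HOST:PORT (636 for ldaps) and return s_client's report on stdout.
# Stdin is redirected from /dev/null so s_client exits once the handshake
# has completed instead of waiting for interactive input.
ldaps_probe() {
    host=$1; port=${2:-636}; cafile=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -state </dev/null 2>&1
}

# Read an s_client report on stdin; succeed only if the server chain
# verified against the CA file that was supplied.
ldaps_verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Extract the negotiated protocol / cipher from the SSL-Session block on stdin.
ldaps_protocol() { sed -n 's/^ *Protocol *: *//p' | head -n 1; }
ldaps_cipher()   { sed -n 's/^ *Cipher *: *//p'   | head -n 1; }

# Policy (assumption): only TLS 1.2 and 1.3 are acceptable today; the
# TLSv1 session in the thread would be flagged as obsolete.
protocol_acceptable() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample report, shaped like the s_client session in the thread.
SAMPLE_OUTPUT=$(cat <<'EOF'
CONNECTED(00000003)
SSL_connect:SSLv3 read finished A
---
Server certificate
subject=/C=BR/ST=DF/L=Brasilia/O=Ainfra/OU=Ainfra/CN=LinuxDefault
issuer=/C=BR/ST=Df/O=Ainfra/OU=Ainfra/CN=LinuxDefault
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 0 (ok)
---
EOF
)

# Evaluate one report. Exit status: 0 = chain verified and protocol
# acceptable, 2 = chain verified but protocol obsolete, 1 = chain not verified.
ldaps_report() {
    out=$1
    proto=$(printf '%s\n' "$out" | ldaps_protocol)
    cipher=$(printf '%s\n' "$out" | ldaps_cipher)
    if printf '%s\n' "$out" | ldaps_verify_ok; then
        echo "chain verified; protocol=$proto cipher=$cipher"
        protocol_acceptable "$proto" && return 0
        echo "protocol $proto is obsolete; restrict slapd to TLS 1.2 or newer"
        return 2
    fi
    echo "chain NOT verified: $(printf '%s\n' "$out" | grep 'Verify return code')"
    return 1
}

# Usage: sh ldaps-check.sh HOST PORT /path/to/cacert.pem
if [ $# -ge 3 ]; then
    ldaps_report "$(ldaps_probe "$1" "$2" "$3")"
fi
```

Run with no arguments the script only defines the functions and the sample, so it can be sourced into another script; with a host, port and CA file it performs the live probe. Note that the probe uses only the CA file, not the server's own key and certificate as in the command in the thread: a client checking a server does not need the server's private key, and keeping that key off client machines is part of the point of TLS.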
