Hi,

I'm having difficulty making tools like ldapsearch accept SSL certificates 
signed by a Windows domain controller, even when the trust chain seems good. 
The problem extends to PHP, which uses openldap (PHP debug logging shows the 
exact same errors).

We manually trusted the CA certificate of the domain controller:

    cp -v /tmp/PDC02CA.crt /usr/local/share/ca-certificates
    update-ca-certificates

OpenSSL approves it (it doesn't approve without the previous step):

    # openssl verify -verify_hostname PDC01.city.cmpny.local /tmp/PDC01.city.cmpny.local.crt
    /tmp/PDC01.city.cmpny.local.crt: OK

And:

    openssl s_client -verify_hostname PDC01.city.cmpny.local -connect PDC01.city.cmpny.local:3269

    CONNECTED(00000005)
    depth=1 DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA
    verify return:1
    depth=0
    verify return:1
    ---
    Certificate chain
    0 s:
    i:DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA


But ldapsearch just will not approve it:

    $ ldapsearch -d1 -H ldaps://PDC01.city.cmpny.local:3269
    ldap_url_parse_ext(ldaps://PDC01.city.cmpny.local:3269)
    ldap_create
    ldap_url_parse_ext(ldaps://PDC01.city.cmpny.local:3269/??base)
    [..snip...]
    ldap_connect_to_host: TCP PDC01.city.cmpny.local:3269
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 10.105.10.10:3269
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect: 
    connect success
    TLS: peer cert untrusted or revoked (0x102)
    TLS: can't connect: (unknown error code).
    ldap_msgfree
    ldap_err2string
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
            additional info: (unknown error code)


Running 'strace' shows that '/etc/ssl/certs/ca-certificates.crt' is properly 
read. I have tried all the standard tricks with 'LDAPTLS_CACERT' and 
'TLS_CACERT', pointing directly to '/tmp/PDC02CA.crt', and editing 
'/etc/ldap/ldap.conf' with all possible permutations. Nothing works, except 
'TLS_REQCERT never'.

Other certificates are accepted when testing public servers. They are just 
https, but for SSL tests that doesn't matter. Like: 

    ldapsearch -d1 -H ldaps://www.google.com:443

Or 

    ldapsearch -d1 -H ldaps://www.amazon.co.uk:443

The latter only has the correct domain name in the 'subject alternative name', 
not the common name. I theorized that maybe the SAN was a cause, but this test 
result, and [1], show that it should work fine.

If I deliberately try to create a hostname mismatch, it says: 'TLS: hostname 
(blabla.com) does not match common name in certificate (www.amazon.co.uk)'. 
Very different from my 'peer cert untrusted or revoked'.

Could this be a bug (in GnuTLS)?

Versions:

    ldapsearch: @(#) $OpenLDAP: ldapsearch  (Ubuntu) (Feb 18 2021 14:22:42)
    Ubuntu: 18.04.5 LTS
    libgnutls30: 3.5.18-1ubuntu1.4


Regards,

Wiebe


[1] https://www.openldap.org/lists/openldap-technical/201310/msg00167.html
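Added example, not part of the original post and not OpenLDAP's or OpenSSL's own code: a throwaway lab that rebuilds the shape of the certificate seen in the s_client output above (issuer DN copied from the post, empty subject at depth 0, hostname only in the SAN) and runs the same OpenSSL checks the post uses, so the three outcomes a client can report ("OK", hostname mismatch, untrusted issuer) can be compared offline. The hostname, the CA DN and all key material are constructed; the ldapsearch probe pinned to an explicit CA file is defined for use against a real DC but is not executed here.

```shell
#!/bin/sh
# Added example (constructed lab, not the thread's real certificates).
# Builds a CA whose DN mimics the issuer in the post, signs a leaf with an
# EMPTY subject and the hostname only in the SAN, then runs the OpenSSL
# checks from the post so the failure modes can be compared side by side.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch dir for keys and certs
HOST="pdc01.city.cmpny.local"         # assumed hostname, as in the post

make_lab() {
  # Root CA: DN copied from the s_client output, constructed key material.
  # Extensions come only from -extfile so the result does not depend on
  # whatever openssl.cnf the local install ships.
  openssl req -new -batch -newkey rsa:2048 -nodes \
    -subj "/DC=local/DC=cmpny/DC=city/CN=city-PDC02-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.cnf"
  openssl x509 -req -days 2 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.cnf" -out "$WORK/ca.crt" >/dev/null 2>&1

  # Leaf CSR with an EMPTY subject DN ("-subj /" yields no RDNs at all),
  # mirroring the blank "0 s:" line in the post's s_client output.
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  # RFC 5280: when the subject is empty the SAN must be marked critical.
  printf 'subjectAltName=critical,DNS:%s\n' "$HOST" > "$WORK/san.cnf"
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.cnf" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Which names does the leaf actually carry? With an empty subject there is
# no CN for a client to fall back on, so the SAN is the only place to look.
show_names() {
  openssl x509 -in "$WORK/leaf.crt" -noout -subject -issuer -ext subjectAltName
}

# Chain plus hostname check pinned to one CA file; returns openssl's exit
# status and prints its verdict.   usage: verify_against <cafile> <hostname>
verify_against() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.crt" 2>&1
}

# Same leaf with no CA file at all, i.e. what an unpopulated trust store
# looks like (expected: "unable to get local issuer certificate").
verify_untrusted() {
  openssl verify -no-CAfile -no-CApath "$WORK/leaf.crt" 2>&1
}

# ldapsearch probe pinned to an explicit CA file with checking forced on,
# instead of relying on whatever /etc/ldap/ldap.conf resolves to. Needs a
# reachable DC, so it is defined but not run.  usage: ldap_probe <cafile> <host>
ldap_probe() {
  LDAPTLS_CACERT="$1" LDAPTLS_REQCERT=demand \
    ldapsearch -d1 -x -H "ldaps://$2:3269" -b '' -s base
}

make_lab
show_names
echo "--- CA file trusted, correct hostname:"
verify_against "$WORK/ca.crt" "$HOST" || true
echo "--- CA file trusted, wrong hostname:"
verify_against "$WORK/ca.crt" "blabla.com" || true
echo "--- no CA at all:"
verify_untrusted || true
```

The point of the side-by-side run is that OpenSSL reports a missing trust anchor and a hostname mismatch as two distinct errors, which is the same distinction the post notices between 'peer cert untrusted or revoked' and 'hostname ... does not match'. Against the real DC, `ldap_probe /usr/local/share/ca-certificates/PDC02CA.crt PDC01.city.cmpny.local` runs the post's ldapsearch test with the CA file and `demand` set in the environment, which rules out a stale or unread ldap.conf as the reason the CA is not being picked up.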
