Hi!

After "playing" a significant time with certificate authentication, I managed to 
authenticate one user. However, when I tried to authenticate a different user 
with a similar certificate, I see a

TLS trace: SSL3 alert read:fatal:unsupported certificate

error. Can I get some details about the "unsupportedness" of my certificate? The 
only thing I could think of is that the uid of the newer certificate has a CN that 
is three characters longer than the one that worked.

A more complete trace for ldapwhoami would look like this:
...
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /.... Root-CA (2018), 
issuer: /... Root-CA (2018)
TLS certificate verification: depth: 1, err: 0, subject: /... Host-CA (2018), 
issuer: /... Root-CA (2018)
TLS certificate verification: depth: 0, err: 0, subject: /... FQHN, issuer: 
/... Host-CA (2018)
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write certificate verify
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_int_sasl_open: host=FQHN
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 26 bytes to sd 3
ldap_msgfree
ldap_result ld 0x56432476ac30 msgid 2
wait4msg ld 0x56432476ac30 msgid 2 (infinite timeout)
wait4msg continue ld 0x56432476ac30 msgid 2 all 1
** ld 0x56432476ac30 Connections:
* host: FQHN  port: 389  (default)
* from: IP=172.20.16.36:57868
  refcnt: 2  status: Connected
  last used: Wed Mar  5 15:42:03 2025


** ld 0x56432476ac30 Outstanding Requests:
* msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x56432476ac30 request count 1 (abandoned 0)
** ld 0x56432476ac30 Response Queue:
   Empty
  ld 0x56432476ac30 response count 0
ldap_chkResponseList ld 0x56432476ac30 msgid 2 all 1
ldap_chkResponseList returns ld 0x56432476ac30 NULL
ldap_int_select
read1msg: ld 0x56432476ac30 msgid 2 all 1
ber_get_next
TLS trace: SSL3 alert read:fatal:unsupported certificate
ber_get_next failed, errno=0.
ldap_err2string
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
...

Kind regards,
Ulrich Windl

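One common source of the "unsupported certificate" alert seen in the trace is a purpose-check failure on the server side: OpenSSL maps the verification error X509_V_ERR_INVALID_PURPOSE (for example an extendedKeyUsage that lacks clientAuth) to exactly that TLS alert, and the same check can be run offline against the offending certificate with `openssl verify -purpose sslclient -CAfile <trusted CA>`. The script below is an added example and not part of the original message or of OpenLDAP; it assumes only the openssl command-line tool (1.1.1 or newer) on PATH, builds a throw-away CA with two constructed user certificates, and shows which one passes the client-purpose check.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce OpenSSL's "unsupported
# certificate purpose" check with a throw-away PKI. Assumes only the openssl
# CLI (1.1.1 or newer) on PATH; every name and certificate is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Private config so the outcome does not depend on the system openssl.cnf.
cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[server_only_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
# issue_cert NAME EXT_SECTION: EC key, CSR and CA-signed certificate in $WORK.
issue_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -config "$WORK/pki.cnf" \
    -subj "/CN=$1" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/pki.cnf" -extensions "$2" \
    -out "$WORK/$1.pem" 2>/dev/null
}
# check_client NAME: the same purpose check a TLS server applies to a client
# certificate; prints "accepted" or "rejected".
check_client() {
  if openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient \
       "$WORK/$1.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/pki.cnf" \
  -extensions ca_ext -subj "/CN=Demo Root CA" -days 1 -out "$WORK/ca.pem"
issue_cert user1 client_ext        # EKU clientAuth: fine for SASL/EXTERNAL
issue_cert user2 server_only_ext   # EKU serverAuth only: wrong purpose
echo "user1: $(check_client user1)"   # accepted
echo "user2: $(check_client user2)"   # rejected
```

Run the same `openssl verify -purpose sslclient` against the working and the failing user certificate with the CA file slapd trusts; a cert that is rejected here with "unsupported certificate purpose" will be refused by the server with this alert regardless of its CN.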