I am at a loss trying to figure out why my Perl script won't talk TLS or SSL.
Firstly, the versions.

openldap 2-1.25
Net::LDAP: 0.26
IO::Socket::SSL 1.26
Perl v5.6.1

Secondly, the code.

-----------------------------------------------------------------------------------
# Setup the LDAP connection.
$ldap = Net::LDAP->new ( "$ldap_server",
                         port => '389',
                         version => 3 ) or gracefuldie("$@");
$ldap->debug(15);

$ldap_mesg = $ldap->start_tls (verify => 'none', sslversion=>'sslv3');
if ($ldap_mesg->code) {
    # There was an LDAP error.
    logprint (0, "Error trying to enable TLS.\n");
    logprint (0, "code: " . $ldap_mesg->code . "\n");
    logprint (0, "done: " . $ldap_mesg->done . "\n");
    logprint (0, "error: " . $ldap_mesg->error . "\n");
    logprint (0, "is_error: " . $ldap_mesg->is_error . "\n");
    gracefuldie ("(" . $ldap_mesg->code . "): " . $ldap_mesg->error);
}

$ldap_mesg = $ldap->bind ( $ldap_bind,
                           password => $ldap_pass,
                           version => 3 ); # use for changes/edits
if ($ldap_mesg->code) {
    # There was an LDAP error.
    logprint (0, "Error trying to bind.\n");
    logprint (0, "code: " . $ldap_mesg->code . "\n");
    logprint (0, "done: " . $ldap_mesg->done . "\n");
    logprint (0, "error: " . $ldap_mesg->error . "\n");
    logprint (0, "is_error: " . $ldap_mesg->is_error . "\n");
    gracefuldie ("(" . $ldap_mesg->code . "): " . $ldap_mesg->error);
}
-----------------------------------------------------------------------------------

I have told openldap to force TLS with the "security tls = 56" line in slapd.conf.

Here is the output from the script.

-----------------------------------------------------------------------------------
Net::LDAP=HASH(0x80fbb3c) sending:

30 1D 02 01 01 77 18 80 16 31 2E 33 2E 36 2E 31 0....w...1.3.6.1
2E 34 2E 31 2E 31 34 36 36 2E 32 30 30 33 37 __ .4.1.1466.20037

0000   29: SEQUENCE {
0002    1:   INTEGER = 1
0005   24:   [APPLICATION 23] {
0007   22:     [CONTEXT 0]
0009     :       31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 31 34 36 36 1.3.6.1.4.1.1466
0019     :       2E 32 30 30 33 37 __ __ __ __ __ __ __ __ __ __ .20037
001F     :   }
001F     : }
Net::LDAP=HASH(0x80fbb3c) received:

30 0C 02 01 01 78 07 0A 01 00 04 00 04 00 __ __ 0....x........

0000   12: SEQUENCE {
0002    1:   INTEGER = 1
0005    7:   [APPLICATION 24] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }
0: (Wed Mar 31 10:58:16 2004) Error trying to enable TLS.
0: (Wed Mar 31 10:58:16 2004) code: 1
0: (Wed Mar 31 10:58:16 2004) done: 1
0: (Wed Mar 31 10:58:16 2004) error: Operations error
0: (Wed Mar 31 10:58:16 2004) is_error: 1
FATAL ERROR: (1): Operations error
-----------------------------------------------------------------------------------

It seems to be failing at the start_tls call, but I can't understand why.

ldapsearch -ZZ -x -D <my bind> -h <my fqdn> -w <my pass> -b <my basedn> "(ObjectClass=*)" "description"

This call works fine, so I know the TLS is working OK.

I could try SSL, but I think there is something wrong with the IO::Socket::SSL package, since it does not work either.

I really don't know what else to try. I hope that someone has an idea.

-D
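
An added example, not part of the original post: a small BER decoder run over the two PDUs from the debug output above. It shows that the request is the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) and that the server's ExtendedResponse on the wire carries resultCode 0, while the script reports code 1. The function names are this example's own.

```python
# Bytes copied from the Net::LDAP debug dump in the post.
SENT = bytes.fromhex("30 1D 02 01 01 77 18 80 16 31 2E 33 2E 36 2E 31"
                     "2E 34 2E 31 2E 31 34 36 36 2E 32 30 30 33 37")
RECEIVED = bytes.fromhex("30 0C 02 01 01 78 07 0A 01 00 04 00 04 00")

def read_tlv(buf, pos=0):
    """Parse one BER TLV (single-byte tag); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_ldap_message(pdu):
    """Decode the ExtendedRequest/ExtendedResponse fields seen in the dump."""
    tag, body, end = read_tlv(pdu)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    parts = children(body)
    if len(parts) < 2 or parts[0][0] != 0x02:
        raise ValueError("missing messageID or protocolOp")
    info = {"message_id": int.from_bytes(parts[0][1], "big")}
    op_tag, fields = parts[1][0], children(parts[1][1])
    if op_tag == 0x77:         # [APPLICATION 23] ExtendedRequest
        info["op"] = "ExtendedRequest"
        info["request_name"] = dict(fields)[0x80].decode("ascii")  # [CONTEXT 0]
    elif op_tag == 0x78:       # [APPLICATION 24] ExtendedResponse
        info["op"] = "ExtendedResponse"
        info["result_code"] = int.from_bytes(fields[0][1], "big")  # ENUM
        info["diagnostic_message"] = fields[2][1].decode("utf-8")
    else:
        raise ValueError("unhandled protocolOp tag 0x%02X" % op_tag)
    return info

if __name__ == "__main__":
    print(decode_ldap_message(SENT))
    print(decode_ldap_message(RECEIVED))
```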