> On 31 Mar 2004, at 11:12, Danny Carroll wrote:
> > I am at a loss trying to figure out why my Perl script won't talk TLS
> > or SSL.
> >
> > I have told openldap to force TLS with the "security tls = 56" line in
> > slapd.conf
> > Here is the output from the script.
>
> Do you have access to the openldap server logs ? there may be something
> helpful in there.
>
I tried it on another server and it works ok, but unfortunately I need to get
it working on this server.
Could it be the old openSSL? (0.9.6)
I turned up debugging for slapd (-d -1)
This is when I did the call with Net::LDAPS->new
------------------------------------------------------
daemon: activity on 1 descriptors
daemon: new connection on 12
ldap_pvt_gethostbyname_a: host=<myserver fqdn>, r=0
str2filter "(objectclass=*)"
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
begin get_filter
PRESENT
ber_scanf fmt (m) ber:
ber_dump: buf=0x08275958 ptr=0x08275958 end=0x08275965 len=13
0000: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 ..objectclass
end get_filter 0
conn=0 fd=12 ACCEPT from IP=127.0.0.1:36524 (IP=0.0.0.0:636)
daemon: added 12r
daemon: activity on:
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7f 01 03 01 00 66 00 00 00 10 ......f....
tls_read: want=118, got=118
0000: 00 00 66 00 00 65 00 00 64 00 00 63 00 00 62 00 ..f..e..d..c..b.
0010: 00 61 00 00 60 00 00 16 00 00 15 00 00 14 00 00 .a..`...........
0020: 13 00 00 12 00 00 11 00 00 0a 00 00 09 00 00 08 ................
0030: 00 00 07 00 00 06 00 00 05 00 00 04 00 00 03 00 ................
0040: 00 1b 00 00 1a 00 00 19 00 00 18 00 00 17 08 00 ................
0050: 80 07 00 c0 06 00 40 05 00 80 03 00 80 04 00 80 ......@.........
0060: 01 00 80 02 00 80 3e 7b 27 38 1d 3e 82 1e 97 8f ......>{'8.>....
0070: 9c 27 20 f0 9a 25 .' ..%
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=915, written=915
0000: 16 03 01 00 4a 02 00 00 46 03 01 40 6a b4 16 c9 ....J...F..@j...
<SNIP!!!!!!>
0380: ad f2 bc c0 10 d9 8f 23 ec 3d 16 03 01 00 04 0e .......#.=......
0390: 00 00 00 ...
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure s3_pkt.c:1046
connection_read(12): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
daemon: removing 12
conn=0 fd=12 closed
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
--------------------------------------------------------------------
This is what happened when I did:
$ldap=Net::LDAP->new....
$ldap->start_tls....
--------------------------------------------------------------------
daemon: activity on 1 descriptors
daemon: new connection on 12
conn=3 fd=12 ACCEPT from IP=<my server IP>:36527 (IP=0.0.0.0:389)
daemon: added 12r
daemon: activity on:
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x08276bc8 ptr=0x08276bc8 end=0x08276be5 len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x08276bc8 ptr=0x08276bcb end=0x08276be5 len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=3
connection_read(12): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 16 03 00 00 5f 01 00 00 5b 03 00 ...._...[..
tls_read: want=89, got=89
0000: 40 6a b5 1c 27 25 22 a8 10 2a 19 00 8e c4 7f a0 @j..'%"..*......
0010: 1b 09 fb 22 e9 ef ab ad b5 c4 38 2b 84 8d 4b e0 ..."......8+..K.
0020: 00 00 34 00 66 00 65 00 64 00 63 00 62 00 61 00 ..4.f.e.d.c.b.a.
0030: 60 00 16 00 15 00 14 00 13 00 12 00 11 00 0a 00 `...............
0040: 09 00 08 00 07 00 06 00 05 00 04 00 03 00 1b 00 ................
0050: 1a 00 19 00 18 00 17 01 00 .........
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=915, written=915
0000: 16 03 00 00 4a 02 00 00 46 03 00 40 6a b5 1c 31 ....J...F..@j..1
<SNIP!!!!>
0380: ad f2 bc c0 10 d9 8f 23 ec 3d 16 03 00 00 04 0e .......#.=......
0390: 00 00 00 ...
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 00 00 02 .....
tls_read: want=2, got=2
0000: 02 28 .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure s3_pkt.c:1046
connection_read(12): TLS accept error error=-1 id=3, closing
connection_closing: readying conn=3 sd=12 for close
connection_close: conn=3 sd=12
daemon: removing 12
conn=3 fd=12 closed
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
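The two traces above can be read without counting hex bytes by hand. What follows is an added example written for this thread; it is not code from Danny's post, from OpenLDAP or from Net::LDAP. It reassembles the bytes from the `NNNN: xx xx ...` dump lines slapd prints after each `tls_read` and decodes the three record types that matter here: the SSLv2-format CLIENT-HELLO the LDAPS connection opens with (the `80 7f ...` read), the plain SSLv3/TLS ClientHello the StartTLS connection opens with (the `16 03 00 ...` read), and the 7-byte Alert record both connections end with. The dump text embedded at the bottom is copied from the post's two traces and is the only input the example needs; the snipped 915-byte server flight is not required.

```python
"""Decode the TLS records shown in a `slapd -d -1` trace.

Added example, not code from the original post. It reassembles the bytes from
slapd's hex-dump lines and decodes the SSLv2-format ClientHello, the SSLv3/TLS
ClientHello and the Alert record. The dump text at the bottom is copied from
the post's two traces (constructed input for this example).
"""
import re
from typing import Any, Dict

# Alert descriptions (RFC 2246, section 7.2.2); the common ones.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 51: "decrypt_error", 70: "protocol_version"}
# Dump line "0010: 00 61 ... <ascii>": at most 16 bytes per line, so the ASCII
# column can only be mistaken for hex on a short final line.
HEX_LINE = re.compile(r"^\s*[0-9a-f]{4}:((?:\s+[0-9a-f]{2}){1,16})")

def hexdump_to_bytes(dump: str) -> bytes:
    """Concatenate the hex columns of every dump line, in order."""
    out = bytearray()
    for line in dump.splitlines():
        if m := HEX_LINE.match(line):
            out.extend(int(h, 16) for h in m.group(1).split())
    return bytes(out)

def parse_sslv2_client_hello(data: bytes) -> Dict[str, Any]:
    """SSLv2-format CLIENT-HELLO: 2-byte header with the high bit set, then
    msg type 1, highest version offered, and three 2-byte lengths."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        raise ValueError("not an SSLv2-format client hello")
    length = ((data[0] & 0x7F) << 8) | data[1]
    cipher_len, sess_len, chal_len = (int.from_bytes(data[i:i + 2], "big") for i in (5, 7, 9))
    if 9 + cipher_len + sess_len + chal_len != length or len(data) < 2 + length:
        raise ValueError("truncated SSLv2 client hello")
    specs = data[11:11 + cipher_len]
    # 3-byte cipher specs; a leading 00 marks an SSLv3/TLS suite (00 xx xx).
    ciphers = [specs[i:i + 3].hex() for i in range(0, cipher_len, 3)]
    return {"kind": "sslv2_client_hello", "version": (data[3], data[4]),
            "cipher_specs": ciphers, "challenge_len": chal_len}

def parse_client_hello(hs: bytes) -> Dict[str, Any]:
    """Handshake body whose first byte is 1 (ClientHello)."""
    hlen = int.from_bytes(hs[1:4], "big")
    ch = hs[4:4 + hlen]
    if len(ch) != hlen:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # version, then 32-byte random
    sid_len = ch[pos]; pos += 1 + sid_len
    cs_len = int.from_bytes(ch[pos:pos + 2], "big"); pos += 2
    suites = [ch[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = ch[pos]; pos += 1
    return {"kind": "client_hello", "version": (ch[0], ch[1]),
            "cipher_suites": suites, "compression": list(ch[pos:pos + comp_len])}

def parse_record(data: bytes) -> Dict[str, Any]:
    """One SSLv3/TLS record (5-byte header); decodes Alert and ClientHello bodies."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, length = data[0], int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    rec: Dict[str, Any] = {"record_version": (data[1], data[2]), "length": length}
    if ctype == 21:                               # Alert
        rec.update(kind="alert", level={1: "warning", 2: "fatal"}.get(body[0], body[0]),
                   description=ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})"))
    elif ctype == 22 and body[0] == 1:            # Handshake, ClientHello
        rec.update(parse_client_hello(body))
    else:
        rec["kind"] = f"content_type_{ctype}"
    return rec

def decode_exchange(hello_dump: str, alert_dump: str) -> Dict[str, Any]:
    """Decode the client's opening hello and the alert that ended the handshake."""
    hello = hexdump_to_bytes(hello_dump)
    hello_info = parse_sslv2_client_hello(hello) if hello[0] & 0x80 else parse_record(hello)
    return {"client_hello": hello_info, "alert": parse_record(hexdump_to_bytes(alert_dump))}

# Dump lines copied from the LDAPS (port 636) trace in the post.
LDAPS_HELLO = """\
0000: 80 7f 01 03 01 00 66 00 00 00 10 ......f....
0000: 00 00 66 00 00 65 00 00 64 00 00 63 00 00 62 00 ..f..e..d..c..b.
0010: 00 61 00 00 60 00 00 16 00 00 15 00 00 14 00 00 .a..`...........
0020: 13 00 00 12 00 00 11 00 00 0a 00 00 09 00 00 08 ................
0030: 00 00 07 00 00 06 00 00 05 00 00 04 00 00 03 00 ................
0040: 00 1b 00 00 1a 00 00 19 00 00 18 00 00 17 08 00 ................
0050: 80 07 00 c0 06 00 40 05 00 80 03 00 80 04 00 80 ......@.........
0060: 01 00 80 02 00 80 3e 7b 27 38 1d 3e 82 1e 97 8f ......>{'8.>....
0070: 9c 27 20 f0 9a 25 .' ..%
"""
LDAPS_ALERT = "0000: 15 03 01 00 02 .....\n0000: 02 28 .("
# Dump lines copied from the StartTLS (port 389) trace in the post.
STARTTLS_HELLO = """\
0000: 16 03 00 00 5f 01 00 00 5b 03 00 ...._...[..
0000: 40 6a b5 1c 27 25 22 a8 10 2a 19 00 8e c4 7f a0 @j..'%"..*......
0010: 1b 09 fb 22 e9 ef ab ad b5 c4 38 2b 84 8d 4b e0 ..."......8+..K.
0020: 00 00 34 00 66 00 65 00 64 00 63 00 62 00 61 00 ..4.f.e.d.c.b.a.
0030: 60 00 16 00 15 00 14 00 13 00 12 00 11 00 0a 00 `...............
0040: 09 00 08 00 07 00 06 00 05 00 04 00 03 00 1b 00 ................
0050: 1a 00 19 00 18 00 17 01 00 .........
"""
STARTTLS_ALERT = "0000: 15 03 00 00 02 .....\n0000: 02 28 .("

if __name__ == "__main__":
    print("ldaps:   ", decode_exchange(LDAPS_HELLO, LDAPS_ALERT))
    print("starttls:", decode_exchange(STARTTLS_HELLO, STARTTLS_ALERT))
```

Run as-is, the decoder reports that the LDAPS client opened with an SSLv2-format hello offering version 3.1 and 34 cipher specs (26 SSLv3/TLS suites plus 8 SSLv2-only ones), while the StartTLS client opened with a plain SSLv3 ClientHello (version 3.0, 26 suites, null compression). In both traces the record the server reads in the `read client certificate A` state is a fatal alert with description 40 (`handshake_failure`), at the version the server had just selected, so it is the client side that abandons the handshake right after receiving the server's Certificate and ServerHelloDone. That is the piece of state worth comparing against the server where the same script works: the protocol version and the server's certificate flight, not the LDAP layer, which in the StartTLS trace had already returned success for the extended operation.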