On 31/3/04 2:15 pm, Danny Carroll <[EMAIL PROTECTED]> wrote:
>> On 31 Mar 2004, at 11:12, Danny Carroll wrote:
>>> I am at a loss trying to figure out why my perl script won't talk TLS
>>> or SSL.
>>>
>>> I have told openldap to force TLS with the "security tls = 56" line in
>>> slapd.conf
>>> Here is the output from the script.
>>
>> Do you have access to the openldap server logs ? there may be something
>> helpful in there.
>>
>
> I tried it on another server and it works ok, but unfortunately I need to get
> it working on this server.
> Could it be the old openSSL? (0.9.6)
> I turned up debugging for slapd (-d -1)
> This is when I did the call with Net::LDAPS->new
>
> ------------------------------------------------------
> daemon: activity on 1 descriptors
> daemon: new connection on 12
> ldap_pvt_gethostbyname_a: host=<myserver fqdn>, r=0
> str2filter "(objectclass=*)"
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> begin get_filter
> PRESENT
> ber_scanf fmt (m) ber:
> ber_dump: buf=0x08275958 ptr=0x08275958 end=0x08275965 len=13
> 0000: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 ..objectclass
> end get_filter 0
> conn=0 fd=12 ACCEPT from IP=127.0.0.1:36524 (IP=0.0.0.0:636)
> daemon: added 12r
> daemon: activity on:
> daemon: select: listen=6 active_threads=1 tvp=NULL
> daemon: select: listen=7 active_threads=1 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 12r
> daemon: read activity on 12
> connection_get(12)
> connection_get(12): got connid=0
> connection_read(12): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
> 0000: 80 7f 01 03 01 00 66 00 00 00 10 ......f....
> tls_read: want=118, got=118
> 0000: 00 00 66 00 00 65 00 00 64 00 00 63 00 00 62 00 ..f..e..d..c..b.
> 0010: 00 61 00 00 60 00 00 16 00 00 15 00 00 14 00 00 .a..`...........
> 0020: 13 00 00 12 00 00 11 00 00 0a 00 00 09 00 00 08 ................
> 0030: 00 00 07 00 00 06 00 00 05 00 00 04 00 00 03 00 ................
> 0040: 00 1b 00 00 1a 00 00 19 00 00 18 00 00 17 08 00 ................
> 0050: 80 07 00 c0 06 00 40 05 00 80 03 00 80 04 00 80 ......@.........
> 0060: 01 00 80 02 00 80 3e 7b 27 38 1d 3e 82 1e 97 8f ......>{'8.>....
> 0070: 9c 27 20 f0 9a 25 .' ..%
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> tls_write: want=915, written=915
> 0000: 16 03 01 00 4a 02 00 00 46 03 01 40 6a b4 16 c9 ....J...F..@j...
> <SNIP!!!!!!>
> 0380: ad f2 bc c0 10 d9 8f 23 ec 3d 16 03 01 00 04 0e .......#.=......
> 0390: 00 00 00 ...
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5 error=Resource temporarily unavailable
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> daemon: select: listen=6 active_threads=1 tvp=NULL
> daemon: select: listen=7 active_threads=1 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 12r
> daemon: read activity on 12
> connection_get(12)
> connection_get(12): got connid=0
> connection_read(12): checking for input on id=0
> tls_read: want=5, got=5
> 0000: 15 03 01 00 02 .....
> tls_read: want=2, got=2
> 0000: 02 28 .(
> TLS trace: SSL3 alert read:fatal:handshake failure
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure s3_pkt.c:1046
> connection_read(12): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=12 for close
> connection_close: conn=0 sd=12
> daemon: removing 12
> conn=0 fd=12 closed
> daemon: select: listen=6 active_threads=1 tvp=NULL
> daemon: select: listen=7 active_threads=1 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=6 active_threads=1 tvp=NULL
> daemon: select: listen=7 active_threads=1 tvp=NULL
> --------------------------------------------------------------------
>
> This is what happened when I did:
> $ldap=Net::LDAP->new....
> $ldap->start_tls....
> --------------------------------------------------------------------
> daemon: activity on 1 descriptors
> daemon: new connection on 12
> conn=3 fd=12 ACCEPT from IP=<my server IP>:36527 (IP=0.0.0.0:389)
> daemon: added 12r
> daemon: activity on:
> daemon: select: listen=6 active_threads=1 tvp=NULL
> daemon: select: listen=7 active_threads=1 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 12r
> daemon: read activity on 12
> connection_get(12)
> connection_get(12): got connid=3
> connection_read(12): checking for input on id=3
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 1d 02 01 01 77 18 80 0....w..
> ldap_read: want=23, got=23
> 0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
> 0010: 36 2e 32 30 30 33 37 6.20037
> ber_get_next: tag 0x30 len 29 contents:
> ber_dump: buf=0x08276bc8 ptr=0x08276bc8 end=0x08276be5 len=29
> 0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
> 0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
> ber_get_next
> do_extended
> ber_scanf fmt ({m) ber:
> ber_dump: buf=0x08276bc8 ptr=0x08276bcb end=0x08276be5 len=26
> 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
> 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
> do_extended: oid=1.3.6.1.4.1.1466.20037
> ldap_read: want=8 error=Resource temporarily unavailable
> ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
> send_ldap_extended: err=0 oid= len=0
> send_ldap_response: msgid=1 tag=120 err=0
> ber_flush: 14 bytes to sd 12
> 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
> daemon: select: listen=6 active_threads=1 tvp=NULL
> daemon: select: listen=7 active_threads=1 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 12r
> daemon: read activity on 12
> connection_get(12)
> connection_get(12): got connid=3
> connection_read(12): checking for input on id=3
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
> 0000: 16 03 00 00 5f 01 00 00 5b 03 00 ...._...[..
> tls_read: want=89, got=89
> 0000: 40 6a b5 1c 27 25 22 a8 10 2a 19 00 8e c4 7f a0 @j..'%"..*......
> 0010: 1b 09 fb 22 e9 ef ab ad b5 c4 38 2b 84 8d 4b e0 ..."......8+..K.
> 0020: 00 00 34 00 66 00 65 00 64 00 63 00 62 00 61 00 ..4.f.e.d.c.b.a.
> 0030: 60 00 16 00 15 00 14 00 13 00 12 00 11 00 0a 00 `...............
> 0040: 09 00 08 00 07 00 06 00 05 00 04 00 03 00 1b 00 ................
> 0050: 1a 00 19 00 18 00 17 01 00 .........
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> tls_write: want=915, written=915
> 0000: 16 03 00 00 4a 02 00 00 46 03 00 40 6a b5 1c 31 ....J...F..@j..1
> <SNIP!!!!>
> 0380: ad f2 bc c0 10 d9 8f 23 ec 3d 16 03 00 00 04 0e .......#.=......
> 0390: 00 00 00 ...
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5, got=5
> 0000: 15 03 00 00 02 .....
> tls_read: want=2, got=2
> 0000: 02 28 .(
> TLS trace: SSL3 alert read:fatal:handshake failure
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure s3_pkt.c:1046
This sounds like the basic problem. What cipher suites are supported by the
server, and what cipher suites are supported by the client library? There
seems to be a mismatch :-(
The 'openssl ciphers' program will dump out a list of cipher suites; firstly
check that binaries linked with both libssl/libcrypto libraries support an
intersecting set.
Another thing to try is the openssl command-line client against the LDAPS
port.
openssl s_client -connect hostname:636 -debug
Cheers,
Chris
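As an added example (not part of this thread), a small Python decoder for the byte dumps in the slapd trace above: it reassembles the "0000:" hex lines, lists the cipher suites the client offered in the start_tls ClientHello, and decodes the alert slapd read from the client. Suite and alert names are taken from the IANA TLS registries; the SSLv2-style hello of the first trace (leading byte 0x80) is not handled.

```python
# Decoder for the "0000: .." byte dumps in an OpenLDAP "-d -1" TLS trace.
# Added example for this thread; the sample bytes are copied from the trace above.
import re

# Second trace: SSLv3 record carrying the start_tls ClientHello (11 + 89 bytes).
CLIENT_HELLO_V3 = """
0000: 16 03 00 00 5f 01 00 00 5b 03 00 ...._...[..
0000: 40 6a b5 1c 27 25 22 a8 10 2a 19 00 8e c4 7f a0 @j..'%"..*......
0010: 1b 09 fb 22 e9 ef ab ad b5 c4 38 2b 84 8d 4b e0 ..."......8+..K.
0020: 00 00 34 00 66 00 65 00 64 00 63 00 62 00 61 00 ..4.f.e.d.c.b.a.
0030: 60 00 16 00 15 00 14 00 13 00 12 00 11 00 0a 00 `...............
0040: 09 00 08 00 07 00 06 00 05 00 04 00 03 00 1b 00 ................
0050: 1a 00 19 00 18 00 17 01 00 .........
"""
# The alert slapd then reads (5-byte record header + 2-byte alert body).
ALERT = "0000: 15 03 00 00 02 .....\n0000: 02 28 .("

HEX_LINE = re.compile(r"^[0-9a-f]{4}:((?: [0-9a-f]{2})+)", re.M)

def dump_to_bytes(dump):
    """Join the hex columns of consecutive 'offset: bytes ascii' lines."""
    return bytes.fromhex("".join(m.group(1) for m in HEX_LINE.finditer(dump)))

SUITE_NAMES = {  # IANA names for some suites in the list; others are shown raw
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
}

def parse_client_hello(rec):
    """Decode an SSLv3/TLS record holding a ClientHello -> (version, suite list)."""
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a handshake/ClientHello record"
    ver = (rec[9], rec[10])            # client_version (3,0)=SSLv3, (3,1)=TLS 1.0
    p = 11 + 32                        # skip the 32-byte random
    p += 1 + rec[p]                    # length-prefixed session_id
    n = int.from_bytes(rec[p:p + 2], "big"); p += 2
    return ver, [int.from_bytes(rec[i:i + 2], "big") for i in range(p, p + n, 2)]

ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

def parse_alert(rec):
    """Decode an alert record -> (level, description) as text."""
    assert rec[0] == 0x15 and rec[3:5] == b"\x00\x02", "not a 2-byte alert record"
    return {1: "warning", 2: "fatal"}[rec[5]], ALERT_DESC.get(rec[6], f"alert({rec[6]})")

if __name__ == "__main__":
    ver, suites = parse_client_hello(dump_to_bytes(CLIENT_HELLO_V3))
    print(f"ClientHello version {ver[0]}.{ver[1]} offers {len(suites)} suites:")
    for s in suites:
        print(f"  0x{s:04x} {SUITE_NAMES.get(s, '')}")
    # "SSL3 alert read" means slapd received this alert: the client gave up
    # after seeing the server's certificate and ServerHelloDone.
    print("client alert:", parse_alert(dump_to_bytes(ALERT)))
```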