Paul,

Check the permissions and ownership of your certificates and the directory containing them. Also check that there are no typos in your capath.

I'm using start_tls without a problem. Here's an example of my code in a subroutine. Since I don't know if the server(s) in @servers are ldap://host.example.com or ldaps://host.example.com, I check the scheme and then start_tls if the server is of the form ldap://host.example.com.

Prentice

use Net::LDAP;

sub ldap_connect {
    my $description = $_[0];
    my $cacertfile  = $_[1];
    my $debug       = $_[2];
    my @servers     = $_[3];   # a host/URI, or a reference to an array of them
    my $ldap;
    my $mesg;
    my $scheme;
    my $code;
    my $error;

    if ($debug) { print "Connecting to $description\n"; }
    $ldap = Net::LDAP->new(@servers);
    if ($ldap) {
        if ($debug) { print "Connected to $description\n"; }
        $scheme = $ldap->scheme;
        # If scheme != 'ldaps', Start TLS. Fail if we can't.
        if ($scheme ne 'ldaps') {
            $mesg = $ldap->start_tls(verify => 'require', cafile => $cacertfile);
            $code = $mesg->code;
            if ($code == 0) {
                if ($debug) { print "Started TLS on $description\n"; }
            } else {
                $error = $mesg->error;
                print "$error\n";
                print "Error: Could not start TLS for $description\n";
                $ldap->unbind;
                return(undef);
            }
        } else {
            if ($debug) { print "TLS already started for $description\n"; }
        }
        return($ldap);
    } else {
        print "Error: Could not connect to $description\n";
        return(undef);
    }
}

Paul Liu wrote:
> Hi, thanks for the info. I still have the same error with LDAPS instead of
> TLS. The behaviour is the same too, it works if I don't require verification,
> but fails if I do.
>
> -----Original Message-----
> From: Dieter Kluenter [mailto:die...@dkluenter.de]
> Sent: July-13-10 2:38 AM
> To: perl-ldap@perl.org
> Subject: Re: Having trouble with TLS and server verification
>
> Paul Liu <paul_...@kanetix.ca> writes:
>
>> Hi,
>>
>> I'm trying to use Net::LDAP to do LDAPS authentication against my Server
>> 2008 Active Directory and I'm having a hard time getting server verification
>> to work.
>>
>> So far, my (super simple) code works if I use verify => none in start_tls,
>> but as soon as I set it to "require" or "optional", I get this error:
>>
>> SSL connect attempt failed with unknown error error:0D0C50A1:asn1 encoding
>> routines:ASN1_item_verify:unknown message digest algorithm at ./ldap.pl line
>> 23, line 522.
>>
>> When I test from the command line using Openssl s_client it works okay, so I
>> don't think it's an OpenSSL problem. But I'm kind of a noob with Perl, so
>> I'm not sure what else to debug next.
>>
>> Here's the relevant code snippet:
>>
>> #!/usr/bin/perl
>> use Net::LDAP;
>>
>> $ldap = Net::LDAP->new('ho.mydomain.com',
>> ) or die "LDAP error";
>> $mesg = $ldap->start_tls(
>>     sslversion => 'tlsv1',
>>     verify     => 'require',
>>     capath     => '/etc/ssl/certs/',
>> );
>> die $mesg->error if $mesg->is_error;
>>
>> All the certs in the chain are signed with SHA512RSA. Also the CA Cert is
>> 4096 bits and the server certs I am checking are all 2048 bits. I thought I
>> might be missing a module or something, but I am pretty sure I have all the
>> prerequisites installed, including Digest::SHA, Digest::HMAC and
>> IO::Socket::SSL. I'm kind of stuck. Has anyone ever had this problem before?
>> I'm working with Perl 5.10 on SLES 11 SP1. My OpenSSL version is 0.9.8h.
>
> start_tls is an extended operation on port 389 and ldap uri, use port
> 636 and ldaps uri.
>
> -Dieter
>

--
Prentice Bisbal
Linux Software Support Specialist/System Administrator
School of Natural Sciences
Institute for Advanced Study
Princeton, NJ
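Added example, not part of any message in this thread: a helper written for this reply that covers both URI forms discussed above, passing the verification options to Net::LDAP->new for ldaps:// (Net::LDAP's default verify mode is 'none', so an ldaps:// session is otherwise left unverified) and to start_tls for ldap://, after first checking that the CA file exists and is readable, as Prentice suggests. The server URIs and CA path are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Hypothetical helper (added example): connect to the first reachable server
# in @servers and only return a handle once the server certificate has been
# verified against $cafile, whether the URI is ldap:// (StartTLS on 389) or
# ldaps:// (TLS from the start on 636).
sub ldap_connect_verified {
    my ($cafile, @servers) = @_;

    # Fail early on the mistakes that are easiest to overlook: the CA file
    # must exist and be readable by the user actually running the script.
    die "CA file '$cafile' does not exist\n"                 unless -e $cafile;
    die "CA file '$cafile' is not readable by uid $<\n"      unless -r $cafile;

    # For ldaps:// URIs these options go to IO::Socket::SSL at connect time;
    # for ldap:// URIs they are ignored here and applied by start_tls below.
    my $ldap = Net::LDAP->new(\@servers,
        verify => 'require',
        cafile => $cafile,
    ) or die "Could not connect to any of @servers: $@\n";

    if ($ldap->scheme ne 'ldaps') {
        my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
        if ($mesg->code) {
            my $err = $mesg->error;
            $ldap->unbind;
            die "StartTLS failed for " . $ldap->uri . ": $err\n";
        }
    }
    return $ldap;
}

# Placeholder URIs and CA file; replace with your own.
my $ldap = ldap_connect_verified('/etc/ssl/certs/my-ca.pem',
    'ldap://host.example.com', 'ldaps://host.example.com');
print "Verified TLS session with ", $ldap->uri, "\n";
$ldap->unbind;
```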