No appropriate error message ("rlm_ldap: could not start TLS Connect error")
Linus van Geuns
vangeuns at atis.uka.de
Fri Sep 23 01:24:03 CEST 2005
Hi!
I've tried to establish a TLS-secured connection between
freeradius-1.0.1-3 (Red Hat Enterprise Linux 4) and an OpenLDAP server. I
tried every combination of tls_mode, start_tls and tls_require_cert, but
I never got more than this error:
(/etc/raddb/radiusd.conf)
-------------------8<----------------------------------------
ldap {
server = "MYLDAPSERVER.ira.uka.de"
port = 389
identity = "uid=MYUSERNAME, ou=MYUNIT, dc=ira, dc=uka, dc=de"
password = MYPASSWORD
basedn = "ou=MYUNIT,dc=ira,dc=uka,dc=de"
filter = "(uid=MYPREFIX-%u)"
start_tls = yes
tls_mode = no
tls_cacertdir = /etc/raddb/cacerts/
tls_require_cert = demand
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# No useful error msg w/o 0xffff
ldap_debug = 0xffff
}
-------------------8<----------------------------------------
(/var/log/radius/radius.log)
-------------------8<----------------------------------------
Error: rlm_ldap: could not start TLS Connect error
Error: rlm_ldap: (re)connection attempt failed
-------------------8<----------------------------------------
The problem was:
(/usr/sbin/radiusd -X)
-------------------8<----------------------------------------
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/emailAddress=MYCA@MYSERVER.PRI, issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/emailAddress=MYCA@MYSERVER.PRI
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Germany/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS/CN=MYLDAPSERVER.ira.uni-karlsruhe.de/emailAddress=MYMAIL@MYSERVER.PRI, issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/emailAddress=MYMAIL@MYSERVER.PRI
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).
rlm_ldap: ldap_start_tls_s()
ldap_err2string
rlm_ldap: could not start TLS Connect error
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
-------------------8<----------------------------------------
The important one is:
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).
MYLDAPSERVER.ira.uka.de is an alias for
MYLDAPSERVER.ira.uni-karlsruhe.de (hostname used in the certificate).
After I set
server = MYLDAPSERVER.ira.uni-karlsruhe.de
in my radiusd.conf the TLS connection worked without any problem.
Maybe this mail will save someone the amount of time I had to waste
figuring it out... :-/
_And_ maybe this mail inspires some of the developers to report the
appropriate error message instead of "rlm_ldap: could not start TLS
Connect error".
Linus van Geuns.
PS:
Every certificate of a certificate authority in <tls_cacertdir> needs
to be accessible by its OpenSSL hash as filename. This can be achieved
as follows:
In <tls_cacertdir> run:
-------------------8<----------------------------------------
CERT=CACERTFILENAME; ln -s "${CERT}" "$(openssl x509 -noout -hash -in "${CERT}").0"
-------------------8<----------------------------------------
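As an added example (not code from the post above, nor from FreeRADIUS or OpenLDAP), the following POSIX shell script reproduces the two things this mail is about, offline and against a self-signed certificate it generates itself: the hostname-versus-certificate comparison that libldap performed and hid behind "could not start TLS Connect error", and the hash-named CA directory from the PS. It assumes only that `openssl` 1.1.1 or newer is on the PATH. The certificate contents are constructed test data (the university's real certificate is not used), and the helper names (`cert_names`, `name_matches`, `make_test_cert`, `rehash_cadir`, `verify_with_cadir`) are this example's own. It goes one step beyond the 2005 log by also accepting subjectAltName DNS entries and a single leftmost wildcard label, which is how current TLS clients match names.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeRADIUS/OpenLDAP.
# Assumes only that `openssl` (1.1.1 or newer, for -addext/-ext) is in PATH.
# Runs offline against a self-signed certificate generated on the fly
# (constructed test data). Two things the post had to discover the hard way:
#  1. the name in `server =` is compared against the certificate's names;
#     a CNAME alias of the right host is still a mismatch;
#  2. tls_cacertdir is looked up by subject hash, so every CA file needs a
#     <hash>.N link (the PS), or verification finds no trusted CA at all.

# cert_names CERTFILE: print the subject CN and every DNS SAN, one per line
cert_names() {
    openssl x509 -noout -subject -nameopt RFC2253,sep_multiline -in "$1" \
        | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p'
    openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# name_matches HOSTNAME CERTFILE: exit 0 if the certificate covers HOSTNAME.
# Exact, case-insensitive match on CN or DNS SAN, plus one leftmost wildcard
# label ("*.ira.uni-karlsruhe.de" covers "ldap.ira.uni-karlsruhe.de" only).
# Body runs in a subshell so `set -f` (no glob expansion of "*.x") stays local.
name_matches() (
    set -f
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    parent=${host#*.}
    for n in $(cert_names "$2" | tr 'A-Z' 'a-z'); do
        [ "$n" = "$host" ] && return 0
        case $n in
            \*.*) [ "$host" != "$parent" ] && [ "${n#\*.}" = "$parent" ] && return 0 ;;
        esac
    done
    return 1
)

# make_test_cert OUTFILE CN [DNS-SAN ...]: self-signed cert + key, constructed
# test data for this example. A real server cert would be CA-issued, but the
# name comparison is the same either way.
make_test_cert() {
    out=$1; cn=$2; shift 2
    san=
    for d in "$@"; do san="${san:+$san,}DNS:$d"; done
    if [ -n "$san" ]; then set -- -addext "subjectAltName=$san"; else set --; fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "${out%.pem}.key" -out "$out" "$@" >/dev/null 2>&1
}

# rehash_cadir DIR: give every CA file in DIR the <subject-hash>.N name that
# OpenSSL's -CApath lookup (and hence tls_cacertdir) requires. This is what
# the one-liner in the PS does for a single file; `openssl rehash` / c_rehash
# do the same on newer systems. Run once; it does not dedupe existing links.
rehash_cadir() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -noout -hash -in "$f")
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        ln -s "${f##*/}" "$dir/$h.$i"
    done
}

# verify_with_cadir DIR CERTFILE: exit 0 if CERTFILE chains to a CA in DIR
# (only DIR is consulted; the system CA file is deliberately excluded).
verify_with_cadir() {
    openssl verify -CApath "$1" -no-CAfile "$2" >/dev/null 2>&1
}

main() {
    tmp=$(mktemp -d)
    cert=$tmp/ldap.pem
    # Same situation as in the post: the certificate carries the canonical
    # name, radiusd.conf points at the alias.
    make_test_cert "$cert" MYLDAPSERVER.ira.uni-karlsruhe.de
    for name in MYLDAPSERVER.ira.uka.de MYLDAPSERVER.ira.uni-karlsruhe.de; do
        if name_matches "$name" "$cert"; then
            echo "$name: matches the certificate, TLS would proceed"
        else
            echo "$name: does not match CN/SAN, libldap aborts START_TLS"
        fi
    done
    # The PS: a CA directory is useless to OpenSSL until the hash links exist.
    mkdir "$tmp/cacerts"; cp "$cert" "$tmp/cacerts/"
    verify_with_cadir "$tmp/cacerts" "$cert" || echo "before rehash: no trusted CA found"
    rehash_cadir "$tmp/cacerts"
    verify_with_cadir "$tmp/cacerts" "$cert" && echo "after rehash: verify OK"
    rm -rf "$tmp"
}

main "$@"
```

Against a live server the same comparison can be watched with recent OpenSSL's `openssl s_client -connect MYLDAPSERVER.ira.uka.de:389 -starttls ldap -CApath /etc/raddb/cacerts -verify_hostname MYLDAPSERVER.ira.uka.de`, which reports the name mismatch directly instead of a generic connect error. The right fix is the one the post made (point `server =` at the name the certificate actually carries, or reissue the certificate with the alias as a subjectAltName); lowering `tls_require_cert` to `allow` or `never` makes the error go away by disabling the only check that stops a spoofed LDAP server from collecting the RADIUS bind credentials.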