re: Problem on freeradius+openldap+tls

Hangjun He elmerhe at yahoo.com.cn
Mon Jun 25 14:48:52 CEST 2007


When I use ldapsearch -H ldaps://localhost/.. I can get the correct record.

debug info:
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=12
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 45 contents:
ber_get_next
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=admin,dc=aehve,dc=com>
<<< dnPrettyNormal: <cn=admin,dc=aehve,dc=com>, <cn=admin,dc=aehve,dc=com>do_bind: version=3 dn="cn=admin,dc=aehve,dc=com" method=128
do_bind: v3 bind: "cn=admin,dc=aehve,dc=com" to "cn=admin,dc=aehve,dc=com"send_ldap_result: conn=12 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 73 contents:
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <cn=hlin,ou=People,dc=aehve,dc=com>
<<< dnPrettyNormal: <cn=hlin,ou=People,dc=aehve,dc=com>, <cn=hlin,ou=people,dc=aehve,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> bdb_search
bdb_dn2entry("cn=hlin,ou=people,dc=aehve,dc=com")
search_candidates: base="cn=hlin,ou=people,dc=aehve,dc=com" (0x0000000b) scope=2
=> bdb_dn2idl("cn=hlin,ou=people,dc=aehve,dc=com")
<= bdb_dn2idl: id=1 first=11 last=11
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=1 first=11 last=11
=> send_search_entry: conn 12 dn="cn=hlin,ou=People,dc=aehve,dc=com"
ber_flush: 188 bytes to sd 11
<= send_search_entry: conn 12 exit.
send_ldap_result: conn=12 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=12 sd=11 for close
connection_resched: attempting closing conn=12 sd=11
connection_close: conn=12 sd=11
TLS trace: SSL3 alert write:warning:close notify
   
   
When I use freeradius on the same host:
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Success)
connection_closing: readying conn=11 sd=11 for close
connection_close: deferring conn=11 sd=11
do_unbind
connection_resched: attempting closing conn=11 sd=11
connection_close: conn=11 sd=11
TLS trace: SSL3 alert write:warning:close notify
   
  

Hangjun He <elmerhe at yahoo.com.cn> wrote:
freeradius version 1.1.6
openldap version 2.3.23
openssl version 0.9.7g

Hangjun He <elmerhe at yahoo.com.cn> wrote:
hi,
freeradius with openldap is OK when using cleartext communication.
Now I want to use TLS.

openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem shows that the cacert/cert/key are correct.

But when I use freeradius with TLS, errors pop up:

freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat:  '(uid=hwang)'
radius_xlat:  'ou=People,dc=aerohive,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
   
   
openldap error:
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=902, written=902                               ......
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 2a                                              .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052
connection_read(11): TLS accept failure error=-1 id=5, closing
connection_closing: readying conn=5 sd=11 for close
connection_close: conn=5 sd=11
daemon: removing 11
   
   
When I use freeradius on the same host as openldap, there are other errors:
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=11
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
   
   
partial configuration in slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
TLSVerifyClient try
   
Can anyone tell me why this is? Is there anything wrong with my configuration file?

Thanks!
John
   
   
   
   
   
    
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
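An added example, not from this thread nor from the FreeRADIUS or OpenLDAP projects: a small Python classifier that reads the kind of slapd TLS trace quoted above and reports whether a client certificate was presented, whether the handshake completed, and which side sent a fatal alert (OpenSSL logs an alert it received as 'alert read' and one it sent as 'alert write'). The embedded traces are abridged, constructed copies of the ldapsearch and rlm_ldap traces in this thread.

```python
import re
# Constructed, abridged excerpts of two slapd -d traces quoted in this thread
# (handshake lines only): sample input, not full captures.
TRACE_LDAPSEARCH = """\
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(11): unable to get TLS client DN, error=49 id=12
"""
TRACE_RLM_LDAP = """\
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
"""
# OpenSSL trace convention: 'alert read' was received from the peer,
# 'alert write' was sent by slapd itself.
ALERT_RE = re.compile(r"SSL3 alert (read|write):fatal:(.+)$")

def classify_tls_trace(text):
    s = {"client_cert_presented": False, "handshake_completed": False,
         "no_client_dn": False, "fatal_alert": None}  # (sender, description)
    for line in text.splitlines():
        # Only the plain 'read client certificate' state means a cert arrived;
        # 'error in ...' is OpenSSL waiting for more input, not a failure.
        if "SSL_accept:SSLv3 read client certificate A" in line:
            s["client_cert_presented"] = True
        if "SSL_accept:SSLv3 write finished A" in line:
            s["handshake_completed"] = True
        if "unable to get TLS client DN" in line:
            s["no_client_dn"] = True  # no cert for SASL EXTERNAL; harmless with 'try'
        m = ALERT_RE.search(line)
        if m:
            sender = "client" if m.group(1) == "read" else "server"
            s["fatal_alert"] = (sender, m.group(2).strip())
    return s

def diagnose(text):
    s = classify_tls_trace(text)
    if s["fatal_alert"] and s["fatal_alert"][0] == "client":
        return ("client sent fatal '%s' right after the server certificate: "
                "its verification of the server certificate failed" % s["fatal_alert"][1])
    if s["handshake_completed"]:
        return "handshake completed" + ("" if s["client_cert_presented"] else
               " without a client certificate; 'unable to get TLS client DN' is expected, not fatal")
    return "handshake did not complete and no fatal alert was recorded"
```

Run diagnose() over a full slapd -d trace to see, per connection, whether the abort came from the LDAP client or from slapd before comparing the two sides' certificate settings.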

 		