You are looking in the wrong place. Your problem is not with the server but client (certificate). Ivan Kalik Kalik Informatika ISP Dana 25/6/2007, "Hangjun He" <elmerhe@yahoo.com.cn> piše:
when I use ldapsearch -H ldaps://localhost/..I can get correct record.
debug info: connection_get(11): got connid=12 connection_read(11): checking for input on id=12 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(11): got connid=12 connection_read(11): checking for input on id=12 TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data connection_read(11): unable to get TLS client DN, error=49 id=12 connection_get(11): got connid=12 connection_read(11): checking for input on id=12 ber_get_next ber_get_next: tag 0x30 len 45 contents: ber_get_next do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber:
dnPrettyNormal: <cn=admin,dc=aehve,dc=com> <<< dnPrettyNormal: <cn=admin,dc=aehve,dc=com>, <cn=admin,dc=aehve,dc=com>do_bind: version=3 dn="cn=admin,dc=aehve,dc=com" method=128 do_bind: v3 bind: "cn=admin,dc=aehve,dc=com" to "cn=admin,dc=aehve,dc=com"send_ldap_result: conn=12 op=0 p=3 send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 11 connection_get(11): got connid=12 connection_read(11): checking for input on id=12 ber_get_next ber_get_next: tag 0x30 len 73 contents: ber_get_next do_search ber_scanf fmt ({miiiib) ber: dnPrettyNormal: <cn=hlin,ou=People,dc=aehve,dc=com> <<< dnPrettyNormal: <cn=hlin,ou=People,dc=aehve,dc=com>, <cn=hlin,ou=people,dc=aehve,dc=com> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: => bdb_search bdb_dn2entry("cn=hlin,ou=people,dc=aehve,dc=com") search_candidates: base="cn=hlin,ou=people,dc=aehve,dc=com" (0x0000000b) scope=2 => bdb_dn2idl("cn=hlin,ou=people,dc=aehve,dc=com") <= bdb_dn2idl: id=1 first=11 last=11 => bdb_presence_candidates (objectClass) bdb_search_candidates: id=1 first=11 last=11 => send_search_entry: conn 12 dn="cn=hlin,ou=People,dc=aehve,dc=com" ber_flush: 188 bytes to sd 11 <= send_search_entry: conn 12 exit. send_ldap_result: conn=12 op=1 p=3 send_ldap_response: msgid=2 tag=101 err=0 ber_flush: 14 bytes to sd 11 connection_get(11): got connid=12 connection_read(11): checking for input on id=12 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next do_unbind connection_closing: readying conn=12 sd=11 for close connection_resched: attempting closing conn=12 sd=11 connection_close: conn=12 sd=11 TLS trace: SSL3 alert write:warning:close notify
when I use freeradius in the same host: do_extended ber_scanf fmt ({m) ber: send_ldap_extended: err=0 oid= len=0 send_ldap_response: msgid=1 tag=120 err=0 ber_flush: 14 bytes to sd 11 connection_get(11): got connid=11 connection_read(11): checking for input on id=11 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(11): got connid=11 connection_read(11): checking for input on id=11 TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data connection_read(11): unable to get TLS client DN, error=49 id=11 connection_get(11): got connid=11 connection_read(11): checking for input on id=11 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next TLS trace: SSL3 alert read:warning:close notify ber_get_next on fd 11 failed errno=0 (Success) connection_closing: readying conn=11 sd=11 for close connection_close: deferring conn=11 sd=11 do_unbind connection_resched: attempting closing conn=11 sd=11 connection_close: conn=11 sd=11 TLS trace: SSL3 alert write:warning:close notify
Hangjun He <elmerhe@yahoo.com.cn> Đ´ľŔŁş freeradius version 1.1.6 openldap version 2.3.23 opensll verson 0.9.7g
Hangjun He <elmerhe@yahoo.com.cn> Đ´ľŔŁş hi, freeradis with openldap is OK when use cleartext communication. Now I want to use tls.
openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem show the cacert /cert/key is correct.
But when I use freeradis with tls, errors pup up:
freeradius error: rlm_ldap: - authorize rlm_ldap: performing user authorization for hwang radius_xlat: '(uid=hwang)' radius_xlat: 'ou=People,dc=aerohive,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: ldap_start_tls_s() rlm_ldap: could not start TLS Connect error rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0
openldap error: TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A tls_write: want=902, written=902 ...... TLS trace: SSL_accept:SSLv3 flush data tls_read: want=5, got=5 0000: 15 03 01 00 02 ..... tls_read: want=2, got=2 0000: 02 2a .* TLS trace: SSL3 alert read:fatal:bad certificate TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052 connection_read(11): TLS accept failure error=-1 id=5, closing connection_closing: readying conn=5 sd=11 for close connection_close: conn=5 sd=11 daemon: removing 11
When I use freeradius in the same host with openldap, There are other errors: connection_get(10) connection_get(10): got connid=11 connection_read(10): checking for input on id=11 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write certificate request A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(10) connection_get(10): got connid=11 connection_read(10): checking for input on id=11 TLS trace: SSL_accept:SSLv3 read client certificate A TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data connection_read(10): unable to get TLS client DN, error=49 id=11 connection_get(10) connection_get(10): got connid=11 connection_read(10): checking for input on id=11 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next TLS trace: SSL3 alert read:warning:close notify
partly configuration in slapd.conf: TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem TLSVerifyClient try
Can anyone tell me why it is? Anything wrong with my configure file.
Thanks! John
--------------------------------- ÇŔעŃĹť˘ĂâˇŃÓĘĎä3.5GČÝÁżŁŹ20M¸˝źţŁĄ
--------------------------------- ÇŔעŃĹť˘ĂâˇŃÓĘĎä-3.5GČÝÁżŁŹ20M¸˝źţŁĄ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--------------------------------- ŃĹť˘ĂâˇŃÓĘĎä-3.5GČÝÁżŁŹ20M¸˝źţ