Problem on freeradius+openldap+tls

Hangjun He elmerhe at yahoo.com.cn
Mon Jun 25 10:38:21 CEST 2007


hi,
freeradius with openldap is OK when using cleartext communication.
Now I want to use TLS.

openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem shows the cacert/cert/key is correct.

But when I use freeradius with TLS, errors pop up:

freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat:  '(uid=hwang)'
radius_xlat:  'ou=People,dc=aerohive,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

openldap error:
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=902, written=902                               ......
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 2a                                              .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052
connection_read(11): TLS accept failure error=-1 id=5, closing
connection_closing: readying conn=5 sd=11 for close
connection_close: conn=5 sd=11
daemon: removing 11

When I use freeradius on the same host as openldap, there are other errors:
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=11
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify

Part of the configuration in slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
TLSVerifyClient try

Can anyone tell me why this is? Is anything wrong with my configuration file?

Thanks!
John
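The two hex-dump lines in the slapd trace (`15 03 01 00 02` followed by `02 2a`) are the raw TLS alert record that slapd read from the peer, and decoding them by hand is a quick way to tell which side rejected which certificate. The script below is an added example written for this thread, not code from the original post, OpenLDAP or FreeRADIUS; the dump lines are copied from the trace above, and the record-type, alert-level and alert-description tables are the values defined in the TLS specification (RFC 5246).

```python
# Decode the TLS alert record bytes that slapd prints in its "TLS trace" output.
# Added example for this thread; not from the original post, OpenLDAP or FreeRADIUS.
from dataclasses import dataclass

# TLS record-layer content types (RFC 5246 section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Record-layer protocol versions
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Alert levels and descriptions (RFC 5246 section 7.2)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}


@dataclass
class TlsAlert:
    version: str
    level: str
    description: str

    def summary(self) -> str:
        return f"{self.version} alert {self.level}:{self.description}"


def parse_hex_dump(lines):
    """Turn slapd's '0000:  15 03 01 00 02   .....' dump lines into bytes.
    Only the hex columns between the offset and the ASCII gutter are used."""
    out = bytearray()
    for line in lines:
        _, _, rest = line.partition(":")
        # the hex column ends at the first run of two or more spaces (the ASCII gutter)
        hex_part = rest.strip().split("  ")[0]
        out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)


def parse_tls_record(data: bytes):
    """Parse one TLS record header and return (content_type, version, payload).
    Raises ValueError when the record is truncated rather than guessing."""
    if len(data) < 5:
        raise ValueError(f"record header needs 5 bytes, got {len(data)}")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    payload = data[5:5 + length]
    if len(payload) < length:
        raise ValueError(f"record truncated: header says {length} bytes, have {len(payload)}")
    return (CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            VERSIONS.get((major, minor), f"{major}.{minor}"),
            payload)


def decode_alert(data: bytes) -> TlsAlert:
    """Decode a complete alert record (5-byte header + 2-byte level/description)."""
    ctype, version, payload = parse_tls_record(data)
    if ctype != "alert":
        raise ValueError(f"not an alert record: {ctype}")
    if len(payload) != 2:
        raise ValueError(f"alert body must be 2 bytes, got {len(payload)}")
    level, desc = payload
    return TlsAlert(version,
                    ALERT_LEVELS.get(level, f"unknown({level})"),
                    ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"))


# Constructed input: the two dump lines copied from the slapd trace in this thread
TRACE_LINES = [
    "  0000:  15 03 01 00 02                                     .....",
    "  0000:  02 2a                                              .*",
]


def decode_trace(lines=TRACE_LINES) -> TlsAlert:
    return decode_alert(parse_hex_dump(lines))


if __name__ == "__main__":
    alert = decode_trace()
    print(alert.summary())
    # slapd logs this as "alert read", so the alert was *received*: the LDAP client
    # (rlm_ldap's libldap) rejected the certificate slapd presented.
```

Running it prints `TLSv1.0 alert fatal:bad_certificate`. Because slapd reports it as `SSL3 alert read`, the alert came from the peer, so it is the rlm_ldap side refusing the server certificate it was sent on port 389 via StartTLS (note the `openssl s_client` check above was against port 636, not the 389 StartTLS path rlm_ldap actually uses). The later `unable to get TLS client DN` line is the other direction: slapd could not extract a DN from a client certificate, which with `TLSVerifyClient try` is the expected outcome when the client presents none.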