re: Problem on freeradius+openldap+tls
Hangjun He
elmerhe at yahoo.com.cn
Mon Jun 25 13:51:29 CEST 2007
freeradius version 1.1.6
openldap version 2.3.23
openssl version 0.9.7g
Hangjun He <elmerhe at yahoo.com.cn> wrote:
hi,
freeradius with openldap is OK when using cleartext communication.
Now I want to use TLS.
openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem shows the cacert/cert/key are correct.
But when I use freeradius with TLS, errors pop up:
freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat: '(uid=hwang)'
radius_xlat: 'ou=People,dc=aerohive,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
openldap error:
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=902, written=902 ......
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 2a .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052
connection_read(11): TLS accept failure error=-1 id=5, closing
connection_closing: readying conn=5 sd=11 for close
connection_close: conn=5 sd=11
daemon: removing 11
When I use freeradius on the same host as openldap, there are other errors:
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=11
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
part of the configuration in slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
TLSVerifyClient try
Can anyone tell me why this is? Is anything wrong with my configuration file?
Thanks!
John
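The slapd trace in the first log prints the raw bytes it read just before "SSL3 alert read:fatal:bad certificate". Decoding those bytes shows exactly what happened: the server (slapd) *read* the alert, so the client side (rlm_ldap through libldap) sent it, and a bad_certificate alert names the certificate presented to the sender, i.e. slapd's own server certificate as seen by the client configured with "TLS Require Cert ... demand". The OpenSSL error code in the same log (0x14094412) encodes the same alert. The following decoder is an added example for this thread, not code from the original post or from FreeRADIUS/OpenLDAP; it assumes the two tls_read dumps are the 5-byte TLS record header followed by the 2-byte alert body, and the dump lines are constructed copies of the ones in the log.

```python
import re

# TLS record-layer content types (RFC 2246 section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}

# Alert levels and the descriptions most relevant to certificate problems
# (RFC 2246 section 7.2); unknown values are reported numerically
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error",
}

# OpenSSL reports a received alert N as reason code 1000 + N
SSL_AD_REASON_OFFSET = 1000
ERR_LIB_SSL = 0x14

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexdump_line(line):
    """Extract the bytes from one slapd dump line ('0000: 15 03 01 00 02 .....').
    The offset before the colon and the ASCII column after the hex bytes are dropped."""
    _, _, rest = line.partition(":")
    out = bytearray()
    for tok in rest.split():
        if not HEX_BYTE.match(tok):
            break  # first non-hex token starts the ASCII column
        out.append(int(tok, 16))
    return bytes(out)


def decode_tls_record(data):
    """Decode a TLS record header and, for alert records, the alert body."""
    if len(data) < 5:
        raise ValueError("TLS record header needs 5 bytes")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    record = {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
        "length": length,
    }
    if ctype == 21 and len(body) >= 2:
        record["alert_level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        record["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return record


def decode_slapd_dump(lines):
    """Join consecutive slapd tls_read dumps into one record and decode it."""
    return decode_tls_record(b"".join(parse_hexdump_line(l) for l in lines))


def decode_openssl_error(code):
    """Split a pre-3.0 OpenSSL error code into lib:func:reason and, when the
    reason encodes a received alert, name that alert."""
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason, "alert_description": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result["alert_description"] = ALERT_DESCRIPTIONS.get(alert, "unknown(%d)" % alert)
    return result


def explain(record, read_by):
    """An alert read by one peer was sent by the other peer; a bad_certificate
    alert therefore concerns the certificate that was presented to the sender."""
    if record.get("content_type") != "alert":
        return None
    sender = "client" if read_by == "server" else "server"
    receiver = read_by
    text = "%s sent %s %s" % (sender, record["alert_level"], record["alert_description"])
    if record["alert_description"] == "bad_certificate":
        text += ": the %s rejected the certificate the %s presented" % (sender, receiver)
    return text


# Constructed copies of the two tls_read dump lines in the thread's slapd log
SLAPD_DUMP = ["0000: 15 03 01 00 02 .....", "0000: 02 2a .*"]

if __name__ == "__main__":
    rec = decode_slapd_dump(SLAPD_DUMP)
    print(rec)
    print(explain(rec, read_by="server"))
    print(decode_openssl_error(0x14094412))
```

Run stand-alone, the script reports a fatal bad_certificate alert in a TLS 1.0 record, sent by the client, and the OpenSSL code decodes to lib 0x14 (SSL), function 0x94 (SSL3_READ_BYTES), reason 1042, i.e. the same alert. That points the investigation at how libldap on the FreeRADIUS side validates slapd's certificate (the CA file it is given and the name it connects to, here 127.0.0.1) rather than at slapd's key or certificate files, which s_client already validated against the same CA.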