Re: Problem on freeradius+openldap+tls

tnt at kalik.co.yu tnt at kalik.co.yu
Mon Jun 25 15:28:17 CEST 2007


You are looking in the wrong place. Your problem is not with the server
but with the client (certificate).

Ivan Kalik
Kalik Informatika ISP


On 25/6/2007, "Hangjun He" <elmerhe at yahoo.com.cn> wrote:

>When I use ldapsearch -H ldaps://localhost/ I can get the correct record.
>
>  debug info:
>  connection_get(11): got connid=12
>connection_read(11): checking for input on id=12
>TLS trace: SSL_accept:before/accept initialization
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>TLS trace: SSL_accept:SSLv3 flush data
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>connection_get(11): got connid=12
>connection_read(11): checking for input on id=12
>TLS trace: SSL_accept:SSLv3 read client key exchange A
>TLS trace: SSL_accept:SSLv3 read finished A
>TLS trace: SSL_accept:SSLv3 write change cipher spec A
>TLS trace: SSL_accept:SSLv3 write finished A
>TLS trace: SSL_accept:SSLv3 flush data
>connection_read(11): unable to get TLS client DN, error=49 id=12
>connection_get(11): got connid=12
>connection_read(11): checking for input on id=12
>ber_get_next
>ber_get_next: tag 0x30 len 45 contents:
>ber_get_next
>do_bind
>ber_scanf fmt ({imt) ber:
>ber_scanf fmt (m}) ber:
>>>> dnPrettyNormal: <cn=admin,dc=aehve,dc=com>
><<< dnPrettyNormal: <cn=admin,dc=aehve,dc=com>, <cn=admin,dc=aehve,dc=com>do_bind: version=3 dn="cn=admin,dc=aehve,dc=com" method=128
>do_bind: v3 bind: "cn=admin,dc=aehve,dc=com" to "cn=admin,dc=aehve,dc=com"send_ldap_result: conn=12 op=0 p=3
>send_ldap_response: msgid=1 tag=97 err=0
>ber_flush: 14 bytes to sd 11
>connection_get(11): got connid=12
>connection_read(11): checking for input on id=12
>ber_get_next
>ber_get_next: tag 0x30 len 73 contents:
>ber_get_next
>do_search
>ber_scanf fmt ({miiiib) ber:
>>>> dnPrettyNormal: <cn=hlin,ou=People,dc=aehve,dc=com>
><<< dnPrettyNormal: <cn=hlin,ou=People,dc=aehve,dc=com>, <cn=hlin,ou=people,dc=aehve,dc=com>
>ber_scanf fmt (m) ber:
>ber_scanf fmt ({M}}) ber:
>=> bdb_search
>bdb_dn2entry("cn=hlin,ou=people,dc=aehve,dc=com")
>search_candidates: base="cn=hlin,ou=people,dc=aehve,dc=com" (0x0000000b) scope=2
>=> bdb_dn2idl("cn=hlin,ou=people,dc=aehve,dc=com")
><= bdb_dn2idl: id=1 first=11 last=11
>=> bdb_presence_candidates (objectClass)
>bdb_search_candidates: id=1 first=11 last=11
>=> send_search_entry: conn 12 dn="cn=hlin,ou=People,dc=aehve,dc=com"
>ber_flush: 188 bytes to sd 11
><= send_search_entry: conn 12 exit.
>send_ldap_result: conn=12 op=1 p=3
>send_ldap_response: msgid=2 tag=101 err=0
>ber_flush: 14 bytes to sd 11
>connection_get(11): got connid=12
>connection_read(11): checking for input on id=12
>ber_get_next
>ber_get_next: tag 0x30 len 5 contents:
>ber_get_next
>do_unbind
>connection_closing: readying conn=12 sd=11 for close
>connection_resched: attempting closing conn=12 sd=11
>connection_close: conn=12 sd=11
>TLS trace: SSL3 alert write:warning:close notify
>
>
>  when I use freeradius on the same host:
>  do_extended
>ber_scanf fmt ({m) ber:
>send_ldap_extended: err=0 oid= len=0
>send_ldap_response: msgid=1 tag=120 err=0
>ber_flush: 14 bytes to sd 11
>connection_get(11): got connid=11
>connection_read(11): checking for input on id=11
>TLS trace: SSL_accept:before/accept initialization
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>TLS trace: SSL_accept:SSLv3 flush data
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>connection_get(11): got connid=11
>connection_read(11): checking for input on id=11
>TLS trace: SSL_accept:SSLv3 read client key exchange A
>TLS trace: SSL_accept:SSLv3 read finished A
>TLS trace: SSL_accept:SSLv3 write change cipher spec A
>TLS trace: SSL_accept:SSLv3 write finished A
>TLS trace: SSL_accept:SSLv3 flush data
>connection_read(11): unable to get TLS client DN, error=49 id=11
>connection_get(11): got connid=11
>connection_read(11): checking for input on id=11
>ber_get_next
>ber_get_next: tag 0x30 len 5 contents:
>ber_get_next
>TLS trace: SSL3 alert read:warning:close notify
>ber_get_next on fd 11 failed errno=0 (Success)
>connection_closing: readying conn=11 sd=11 for close
>connection_close: deferring conn=11 sd=11
>do_unbind
>connection_resched: attempting closing conn=11 sd=11
>connection_close: conn=11 sd=11
>TLS trace: SSL3 alert write:warning:close notify
>
>
>
>Hangjun He <elmerhe at yahoo.com.cn> wrote:
>      freeradius version 1.1.6
>   openldap version 2.3.23
>   openssl version  0.9.7g
>
>Hangjun He <elmerhe at yahoo.com.cn> wrote:
>    hi,
>        freeradius with openldap is OK when using cleartext communication.
>  Now I want to use tls.
>
>     openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem   shows that the cacert/cert/key are correct.
>
>
>      But when I use freeradius with tls, errors pop up:
>
>  freeradius error:
>  rlm_ldap: - authorize
>rlm_ldap: performing user authorization for hwang
>radius_xlat:  '(uid=hwang)'
>radius_xlat:  'ou=People,dc=aerohive,dc=com'
>rlm_ldap: ldap_get_conn: Checking Id: 0
>rlm_ldap: ldap_get_conn: Got Id: 0
>rlm_ldap: attempting LDAP reconnection
>rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
>rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
>rlm_ldap: setting TLS Require Cert to demand
>rlm_ldap: starting TLS
>rlm_ldap: ldap_start_tls_s()
>rlm_ldap: could not start TLS Connect error
>rlm_ldap: (re)connection attempt failed
>rlm_ldap: search failed
>rlm_ldap: ldap_release_conn: Release Id: 0
>
>
>  openldap error:
>  TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write server done A
>tls_write: want=902, written=902                               ......
>TLS trace: SSL_accept:SSLv3 flush data
>tls_read: want=5, got=5
>  0000:  15 03 01 00 02                                     .....
>tls_read: want=2, got=2
>  0000:  02 2a                                              .*
>TLS trace: SSL3 alert read:fatal:bad certificate
>TLS trace: SSL_accept:failed in SSLv3 read client certificate A
>TLS: can't accept.
>TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052
>connection_read(11): TLS accept failure error=-1 id=5, closing
>connection_closing: readying conn=5 sd=11 for close
>connection_close: conn=5 sd=11
>daemon: removing 11
>
>
>    When I use freeradius on the same host as openldap, there are other errors:
>  connection_get(10)
>connection_get(10): got connid=11
>connection_read(10): checking for input on id=11
>TLS trace: SSL_accept:before/accept initialization
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write certificate request A
>TLS trace: SSL_accept:SSLv3 flush data
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>connection_get(10)
>connection_get(10): got connid=11
>connection_read(10): checking for input on id=11
>TLS trace: SSL_accept:SSLv3 read client certificate A
>TLS trace: SSL_accept:SSLv3 read client key exchange A
>TLS trace: SSL_accept:SSLv3 read finished A
>TLS trace: SSL_accept:SSLv3 write change cipher spec A
>TLS trace: SSL_accept:SSLv3 write finished A
>TLS trace: SSL_accept:SSLv3 flush data
>connection_read(10): unable to get TLS client DN, error=49 id=11
>connection_get(10)
>connection_get(10): got connid=11
>connection_read(10): checking for input on id=11
>ber_get_next
>ber_get_next: tag 0x30 len 5 contents:
>ber_get_next
>TLS trace: SSL3 alert read:warning:close notify
>
>
>  partial configuration in slapd.conf:
>  TLSCipherSuite HIGH:MEDIUM:+SSLv2
>TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
>TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
>TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
>TLSVerifyClient try
>
>  Can anyone tell me why this is? Is anything wrong with my configuration file?
>
>
>    Thanks!
>  John
>
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
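The two hexdump rows in the quoted slapd trace (`15 03 01 00 02` followed by `02 2a`) are a raw TLS alert record, and the `SSL3 alert read:` line that follows them says slapd received that alert from its peer rather than sending it. The Python below is an added example, not code from the thread, OpenLDAP or FreeRADIUS: it decodes such a record according to the TLS record and Alert layouts (RFC 5246 sections 6.2.1 and 7.2, identical on the wire for TLS 1.0) and attributes each alert in the trace to the side that produced it. The sample lines are copied from the quoted `slapd -d` output; the function names and the wording of the `hint` field are assumptions of this example.

```python
"""Triage a slapd -d TLS trace: decode the raw alert record, say who sent it.

Added example (not from the thread or from OpenLDAP/FreeRADIUS). Sample lines
are copied from the slapd debug output quoted above.
"""
import re

CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of RFC 5246 AlertDescription values; the certificate-related ones
# are what an LDAP client with tls_require_cert=demand emits when it
# refuses the certificate it was shown.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
    51: "decrypt_error",
}

# slapd hexdump rows look like "  0000:  15 03 01 00 02        .....":
# a 4-digit offset, hex bytes separated by single spaces, then padding and
# an ASCII column. Requiring one space after each byte stops the match at
# the padding, so the ASCII column is not read as data.
HEXDUMP_ROW = re.compile(r"^\s*[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2} )+)")
ALERT_TRACE = re.compile(r"TLS trace: SSL3 alert (read|write):(\w+):(.+)")


def hexdump_bytes(lines):
    """Concatenate the bytes of every hexdump row in the trace, in order."""
    out = bytearray()
    for line in lines:
        m = HEXDUMP_ROW.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).strip())[:16])  # 16 bytes per row
    return bytes(out)


def decode_alert_record(data):
    """Parse a 5-byte TLS record header carrying a 2-byte Alert body."""
    if len(data) < 7:
        raise ValueError("need record header plus alert body (7 bytes)")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"content type {ctype} is not an alert record")
    if length != 2:
        raise ValueError(f"alert body must be 2 bytes, header says {length}")
    level, desc = data[5], data[6]
    return {
        "version": f"{major}.{minor}",  # 3.1 on the wire is TLS 1.0
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


def alert_senders(lines):
    """Map each 'TLS trace: SSL3 alert ...' line to the side that produced it.

    slapd is the server: 'alert read' is an alert it received from the
    client, 'alert write' is one it sent itself.
    """
    result = []
    for line in lines:
        m = ALERT_TRACE.search(line)
        if m:
            direction, level, desc = m.groups()
            sender = "client" if direction == "read" else "server"
            result.append((sender, level, desc.strip()))
    return result


def diagnose(lines):
    """Decoded record plus sender, with a plain-language hint for triage."""
    record = decode_alert_record(hexdump_bytes(lines))
    senders = alert_senders(lines)
    record["sender"] = senders[0][0] if senders else "unknown"
    cert_alerts = {"bad_certificate", "unknown_ca", "certificate_unknown"}
    if record["sender"] == "client" and record["description"] in cert_alerts:
        # Only ServerHello/Certificate/ServerHelloDone had been sent, so the
        # client is rejecting the server's certificate, not the other way round.
        record["hint"] = ("client rejected the server certificate: check the client's "
                          "CA file and the name it connected to")
    else:
        record["hint"] = "see alert description"
    return record


# Constructed sample: lines copied from the quoted slapd -d trace.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 2a                                              .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

Run against the sample, the record decodes to alert level 2 (fatal), description 42 (`bad_certificate`), sent by the client while slapd was still waiting for a client certificate; the certificate being refused is therefore the one the server presented, which is the case rlm_ldap's `tls_require_cert = demand` turns into the `could not start TLS Connect error` shown above. The later `unable to get TLS client DN, error=49` lines are a different symptom: with `TLSVerifyClient try` slapd completes the handshake even when the client sends no certificate and then simply has no client DN to extract.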




More information about the Freeradius-Users mailing list