[Fedora-directory-users] client problems with ssl and tls

Satish Chetty satish at suburbia.org.au
Fri Sep 7 12:34:31 UTC 2007


Marco,
	Which ldapsearch are you using? OL's or the one that comes with FDS?

-Satish.

Marco Strullato wrote:
> Hi all!
> I have a problem with ldap and ssl:
> I set up the fedora directory server with ssl following this link: 
> http://directory.fedoraproject.org/wiki/Howto:SSL
> 
> The problem is client authentication: I mean when I do an ldapsearch I 
> get "SSL connection already established" but I don't have any other 
> connection between client and server (checked with netstat).
> 
> What do you suggest?
> 
> Thanks
> 
> Marco
> 
> logs from the FDS server are:
> [07/Sep/2007:10:04:09 +0200] conn=10 fd=68 slot=68 SSL connection from <ip_src> to <ip_dst>
> [07/Sep/2007:10:04:09 +0200] conn=10 SSL 256-bit AES
> [07/Sep/2007:10:04:09 +0200] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [07/Sep/2007:10:04:09 +0200] conn=10 op=0 RESULT err=1 tag=120 nentries=0 etime=0
> [07/Sep/2007:10:04:09 +0200] conn=10 op=-1 fd=68 closed - B1
> 
> from client:
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldaps_vm02_admin:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying <ip_server>:636
> ldap_connect_timeout: fd: 3 tm: -1 async: 0
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 0, subject: /C=IT/O=<......>
> TLS certificate verification: depth: 0, err: 0, subject: /C=IT/O=<......>
> TLS trace: SSL_connect:SSLv3 read server certificate A
> TLS trace: SSL_connect:SSLv3 read server certificate request A
> TLS trace: SSL_connect:SSLv3 read server done A
> TLS trace: SSL_connect:SSLv3 write client certificate A
> TLS trace: SSL_connect:SSLv3 write client key exchange A
> TLS trace: SSL_connect:SSLv3 write change cipher spec A
> TLS trace: SSL_connect:SSLv3 write finished A
> TLS trace: SSL_connect:SSLv3 flush data
> TLS trace: SSL_connect:SSLv3 read finished A
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush: 31 bytes to sd 3
> ldap_result ld 0x80bc048 msgid 1
> ldap_chkResponseList ld 0x80bc048 msgid 1 all 1
> ldap_chkResponseList returns ld 0x80bc048 NULL
> wait4msg ld 0x80bc048 msgid 1 (infinite timeout)
> wait4msg continue ld 0x80bc048 msgid 1 all 1
> ** ld 0x80bc048 Connections:
> * host: ldaps_vm02_admin  port: 636  (default)
>   refcnt: 2  status: Connected
>   last used: Fri Sep  7 10:05:20 2007
> 
> ** ld 0x80bc048 Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** ld 0x80bc048 Response Queue:
>    Empty
> ldap_chkResponseList ld 0x80bc048 msgid 1 all 1
> ldap_chkResponseList returns ld 0x80bc048 NULL
> ldap_int_select
> read1msg: ld 0x80bc048 msgid 1 all 1
> ber_get_next
> ber_get_next: tag 0x30 len 71 contents:
> read1msg: ld 0x80bc048 msgid 1 message type extended-result
> ber_scanf fmt ({eaa) ber:
> read1msg: ld 0x80bc048 0 new referrals
> read1msg:  mark request completed, ld 0x80bc048 msgid 1
> request done: ld 0x80bc048 msgid 1
> res_errno: 0, res_error: <>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection 0 1
> ldap_free_connection: refcnt 1
> ldap_parse_extended_result
> ber_scanf fmt ({eaa) ber:
> ber_scanf fmt (a) ber:
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_scanf fmt (x) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_perror
> ldap_start_tls: Operations error (1)
>         additional info: SSL connection already established
> 
> 
> ------------------------------------------------------------------------
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
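Editor's note on the two traces above: the client log shows a TCP connect to port 636 with a full TLS handshake ("ldap_open_defconn: successful"), and only then the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) sent over that already-encrypted session; the server log shows the same connection arriving on the LDAPS listener ("SSL connection from") and the StartTLS request answered with err=1, which FDS reports as "SSL connection already established". With OpenLDAP's ldapsearch that pattern is what you get from combining an ldaps:// URI (port 636) with -Z or -ZZ: use ldaps:// without -Z, or ldap:// on port 389 with -ZZ, not both. The script below is an added example, not code from the thread or from the Directory Server project: it parses lines in the access-log format quoted above, correlates them per connection, and flags connections where StartTLS was requested on a socket that was already TLS. The sample log lines, IP addresses and connection numbers are constructed for the example.

```python
"""Flag StartTLS requests sent over connections that were already LDAPS.

Added example (not from the mailing-list thread). Parses the Fedora
Directory Server access-log format quoted above and classifies each
connection. All sample data below is constructed.
"""
import re
from dataclasses import dataclass, field

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

# Constructed sample in the FDS access-log format shown in the thread.
# conn=10 mirrors the failing case (LDAPS on 636, then a StartTLS request).
# conn=11 is a plain connection on 389 that upgrades with StartTLS correctly.
# conn=12 is a plain LDAPS connection that simply binds.
SAMPLE_LOG = """\
[07/Sep/2007:10:04:09 +0200] conn=10 fd=68 slot=68 SSL connection from 192.0.2.10 to 192.0.2.20
[07/Sep/2007:10:04:09 +0200] conn=10 SSL 256-bit AES
[07/Sep/2007:10:04:09 +0200] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[07/Sep/2007:10:04:09 +0200] conn=10 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[07/Sep/2007:10:04:09 +0200] conn=10 op=-1 fd=68 closed - B1
[07/Sep/2007:10:06:30 +0200] conn=11 fd=69 slot=69 connection from 192.0.2.10 to 192.0.2.20
[07/Sep/2007:10:06:30 +0200] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[07/Sep/2007:10:06:30 +0200] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[07/Sep/2007:10:06:30 +0200] conn=11 SSL 256-bit AES
[07/Sep/2007:10:06:30 +0200] conn=11 op=1 BIND dn="" method=128 version=3
[07/Sep/2007:10:07:02 +0200] conn=12 fd=70 slot=70 SSL connection from 192.0.2.11 to 192.0.2.20
[07/Sep/2007:10:07:02 +0200] conn=12 SSL 256-bit AES
[07/Sep/2007:10:07:02 +0200] conn=12 op=0 BIND dn="" method=128 version=3
[07/Sep/2007:10:07:02 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>-?\d+) (?P<body>.*)$")
ERR_RE = re.compile(r"\berr=(\d+)\b")


@dataclass
class Conn:
    cid: int
    ldaps: bool = False                                  # accepted on the LDAPS listener
    starttls_ops: list = field(default_factory=list)     # op numbers that requested StartTLS
    results: dict = field(default_factory=dict)          # op number -> err code

    def starttls_err(self):
        """err code returned to the first StartTLS request, or None if there was none."""
        for op in self.starttls_ops:
            if op in self.results:
                return self.results[op]
        return None


def parse_access_log(text):
    """Group access-log lines by conn id, recording TLS-at-accept, StartTLS ops and results."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        cid = int(m["conn"])
        c = conns.setdefault(cid, Conn(cid))
        rest = m["rest"]
        if rest.startswith("fd=") and "SSL connection from" in rest:
            c.ldaps = True                               # TLS was negotiated at accept time
            continue
        om = OP_RE.match(rest)
        if not om:
            continue                                     # e.g. "SSL 256-bit AES" cipher notice
        op, body = int(om["op"]), om["body"]
        if body.startswith("EXT ") and f'oid="{STARTTLS_OID}"' in body:
            c.starttls_ops.append(op)
        elif body.startswith("RESULT "):
            em = ERR_RE.search(body)
            if em:
                c.results[op] = int(em.group(1))
    return conns


def classify(conns):
    """Label each connection; 'starttls-over-ldaps' is the misconfiguration from the thread."""
    out = {}
    for cid, c in conns.items():
        if c.ldaps and c.starttls_ops:
            out[cid] = "starttls-over-ldaps"             # ldaps:// URI combined with -Z/-ZZ
        elif c.starttls_ops:
            out[cid] = "starttls-ok" if c.starttls_err() == 0 else "starttls-failed"
        elif c.ldaps:
            out[cid] = "ldaps"
        else:
            out[cid] = "plain"
    return out


if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_LOG)
    for cid, label in sorted(classify(conns).items()):
        print(f"conn={cid}: {label} (StartTLS err={conns[cid].starttls_err()})")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; every connection labelled "starttls-over-ldaps" is a client that opened LDAPS and then asked for StartTLS, which is exactly the client-side command line to fix (for OpenLDAP's ldapsearch: -H ldaps://host:636 without -Z, or -H ldap://host:389 with -ZZ).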
