[Fedora-directory-users] client problems with ssl and tls
Marco Strullato
marco.strullato at gmail.com
Fri Sep 7 14:37:34 UTC 2007
Thanks!
changing the URI from ldaps to ldap, it works!
Marco
2007/9/7, Richard Megginson <rmeggins at redhat.com>:
>
> Marco Strullato wrote:
> > Hello, I'm using ldapsearch provided by openldap-clients-2.3.27-5.
> >
> > Marco
> >
> > 2007/9/7, Satish Chetty <satish at suburbia.org.au>:
> >
> > Marco,
> > Which ldapsearch are you using? OL's or the one that comes
> > with FDS?
> >
> > -Satish.
> >
> > Marco Strullato wrote:
> > > Hi all!
> > > I have a problem with ldap and ssl:
> > > I set up the fedora directory server with ssl following this link:
> > > http://directory.fedoraproject.org/wiki/Howto:SSL
> > >
> > > The problem is client authentication: I mean when I do an ldapsearch I
> > > get "SSL connection already established" but I don't have any other
> > > connection between client and server (checked with netstat).
> > >
> > > What do you suggest?
> > >
> > > Thanks
> > >
> > > Marco
> > >
> > > logs from the FDS server are:
> > > [07/Sep/2007:10:04:09 +0200] conn=10 fd=68 slot=68 SSL connection from
> > > <ip_src> to <ip_dst>
> > > [07/Sep/2007:10:04:09 +0200] conn=10 SSL 256-bit AES
> > > [07/Sep/2007:10:04:09 +0200] conn=10 op=0 EXT
> > > oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> > > [07/Sep/2007:10:04:09 +0200] conn=10 op=0 RESULT err=1 tag=120
> > > nentries=0 etime=0
> > > [07/Sep/2007:10:04:09 +0200] conn=10 op=-1 fd=68 closed - B1
> >
>
> The problem is that you are attempting to use startTLS on a connection
> that you have already started TLS/SSL on. The original connection is
> already an SSL connection: "conn=10 fd=68 slot=68 SSL connection". Then
> there is an attempt to startTLS on this connection: "conn=10 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"". If you want to use
> startTLS, you must do so on a non-encrypted connection.
> >
> > >
> > > from client:
> > > ldap_create
> > > ldap_extended_operation_s
> > > ldap_extended_operation
> > > ldap_send_initial_request
> > > ldap_new_connection 1 1 0
> > > ldap_int_open_connection
> > > ldap_connect_to_host: TCP ldaps_vm02_admin:636
> > > ldap_new_socket: 3
> > > ldap_prepare_socket: 3
> > > ldap_connect_to_host: Trying <ip_server>:636
> > > ldap_connect_timeout: fd: 3 tm: -1 async: 0
> > > TLS trace: SSL_connect:before/connect initialization
> > > TLS trace: SSL_connect:SSLv2/v3 write client hello A
> > > TLS trace: SSL_connect:SSLv3 read server hello A
> > > TLS certificate verification: depth: 1, err: 0, subject:
> > > /C=IT/O=<......>
> > > TLS certificate verification: depth: 0, err: 0, subject:
> > > /C=IT/O=<......>
> > > TLS trace: SSL_connect:SSLv3 read server certificate A
> > > TLS trace: SSL_connect:SSLv3 read server certificate request A
> > > TLS trace: SSL_connect:SSLv3 read server done A
> > > TLS trace: SSL_connect:SSLv3 write client certificate A
> > > TLS trace: SSL_connect:SSLv3 write client key exchange A
> > > TLS trace: SSL_connect:SSLv3 write change cipher spec A
> > > TLS trace: SSL_connect:SSLv3 write finished A
> > > TLS trace: SSL_connect:SSLv3 flush data
> > > TLS trace: SSL_connect:SSLv3 read finished A
> > > ldap_open_defconn: successful
> > > ldap_send_server_request
> > > ber_scanf fmt ({it) ber:
> > > ber_scanf fmt ({) ber:
> > > ber_flush: 31 bytes to sd 3
> > > ldap_result ld 0x80bc048 msgid 1
> > > ldap_chkResponseList ld 0x80bc048 msgid 1 all 1
> > > ldap_chkResponseList returns ld 0x80bc048 NULL
> > > wait4msg ld 0x80bc048 msgid 1 (infinite timeout)
> > > wait4msg continue ld 0x80bc048 msgid 1 all 1
> > > ** ld 0x80bc048 Connections:
> > > * host: ldaps_vm02_admin port: 636 (default)
> > > refcnt: 2 status: Connected
> > > last used: Fri Sep 7 10:05:20 2007
> > >
> > > ** ld 0x80bc048 Outstanding Requests:
> > > * msgid 1, origid 1, status InProgress
> > > outstanding referrals 0, parent count 0
> > > ** ld 0x80bc048 Response Queue:
> > > Empty
> > > ldap_chkResponseList ld 0x80bc048 msgid 1 all 1
> > > ldap_chkResponseList returns ld 0x80bc048 NULL
> > > ldap_int_select
> > > read1msg: ld 0x80bc048 msgid 1 all 1
> > > ber_get_next
> > > ber_get_next: tag 0x30 len 71 contents:
> > > read1msg: ld 0x80bc048 msgid 1 message type extended-result
> > > ber_scanf fmt ({eaa) ber:
> > > read1msg: ld 0x80bc048 0 new referrals
> > > read1msg: mark request completed, ld 0x80bc048 msgid 1
> > > request done: ld 0x80bc048 msgid 1
> > > res_errno: 0, res_error: <>, res_matched: <>
> > > ldap_free_request (origid 1, msgid 1)
> > > ldap_free_connection 0 1
> > > ldap_free_connection: refcnt 1
> > > ldap_parse_extended_result
> > > ber_scanf fmt ({eaa) ber:
> > > ber_scanf fmt (a) ber:
> > > ldap_parse_result
> > > ber_scanf fmt ({iaa) ber:
> > > ber_scanf fmt (x) ber:
> > > ber_scanf fmt (}) ber:
> > > ldap_msgfree
> > > ldap_perror
> > > ldap_start_tls: Operations error (1)
> > > additional info: SSL connection already established
> > >
> > >
> > >
> >
> >
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
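Richard's diagnosis can be turned into a check over the server's access log, so that the "ldaps:// URI plus -Z" mistake (and its opposite, a bind that never gets TLS at all) shows up without reading the log by hand. The following is an added example, not code from this thread or from Fedora Directory Server. The log it runs on is constructed: conn=10 mirrors the excerpt Marco posted, conn=11 and conn=12 are made up, the addresses are placeholders, and the format of the plain "connection from" and BIND lines is assumed from typical 389-DS access logs rather than taken from the thread. The names `analyse_access_log`, `Finding` and `SAMPLE_LOG` are mine. It goes a little beyond the thread's single case: it flags a startTLS request on a connection that was already encrypted, a startTLS that returned an error, and a simple bind sent on a connection that never negotiated TLS.

```python
import re
from collections import namedtuple

# OID of the StartTLS extended operation (RFC 4511); this is the oid= value
# in the EXT line of the access log excerpt in the thread.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed sample access log (hypothetical data, not a real server's log).
# conn=10 mirrors the excerpt posted in the thread; conn=11 and conn=12 are
# made up to show the contrasting cases. Addresses are documentation-range
# placeholders.
SAMPLE_LOG = """\
[07/Sep/2007:10:04:09 +0200] conn=10 fd=68 slot=68 SSL connection from 192.0.2.10 to 192.0.2.20
[07/Sep/2007:10:04:09 +0200] conn=10 SSL 256-bit AES
[07/Sep/2007:10:04:09 +0200] conn=10 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[07/Sep/2007:10:04:09 +0200] conn=10 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[07/Sep/2007:10:04:09 +0200] conn=10 op=-1 fd=68 closed - B1
[07/Sep/2007:10:06:41 +0200] conn=11 fd=69 slot=69 connection from 192.0.2.10 to 192.0.2.20
[07/Sep/2007:10:06:41 +0200] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[07/Sep/2007:10:06:41 +0200] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[07/Sep/2007:10:06:41 +0200] conn=11 SSL 256-bit AES
[07/Sep/2007:10:06:41 +0200] conn=11 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[07/Sep/2007:10:06:41 +0200] conn=11 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[07/Sep/2007:10:07:02 +0200] conn=12 fd=70 slot=70 connection from 192.0.2.30 to 192.0.2.20
[07/Sep/2007:10:07:02 +0200] conn=12 op=0 BIND dn="uid=marco,ou=People,dc=example,dc=com" method=128 version=3
[07/Sep/2007:10:07:02 +0200] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[07/Sep/2007:10:07:02 +0200] conn=12 op=-1 fd=70 closed - U1
"""

# One regex per line type we care about. The "(SSL )?" group on the open line
# tells an ldaps:// connection (encrypted from the first byte) from a plain one.
_CONN_OPEN = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from")
_CIPHER = re.compile(r"conn=(\d+) SSL \d+-bit")           # handshake completed
_EXT = re.compile(r'conn=(\d+) op=(\d+) EXT oid="([^"]+)"')
_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")
_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')

Finding = namedtuple("Finding", "conn kind detail")


def analyse_access_log(text):
    """Walk the log in order and return a list of Finding tuples.

    Per-connection TLS state is tracked so that each operation is judged
    against what the server knew at that moment, not at the end of the log.
    """
    tls = {}          # conn -> True once the connection is encrypted
    pending_ext = {}  # (conn, op) -> oid of an EXT op waiting for its RESULT
    findings = []
    for line in text.splitlines():
        m = _CONN_OPEN.search(line)
        if m:
            tls[m.group(1)] = bool(m.group(2))
            continue
        m = _CIPHER.search(line)
        if m:
            tls[m.group(1)] = True   # reached after ldaps open or a good startTLS
            continue
        m = _EXT.search(line)
        if m:
            conn, op, oid = m.groups()
            pending_ext[(conn, op)] = oid
            if oid == STARTTLS_OID and tls.get(conn):
                findings.append(Finding(conn, "starttls-on-tls",
                    "startTLS requested on an already encrypted connection "
                    "(ldaps:// URI combined with -Z?)"))
            continue
        m = _RESULT.search(line)
        if m:
            conn, op, err = m.groups()
            if pending_ext.pop((conn, op), None) == STARTTLS_OID and err != "0":
                findings.append(Finding(conn, "starttls-failed",
                                        "startTLS returned err=%s" % err))
            continue
        m = _BIND.search(line)
        if m:
            conn, op, dn, method = m.groups()
            # method=128 is a simple bind; a non-empty dn means a password
            # crossed the wire, so it matters whether TLS was up by then.
            if method == "128" and dn and not tls.get(conn):
                findings.append(Finding(conn, "cleartext-simple-bind",
                                        "simple bind as %s without TLS" % dn))
    return findings


if __name__ == "__main__":
    for f in analyse_access_log(SAMPLE_LOG):
        print("conn=%s %-22s %s" % (f.conn, f.kind, f.detail))
```

A "starttls-on-tls" hit is the situation in this thread, and the fix is the one Marco applied: give ldapsearch a plain `ldap://` URI and `-ZZ` so it negotiates startTLS on a cleartext socket (`-ZZ` rather than `-Z` makes it abort if the negotiation fails), or keep `ldaps://host:636` and drop `-Z` so the socket is TLS from the first byte. Both are standard OpenLDAP ldapsearch options; the mistake is combining them on one connection.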