SSL Problem: TLS negotiation failure

by Neil Levine

I've seen this discussed in the archives but none of the solutions (or
admissions of error by the original poster) seem to apply:

I am running an Ubuntu OpenLDAP server and have a Debian client machine
with pam_ldap/libnss-ldap.

The server binds to ldap:// and ldaps://.

The slapd.conf file contains the following:

 TLSVerifyClient allow
 TLSCACertificateFile /etc/ldap/foo.org.pem
 TLSCertificateFile /etc/ldap/foo.org.pem
 TLSCertificateKeyFile /etc/ldap/foo.org.pem

The client works fine when configured to connect to ldap:// with the
following config files for both /etc/pam_ldap.conf and
/etc/libnss-ldap.conf:

 base dc=foo,dc=org
 uri ldap://foo.org/
 ldap_version 3

Subsequently, I change the uri to point to ldaps://foo.org/ and add the
following lines to /etc/pam_ldap.conf and
/etc/libnss-ldap.conf:

ssl on
sslpath /etc/ssl/certs
tls_cacertdir /etc/ssl/certs
tls_checkpeer no

Running ldapsearch -x with the following /etc/ldap/ldap.conf file works
fine:

 BASE dc=foo,dc=org
 URI ldaps://foo.org
 TLS_REQCERT allow
 TLS_CACERTDIR /etc/ssl/certs

So, I restart nscd to be sure and attempt to login via ssh. However,
I get the following in the syslog of the server:

Oct  7 22:36:16 jem slapd[25824]: conn=10 fd=23 ACCEPT from IP=192.168.0.111:46515 (IP=0.0.0.0:636)
Oct  7 22:36:23 jem slapd[25824]: conn=10 fd=23 closed (TLS negotiation failure)

Running strace -f /usr/sbin/sshd -d seems to show lots of open calls to
the files in /etc/ssl/certs.

I look forward to receiving any assistance.

regards

Neil

Re: SSL Problem: TLS negotiation failure

by Neil Levine

On Tue, Oct 07, 2008 at 10:43:23PM +0100, Neil Levine said:
>
>  TLSCACertificateFile /etc/ldap/foo.org.pem

This line was obviously wrong. I corrected it to:

TLSCACertificatePath /etc/ssl/certs/

> Running strace -f /usr/sbin/sshd -d seems to show lots of open calls to
> the files in /etc/ssl/certs.

So after looking at the strace more closely, I discovered that there was
an open call to /etc/pam_ldap.conf and /etc/libnss-pam.conf as expected
but there was ALSO an open call to /etc/ldap/ldap.conf.

I was under the impression that /etc/ldap/ldap.conf was only read by the
openldap tools (ldapsearch etc) and was not looked at by the pam/libnss
libraries. I tried commenting out both of these lines:

TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT allow

and pam-ldap/ssl worked, however, ldapsearch did not.

So, I changed TLS_REQCERT to never and consequently both ldapsearch and
pam-ldap worked.

So my questions:

1. Why are pamldap/libnss looking at /etc/ldap/ldap.conf?
2. Why doesn't ldapsearch work without TLS_REQCERT never?

Neil

Re: Re: SSL Problem: TLS negotiation failure

by Andrew Morgan

On Wed, 8 Oct 2008, Neil Levine wrote:

> On Tue, Oct 07, 2008 at 10:43:23PM +0100, Neil Levine said:
>>
>>  TLSCACertificateFile /etc/ldap/foo.org.pem
>
> This line was obviously wrong. I corrected it to:
>
> TLSCACertificatePath /etc/ssl/certs/
>
>> Running strace -f /usr/sbin/sshd -d seems to show lots of open calls to
>> the files in /etc/ssl/certs.
>
> So after looking at the strace more closely, I discovered that there was
> an open call to /etc/pam_ldap.conf and /etc/libnss-pam.conf as expected
> but there was ALSO an open call to /etc/ldap/ldap.conf.
>
> I was under the impression that /etc/ldap/ldap.conf was only read by the
> openldap tools (ldapsearch etc) and was not looked at by the pam/libnss
> libraries. I tried commenting out both of these lines:
>
> TLS_CACERTDIR /etc/ssl/certs
> TLS_REQCERT allow
>
> and pam-ldap/ssl worked, however, ldapsearch did not.
>
> So, I changed TLS_REQCERT to never and consequently both ldapsearch and
> pam-ldap worked.
>
> So my questions:
>
> 1. Why are pamldap/libnss looking at /etc/ldap/ldap.conf?

Both of those use the openldap library (libldap.so), so it is probably the
openldap library that is consulting ldap.conf.  My understanding is that
options set in pam_ldap.conf override the settings in ldap.conf.

> 2. Why doesn't ldapsearch work without TLS_REQCERT never?

I don't know...  To me, that setting only makes sense from the server-side
(allow client certificates).

  Andy
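The fix that made both tools work sets TLS_REQCERT to never, which per ldap.conf(5) stops libldap from requesting or checking the server certificate at all, so the ldaps:// session no longer authenticates the server (allow likewise ignores a missing or bad certificate; only try, demand and hard reject a bad one). The script below is an added example, not code from this thread: it applies the precedence Andy describes (libldap reads /etc/ldap/ldap.conf for every caller, pam_ldap.conf layers on top) to constructed copies of the two files and reports what ldapsearch and pam_ldap will each actually verify. The yes/no mapping of pam_ldap's tls_checkpeer onto demand/never is an assumption.

```python
"""Audit the effective TLS server-certificate check of an OpenLDAP client.

libldap reads /etc/ldap/ldap.conf for every program linked against it;
pam_ldap / libnss-ldap read their own file on top of it, so ldapsearch and
PAM may end up with different effective settings. Sample files are constructed.
"""
from typing import Dict, List

# Constructed copy of /etc/ldap/ldap.conf after the "never" change in the thread.
LDAP_CONF = """\
BASE dc=foo,dc=org
URI ldaps://foo.org
TLS_REQCERT never
TLS_CACERTDIR /etc/ssl/certs
"""

# Constructed copy of /etc/pam_ldap.conf (same content used for libnss-ldap.conf).
PAM_LDAP_CONF = """\
base dc=foo,dc=org
uri ldaps://foo.org/
ldap_version 3
ssl on
sslpath /etc/ssl/certs
tls_cacertdir /etc/ssl/certs
tls_checkpeer no
"""

# ldap.conf(5): only these values terminate the session on a bad server cert.
VERIFYING = {"try", "demand", "hard"}
# Assumption: pam_ldap's yes/no tls_checkpeer corresponds to libldap demand/never.
CHECKPEER_TO_REQCERT = {"yes": "demand", "no": "never"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'KEY value' lines; keys are case-insensitive and the last one wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(ldap_conf: str, pam_conf: str) -> Dict[str, str]:
    """Effective TLS_REQCERT as seen by plain libldap tools and by pam_ldap."""
    base, pam = parse_conf(ldap_conf), parse_conf(pam_conf)
    tools = base.get("tls_reqcert", "demand").lower()  # ldapsearch: ldap.conf only
    pam_eff = tools                                    # pam inherits unless it overrides
    if "tls_checkpeer" in pam:
        value = pam["tls_checkpeer"].lower()
        pam_eff = CHECKPEER_TO_REQCERT.get(value, value)
    return {"ldapsearch": tools, "pam_ldap": pam_eff}


def findings(view: Dict[str, str]) -> List[str]:
    """One finding per consumer whose setting leaves the server unauthenticated."""
    return [f"{name}: TLS_REQCERT={val} does not verify the ldaps:// server certificate"
            for name, val in view.items() if val not in VERIFYING]
```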

Re: SSL Problem: TLS negotiation failure

by jlintz

I ran into a similar problem; the issue ended up being that my certificate in /etc/openldap/cacerts was not readable by all.  Check the permissions on your certs and see if that helps.
