openldap 2.4: olcTLSVerifyClient demand

I am running OpenLDAP 2.4.41 and trying to achieve client TLS certificate checking. I've configured TLS at the server side as follows.

    olcTLSCACertificateFile: /etc/pki/trust/anchors/rootCA.pem
    olcTLSCertificateKeyFile: /etc/openldap/openldap.key
    olcTLSCertificateFile: /etc/openldap/openldap.crt

TLS connection works well when olcTLSVerifyClient is set to try.

My client ldap.conf is the following (for testing simplicity I use the same cert both for the server and the client):

    TLS_CACERT /etc/pki/trust/anchors/rootCA.pem
    TLS_CACERTDIR /var/lib/ca-certificates/pem/
    TLS_CERT /etc/openldap/openldap.crt
    TLS_KEY /etc/openldap/openldap.key

Now, I am setting olcTLSVerifyClient: demand.

    > ldapsearch -d 1 -H ldaps:/// -v -x -D 'mydn' -w mysecret -b 'cn=log' -s base
    ldap_url_parse_ext(ldaps:///)
    ldap_initialize( ldaps://:636/??base )
    ldap_create
    ldap_url_parse_ext(ldaps://:636/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP localhost:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying ::1 636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 1, err: 0, subject: [SKIPPED]
    TLS certificate verification: depth: 0, err: 0, subject: [SKIPPED]
    TLS trace: SSL_connect:SSLv3 read server certificate A
    TLS trace: SSL_connect:SSLv3 read server certificate request A
    TLS trace: SSL_connect:SSLv3 read server done A
    TLS trace: SSL_connect:SSLv3 write client certificate A
    TLS trace: SSL_connect:SSLv3 write client key exchange A
    TLS trace: SSL_connect:SSLv3 write change cipher spec A
    TLS trace: SSL_connect:SSLv3 write finished A
    TLS trace: SSL_connect:SSLv3 flush data
    TLS trace: SSL3 alert read:fatal:handshake failure
    TLS trace: SSL_connect:failed in SSLv3 read server session ticket A
    TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

In the server logs I see the following:

    slap_listener_activate(8): >>>
    slap_listener(ldaps:///)
    connection_get(11): got connid=1021
    connection_read(11): checking for input on id=1021
    connection_get(11): got connid=1021
    connection_read(11): checking for input on id=1021
    connection_read(11): TLS accept failure error=-1 id=1021, closing
    connection_close: conn=1021 sd=11

How could I debug why client certificate checking doesn't work?


Category: openldap Time: 2016-07-31 Views: 0
Tags: openldap
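The `ldapsearch -d 1` trace above already narrows the failure down: both server-certificate verification callbacks report `err: 0`, the server sends a certificate request, the client reaches its certificate step, and only then the server answers with a fatal `handshake failure` alert, which matches the `TLS accept failure error=-1` slapd logs for that connection. The script below is an added example, not code from the question or from the OpenLDAP project: it parses copies of those trace and log lines (embedded here as constructed sample input, taken from the post) and reports which side rejected which step. One caveat it relies on: OpenSSL prints the `write client certificate A` state whether or not a certificate was actually attached, so reaching that step only proves the client got as far as the certificate message, not that `TLS_CERT`/`TLS_KEY` were loaded. The follow-up checks suggested in its output (that the key pair loads, and that the client certificate chains to the file named in `olcTLSCACertificateFile` on the server, e.g. with `openssl verify -CAfile`) are the usual next steps for a `demand` failure.

```python
import re

# Constructed sample input: the client-side "ldapsearch -d 1" TLS trace and
# the slapd connection log from the question, one entry per line.
CLIENT_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: [SKIPPED]
TLS certificate verification: depth: 0, err: 0, subject: [SKIPPED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
"""

SERVER_LOG = """\
connection_get(11): got connid=1021
connection_read(11): checking for input on id=1021
connection_read(11): TLS accept failure error=-1 id=1021, closing
connection_close: conn=1021 sd=11
"""

# "err" is the OpenSSL X509 verify result for the server's chain; 0 means OK.
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+)")
# Alerts received from the peer, e.g. "SSL3 alert read:fatal:handshake failure".
ALERT_RE = re.compile(r"TLS trace: SSL3 alert read:(\w+):(.+)")
# slapd's record of an aborted TLS accept on a given connection id.
ACCEPT_FAIL_RE = re.compile(r"TLS accept failure error=(-?\d+) id=(\d+)")


def triage_client_trace(trace):
    """Extract the handshake facts needed to place the failure."""
    facts = {
        "server_cert_verify_errors": [],      # (depth, err) pairs with err != 0
        "server_requested_client_cert": False,
        "client_reached_certificate_step": False,
        "fatal_alert": None,                  # alert description sent by the server
    }
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if m and m.group(2) != "0":
            facts["server_cert_verify_errors"].append((int(m.group(1)), int(m.group(2))))
        if "read server certificate request" in line:
            facts["server_requested_client_cert"] = True
        if "write client certificate" in line:
            facts["client_reached_certificate_step"] = True
        m = ALERT_RE.search(line)
        if m and m.group(1) == "fatal":
            facts["fatal_alert"] = m.group(2).strip()
    return facts


def diagnose(facts):
    """Turn the extracted facts into a one-line verdict for the operator."""
    if facts["server_cert_verify_errors"]:
        return ("client rejected the server certificate (verify errors %r); "
                "check TLS_CACERT on the client" % facts["server_cert_verify_errors"])
    if facts["fatal_alert"] is None:
        return "no fatal alert from the server; the TLS handshake completed"
    if facts["server_requested_client_cert"] and facts["client_reached_certificate_step"]:
        return ("server aborted after the client's certificate step: confirm TLS_CERT/TLS_KEY "
                "load as a matching pair and that the client certificate chains to "
                "olcTLSCACertificateFile on the server")
    return "handshake failed before the client certificate step: " + facts["fatal_alert"]


def server_accept_failures(log):
    """Return the connection ids for which slapd logged a failed TLS accept."""
    return [m.group(2) for m in (ACCEPT_FAIL_RE.search(l) for l in log.splitlines()) if m]


if __name__ == "__main__":
    facts = triage_client_trace(CLIENT_TRACE)
    print(diagnose(facts))
    print("slapd aborted TLS accept on connections:", server_accept_failures(SERVER_LOG))
```

Running it on the trace from the question yields the "server aborted after the client's certificate step" verdict and lists connection 1021, i.e. the server, not the client, is the side to look at: with `olcTLSVerifyClient: demand`, slapd must be able to build a trusted chain from the presented client certificate to a CA in `olcTLSCACertificateFile`, and the client must actually have loaded the certificate and key that `TLS_CERT`/`TLS_KEY` point to.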
