Forum Linux.général LDAP over TLS - unsupported extended operation

Posté par (page perso) . Licence CC by-sa.
10 sept. 2014

Bonjour,

J'ai suivi la création du certificat depuis la page d'openldap (ici: http://www.openldap.org/faq/data/cache/185.html )
J'ai aussi généré un certificat CA (cacert) et j'obtiens le même résultat.

Lorsque je fais un

root@DB:/etc/ldap# ldapsearch -ZZ
    ldap_start_tls: Protocol error (2)
            additional info: unsupported extended operation

alors qu'un :

root@DB:~# ldapsearch
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 32 No such object

    # numResponses: 1

Quelques logs additionnels :

root@DB:~# netstat -tan
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
    tcp6       0      0 :::636                  :::*                    LISTEN
    tcp6       0      0 :::389                  :::*                    LISTEN
root@DB:~# cgrep /etc/default/slapd
    SLAPD_CONF=
    SLAPD_USER="openldap"
    SLAPD_GROUP="openldap"
    SLAPD_PIDFILE=
    SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
    SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
    SLAPD_OPTIONS=""
root@DB:/etc/ldap# l
    total 48K
    -rw-r--r-- 1 root     root     4.4K Sep 10 17:20 cacert.pem
    drwxr-xr-x 2 root     root     4.0K Sep 10 17:19 cert_old
    -rw-r--r-- 1 root     root        0 Sep 10 17:17 db_crt.pem
    -rw------- 1 root     root     2.7K Sep 10 17:17 db_key.pem
    -rw-r--r-- 1 root     root      183 Sep  4 15:49 init.ldif
    -rw-r--r-- 1 root     root      178 Sep  4 16:14 olcAccess.ldif
    -rw-r--r-- 1 root     root      463 Sep  4 16:12 olcDbIndex.ldif
    -rw-r--r-- 1 root     root      250 Sep  4 17:16 olcSSL.ldif
    drwxr-xr-x 2 root     root     4.0K Apr 23  2013 sasl2
    drwxr-xr-x 2 root     root     4.0K Sep  4 15:27 schema
    drwxr-xr-x 3 openldap openldap 4.0K Sep  5 16:33 slapd.d
    -rw-r--r-- 1 root     root       88 Sep  4 15:50 ssl.ldif

Premier signe d'erreur, mais que je n'arrive pas à comprendre/débugger :

Note (relecture) : dans le listing ci-dessus, db_crt.pem fait 0 octet et db_key.pem est en 0600 root:root, alors que slapd tourne sous SLAPD_USER=openldap. slapd ne peut donc charger ni le certificat ni la clé : il n'initialise pas TLS (c'est le « TLS init def ctx failed » évoqué plus bas) et répond « unsupported extended operation » au StartTLS. C'est cohérent avec les traces openssl qui suivent, où le serveur ferme la connexion sans renvoyer un seul octet. À corriger (certificat non vide, clé lisible par openldap et par lui seul, par exemple root:openldap en 0640) avant de chercher un problème de handshake.

root@DB:/etc/ldap# openssl s_client -connect db.m0le.net:389 -state -showcerts -CAfile /etc/ldap/cacert.pem
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:unknown state
    139821511227048:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 308 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
root@DB:/etc/ldap/cert_old# gnutls-cli --x509cafile /etc/ldap/cacert.pem --x509keyfile /etc/ldap/db_key.pem --x509certfile /etc/ldap/db_crt.pem -d 5 -p 636 db.m0le.net
    Processed 1 CA certificate(s).
    Processed 1 client certificates...
    |<2>| ASSERT: x509_b64.c:453
    |<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
    |<2>| ASSERT: x509_b64.c:453
    |<2>| Could not find '-----BEGIN DSA PRIVATE KEY'
    |<2>| ASSERT: privkey.c:387
    |<2>| Falling back to PKCS #8 key decoding
    Processed 1 client X.509 certificates...
    Resolving 'db.m0le.net'...
    Connecting to '10.0.0.4:636'...
    |<4>| REC[0xc65a70]: Allocating epoch #0
    |<2>| ASSERT: gnutls_constate.c:695
    |<4>| REC[0xc65a70]: Allocating epoch #1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
    |<3>| HSK[0xc65a70]: Keeping ciphersuite: RSA_ARCFOUR_MD5
    |<2>| EXT[0xc65a70]: Sending extension SERVER NAME (16 bytes)
    |<2>| EXT[0xc65a70]: Sending extension SAFE RENEGOTIATION (1 bytes)
    |<2>| EXT[0xc65a70]: Sending extension SESSION TICKET (0 bytes)
    |<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
    |<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
    |<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
    |<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
    |<2>| EXT[0xc65a70]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
    |<3>| HSK[0xc65a70]: CLIENT HELLO was sent [136 bytes]
    |<4>| REC[0xc65a70]: Sending Packet[0] Handshake(22) with length: 136
    |<4>| REC[0xc65a70]: Sent Packet[1] Handshake(22) with length: 141
    |<2>| ASSERT: gnutls_buffers.c:640
    |<2>| ASSERT: gnutls_record.c:969
    |<2>| ASSERT: gnutls_handshake.c:2762
    *** Fatal error: A TLS packet with unexpected length was received.
    |<4>| REC: Sending Alert[2|22] - Record overflow
    |<4>| REC[0xc65a70]: Sending Packet[1] Alert(21) with length: 2
    |<2>| errno: 32
    |<2>| ASSERT: gnutls_buffers.c:431
    |<2>| ASSERT: gnutls_buffers.c:755
    |<2>| ASSERT: gnutls_record.c:491
    *** Handshake has failed
    GnuTLS error: A TLS packet with unexpected length was received.
    |<4>| REC[0xc65a70]: Epoch #0 freed
    |<4>| REC[0xc65a70]: Epoch #1 freed

S'il faut d'autres informations, n'hésitez pas ; moi, je suis perdu :(

  • # Debug handshake

    Posté par (page perso) . Évalué à 1.

On m'a posé la question du handshake, mais la commande openssl, que ce soit avec -prexit ou -msg, ou même en forçant -tls1 ou -ssl3, ne m'aide pas davantage. Dans toutes ces traces, openssl écrit son ClientHello puis lit 0 octet (« SSL handshake has read 0 bytes ») : le serveur coupe sans répondre, ce qui pointe vers un TLS non initialisé côté slapd plutôt que vers une incompatibilité de version ou de suite de chiffrement.

    root@DB:/etc/ldap/cert_old# openssl s_client -msg -connect db.m0le.net:636 -state                           [7/1449]
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
        TLS 1.2 Handshake [length 012f], ClientHello
        01 00 01 2b 03 03 54 11 5b 69 88 a4 ed 83 60 e6
        c3 0e ef 18 e7 24 70 b1 b6 cf 97 12 dd 80 dd 91
        8c cb 65 15 f3 52 00 00 92 c0 30 c0 2c c0 28 c0
        24 c0 14 c0 0a 00 a3 00 9f 00 6b 00 6a 00 39 00
        38 00 88 00 87 c0 32 c0 2e c0 2a c0 26 c0 0f c0
        05 00 9d 00 3d 00 35 00 84 c0 12 c0 08 00 16 00
        13 c0 0d c0 03 00 0a c0 2f c0 2b c0 27 c0 23 c0
        13 c0 09 00 a2 00 9e 00 67 00 40 00 33 00 32 00
        9a 00 99 00 45 00 44 c0 31 c0 2d c0 29 c0 25 c0
        0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 11 c0
        07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00
        14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 6f
        00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e
        00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16
        00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05
        00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11
        00 23 00 00 00 0d 00 22 00 20 06 01 06 02 06 03
        05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02
        03 03 02 01 02 02 02 03 01 01 00 0f 00 01 01
    SSL_connect:unknown state
    140182464599720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 308 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

    de même

    root@DB:/etc/ldap/cert_old# openssl s_client -prexit -connect db.m0le.net:636 -state
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:unknown state
    140642600560296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 308 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 308 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---
    root@DB:/etc/ldap/cert_old# openssl s_client -tls1 -connect db.m0le.net:636 -state                         [32/1540]
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    SSL_connect:failed in SSLv3 read server hello A
    140083957143208:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1410423787
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    root@DB:/etc/ldap/cert_old# openssl s_client -ssl3 -connect db.m0le.net:636 -state                          [1/1540]
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    SSL_connect:failed in SSLv3 read server hello A
    140624822658728:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1410423801
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

    Donc, pas vraiment d'idée :/

  • # As-tu bien fait la conf ?

    Posté par (page perso) . Évalué à 1.

Dans ton fichier slapd.conf, tu dois avoir des lignes qui ressemblent à un truc du genre, si je regarde la doc :

    TLSCertificateFile /path/to/server-certificate.pem
    TLSCertificateKeyFile /path/to/private-key.pem
    TLSCACertificateFile /path/to/CA-certificates

    Peux-tu déjà vérifier cela ?

    • [^] # Re: As-tu bien fait la conf ?

      Posté par . Évalué à 2.

      Et à la sauce « configuration dans le LDAP », il faut utiliser un LDIF de ce style :
      dn: cn=config
      changetype: modify
      add: olcTLSCACertificateFile
      olcTLSCACertificateFile: /etc/ldap/cacert.pem
      -
      add: olcTLSCertificateKeyFile
      olcTLSCertificateKeyFile: /etc/ldap/db_key.pem
      -
      add: olcTLSCertificateFile
      olcTLSCertificateFile: /etc/ldap/db_crt.pem

Si OpenLDAP utilise GnuTLS et que la clé privée a été générée par OpenSSL, il faut changer son format :
certtool --key-info < clé_OpenSSL > clé_GnuTLS
Attention : le fichier créé par cette redirection prend les droits de l'umask (souvent 0644, donc lisible par tous). Il faut ensuite le restreindre (par exemple chown root:openldap et chmod 0640) pour qu'il reste lisible par slapd, qui tourne sous SLAPD_USER=openldap, et par personne d'autre ; et supprimer l'ancienne copie de la clé si elle ne sert plus.

Sinon ton « openssl s_client » ne fonctionnera pas sur le port 389, car OpenLDAP y fait du STARTTLS (en principe) et non du TLS direct : s_client envoie un ClientHello là où slapd attend d'abord une requête LDAP en clair (l'opération étendue StartTLS). Pour tester ce port, utiliser ldapsearch -ZZ ; le TLS direct (ldaps) se teste sur le port 636.

      • [^] # Re: As-tu bien fait la conf ?

        Posté par (page perso) . Évalué à 1.

        Merci de vos réponses, je vais répondre aux deux directement :
        @Jean-Yves : Je n'utilise pas de slapd.conf (hormis celui dans /etc/default/) dont le contenu est déjà posté dans mon 1er post.

        @Bernez : Concernant le port, c'est une erreur de ma part, j'ai bien effectué le test sur le port 636, et j’obtiens le même résultat : (note : le STARTTLS sur le port 389 semble fonctionner correctement)

        root@DB:/etc/ldap# openssl s_client -connect db.m0le.net:636 -state -showcerts -CAfile /etc/ldap/cacert.pem
        CONNECTED(00000003)
        SSL_connect:before/connect initialization
        SSL_connect:unknown state
        140639336564392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
        ---
        no peer certificate available
        ---
        No client certificate CA names sent
        ---
        SSL handshake has read 0 bytes and written 308 bytes
        ---
        New, (NONE), Cipher is (NONE)
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        ---

        Concernant la modification pour le ssl, j'avais utilisé ton propre ldif (venant d'ici : http://linuxfr.org/forums/linux-debian-ubuntu/posts/besoin-d-aide-debian-squeeze-open-ldap-et-ssl )
        dont voici les deux appliqués :

        root@DB:/etc/ldap# cat ssl.ldif
        dn: olcDatabase={1}hdb,cn=config
        changetype: modify
        add: olcSecurity
        olcSecurity: tls=1
        root@DB:/etc/ldap# cat olcSSL.ldif
        dn: cn=config
        add: olcTLSCACertificateFile
        olcTLSCACertificateFile: /etc/ldap/cacert.pem
        -
        add: olcTLSCertificateKeyFile
        olcTLSCertificateKeyFile: /etc/ldap/db_key.pem
        -
        add: olcTLSCertificateFile
        olcTLSCertificateFile: /etc/ldap/db_crt.pem

        Et effectivement, le certtool était/semble nécessaire, un ldd $(which slapd) m'indique bien du gnutls.

        Mais, pas d'amélioration :(

Note : j'ai essayé d'enlever « olcSSL.ldif » (en remplaçant les « add » par des « remove » — le mot-clé LDIF correct est en fait « delete »), et là, au moins, je peux lancer mon daemon slapd correctement (pas d'erreur : main: TLS init def ctx failed: -1). Ce message indique que slapd n'a pas pu charger le couple clé/certificat configuré — ici vraisemblablement parce que db_crt.pem est vide et que db_key.pem (0600 root:root) n'est pas lisible par l'utilisateur openldap — et non que la configuration olc elle-même est fausse.

        • [^] # Re: As-tu bien fait la conf ?

          Posté par (page perso) . Évalué à 1.

          Hum, on recommence, j'avais fait de la merde sur les droits de lecture de mon certificat ..

          L'erreur :

          root@DB:/etc/ldap# ldapsearch -ZZ
          ldap_start_tls: Connect error (-11)
                  additional info: A TLS packet with unexpected length was received.

          le ldapsearch "normal" fonctionne :

          root@DB:/etc/ldap# ldapsearch
          SASL/EXTERNAL authentication started
          SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
          SASL SSF: 0
          # extended LDIF
          #
          # LDAPv3
          # base <> (default) with scope subtree
          # filter: (objectclass=*)
          # requesting: ALL
          #
          
          # search result
          search: 2
          result: 32 No such object
          
          # numResponses: 1

Le retour d'openssl (qui n'est plus utile, suite au certtool, si j'ai bien compris ?!). Il reste instructif : le serveur envoie maintenant son certificat (auto-signé : subject = issuer, vérifié avec cacert.pem) et le handshake n'échoue qu'après le Finished du client, alors qu'auparavant 0 octet était lu — le chargement de la clé et du certificat fonctionne donc désormais.

          root@DB:/etc/ldap# openssl s_client -connect db.m0le.net:636 -state -showcerts -CAfile /etc/ldap/cacert.pem                                                                                                                          [39/1905]
          CONNECTED(00000003)
          SSL_connect:before/connect initialization
          SSL_connect:unknown state
          SSL_connect:SSLv3 read server hello A
          depth=0 C = FR, ST = Some-State, O = Internet Widgits Pty Ltd, CN = db.m0le.net, emailAddress = root@m0le.net
          verify return:1
          SSL_connect:SSLv3 read server certificate A
          SSL_connect:SSLv3 read server done A
          SSL_connect:SSLv3 write client key exchange A
          SSL_connect:SSLv3 write change cipher spec A
          SSL_connect:SSLv3 write finished A
          SSL_connect:SSLv3 flush data
          SSL_connect:failed in SSLv3 read finished A
          140293130380968:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
          ---
          Certificate chain
           0 s:/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net
             i:/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net
          -----BEGIN CERTIFICATE-----
          MIIDxTCCAq2gAwIBAgIJAIcFtqHXlSAbMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
          [...]
          E/8TpVehfOI8wC3lyQ8qCQWipzAQDy5wLx9nhaBTVDNybsmTKYiNKg7rPIZH2TGu
          2qsVRp0pJ5S7
          -----END CERTIFICATE-----
          ---
          Server certificate
          subject=/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net
          issuer=/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 1079 bytes and written 358 bytes
          ---
          New, TLSv1/SSLv3, Cipher is AES256-SHA256
          Server public key is 2048 bit
          Secure Renegotiation IS supported
          Compression: NONE
          Expansion: NONE
          SSL-Session:
              Protocol  : TLSv1.2
              Cipher    : AES256-SHA256
              Session-ID: D93xxx14E5DC66D8F
              Session-ID-ctx:
              Master-Key: 93Cxxx65E6583473
              Key-Arg   : None
              PSK identity: None
              PSK identity hint: None
              SRP username: None
              Start Time: 1410505118
              Timeout   : 300 (sec)
              Verify return code: 0 (ok)
          ---

          Enfin l'erreur avec gnutls-cli :

          root@DB:/etc/ldap# gnutls-cli --x509cafile /etc/ldap/cacert.pem --x509keyfile /etc/ldap/db_key.pem --x509certfile /etc/ldap/db_crt.pem -d 5 -p 636 db.m0le.net                                                                       [61/1997]
          Processed 1 CA certificate(s).
          Processed 1 client certificates...
          Processed 1 client X.509 certificates...
          Resolving 'db.m0le.net'...
          Connecting to '10.0.0.4:636'...
          |<4>| REC[0x1816d00]: Allocating epoch #0
          |<2>| ASSERT: gnutls_constate.c:695
          |<4>| REC[0x1816d00]: Allocating epoch #1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
          |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_ARCFOUR_MD5
          |<2>| EXT[0x1816d00]: Sending extension SERVER NAME (16 bytes)
          |<2>| EXT[0x1816d00]: Sending extension SAFE RENEGOTIATION (1 bytes)
          |<2>| EXT[0x1816d00]: Sending extension SESSION TICKET (0 bytes)
          |<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
          |<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
          |<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
          |<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
          |<2>| EXT[0x1816d00]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
          |<3>| HSK[0x1816d00]: CLIENT HELLO was sent [136 bytes]
          |<4>| REC[0x1816d00]: Sending Packet[0] Handshake(22) with length: 136
          |<4>| REC[0x1816d00]: Sent Packet[1] Handshake(22) with length: 141
          |<4>| REC[0x1816d00]: Expected Packet[0] Handshake(22) with length: 1
          |<4>| REC[0x1816d00]: Received Packet[0] Handshake(22) with length: 81
          |<4>| REC[0x1816d00]: Decrypted Packet[0] Handshake(22) with length: 81
          |<3>| HSK[0x1816d00]: SERVER HELLO was received [81 bytes]
          |<3>| HSK[0x1816d00]: Server's version: 3.3
          |<3>| HSK[0x1816d00]: SessionID length: 32
          |<3>| HSK[0x1816d00]: SessionID: d2817e9768ce745d8ddcf4b02bd9e34ad4463c0a33448c254613d09cb3e4e446
          |<3>| HSK[0x1816d00]: Selected cipher suite: RSA_AES_128_CBC_SHA1
          |<2>| EXT[0x1816d00]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
          |<3>| HSK[0x1816d00]: Safe renegotiation succeeded
          |<4>| REC[0x1816d00]: Expected Packet[1] Handshake(22) with length: 1
          |<4>| REC[0x1816d00]: Received Packet[1] Handshake(22) with length: 979
          |<4>| REC[0x1816d00]: Decrypted Packet[1] Handshake(22) with length: 979
          |<3>| HSK[0x1816d00]: CERTIFICATE was received [979 bytes]
          |<2>| ASSERT: ext_signature.c:393
          |<4>| REC[0x1816d00]: Expected Packet[2] Handshake(22) with length: 1
          |<4>| REC[0x1816d00]: Received Packet[2] Handshake(22) with length: 4
          |<4>| REC[0x1816d00]: Decrypted Packet[2] Handshake(22) with length: 4
          |<3>| HSK[0x1816d00]: SERVER HELLO DONE was received [4 bytes]
          |<2>| ASSERT: gnutls_handshake.c:1369
          |<3>| HSK[0x1816d00]: CLIENT KEY EXCHANGE was sent [262 bytes]
          |<4>| REC[0x1816d00]: Sending Packet[1] Handshake(22) with length: 262
          |<4>| REC[0x1816d00]: Sent Packet[2] Handshake(22) with length: 267
          |<3>| REC[0x1816d00]: Sent ChangeCipherSpec
          |<4>| REC[0x1816d00]: Sending Packet[2] Change Cipher Spec(20) with length: 1
          |<4>| REC[0x1816d00]: Sent Packet[3] Change Cipher Spec(20) with length: 6
          |<4>| REC[0x1816d00]: Initializing epoch #1
          |<4>| REC[0x1816d00]: Epoch #1 ready
          |<3>| HSK[0x1816d00]: Cipher Suite: RSA_AES_128_CBC_SHA1
          |<3>| HSK[0x1816d00]: Initializing internal [write] cipher sessions
          |<4>| REC[0x1816d00]: Start of epoch cleanup
          |<4>| REC[0x1816d00]: End of epoch cleanup
          |<3>| HSK[0x1816d00]: recording tls-unique CB (send)
          |<3>| HSK[0x1816d00]: FINISHED was sent [16 bytes]
          |<4>| REC[0x1816d00]: Sending Packet[0] Handshake(22) with length: 16
          |<4>| REC[0x1816d00]: Sent Packet[1] Handshake(22) with length: 85
          |<2>| ASSERT: gnutls_buffers.c:640
          |<2>| ASSERT: gnutls_record.c:969
          |<2>| ASSERT: gnutls_handshake.c:2933
          |<2>| ASSERT: gnutls_handshake.c:3139
          *** Fatal error: A TLS packet with unexpected length was received.
          |<4>| REC: Sending Alert[2|22] - Record overflow
          |<4>| REC[0x1816d00]: Sending Packet[1] Alert(21) with length: 2
          |<4>| REC[0x1816d00]: Sent Packet[2] Alert(21) with length: 229
          *** Handshake has failed
          GnuTLS error: A TLS packet with unexpected length was received.
          |<4>| REC[0x1816d00]: Epoch #0 freed
          |<4>| REC[0x1816d00]: Epoch #1 freed
  • # Piste suggérée précédemment...

    Posté par (page perso) . Évalué à 2.

As-tu bien fait l'étape certtool ? Parce que ton message « A TLS packet with unexpected length was received » fait quand même bien penser aux problèmes potentiels suggérés sur cette page :

    https://wiki.debian.org/LDAP/OpenLDAPSetup

    JY

    • [^] # Re: Piste suggérée précédemment...

      Posté par (page perso) . Évalué à 1.

      Effectivement, je n'avais pas vu passer ces lignes ?!
J'ai donc recréé le certificat, modifié ma base comme demandé, et je me retrouve avec un beau :

Note (relecture) : cette fois l'erreur ne vient plus de ldap_start_tls mais de ldap_sasl_interactive_bind_s : le StartTLS passe, c'est la négociation SASL qui échoue (« no mechanism available »). Sans certificat client, SASL/EXTERNAL n'a rien à présenter sur une connexion TLS ; pour valider TLS seul, tester d'abord avec un bind simple, par exemple ldapsearch -x -ZZ -H ldap://db.m0le.net -b "" -s base. Deux remarques sur la configuration affichée plus bas : olcTLSCertificateKeyFile pointe sur ca-key.pem — si ce fichier est bien la clé de la CA, elle sert directement de clé serveur et une compromission de slapd compromet la CA ; il vaut mieux générer un couple clé/certificat serveur signé par la CA et garder ca-key.pem hors du serveur. Et olcTLSVerifyClient: never signifie qu'aucun certificat client n'est demandé (donc pas d'authentification SASL/EXTERNAL par certificat), ce qui est acceptable si seule l'authentification du serveur est voulue. Une fois le tout fonctionnel, penser aussi à restreindre les suites de chiffrement via olcTLSCipherSuite : la trace gnutls-cli plus haut montre des suites RC4/MD5 proposées et une suite RSA sans confidentialité persistante retenue par le serveur.

      root@DB:/etc/ldap/slapd.d# ldapsearch -ZZ
      SASL/EXTERNAL authentication started
      ldap_sasl_interactive_bind_s: Authentication method not supported (7)
              additional info: SASL(-4): no mechanism available:
      root@DB:/etc/ldap# l
      total 40K
      -rw-r--r-- 1 root     root     1.4K Sep 12 16:08 ca-cert.pem
      -rw------- 1 openldap root     2.0K Sep 12 16:07 ca-key.pem
      -rw-r--r-- 1 root     root      183 Sep  4 15:49 init.ldif
      -rw-r--r-- 1 root     root      178 Sep  4 16:14 olcAccess.ldif
      -rw-r--r-- 1 root     root      463 Sep  4 16:12 olcDbIndex.ldif
      -rw-r--r-- 1 root     root      241 Sep 11 16:39 olcSSL.ldif
      -rw-r--r-- 1 root     root      283 Sep 13 18:47 olcSSL_gnu.ldif
      drwxr-xr-x 2 root     root     4.0K Apr 23  2013 sasl2
      drwxr-xr-x 2 root     root     4.0K Sep  4 15:27 schema
      drwxr-xr-x 3 openldap openldap 4.0K Sep 13 18:52 slapd.d
      root@DB:/etc/ldap# grep -r "TLS" slapd.d/*
      slapd.d/cn=config.ldif:olcTLSCertificateKeyFile: /etc/ldap/ca-key.pem
      slapd.d/cn=config.ldif:olcTLSCertificateFile: /etc/ldap/ca-cert.pem
      slapd.d/cn=config.ldif:olcTLSVerifyClient: never
  • # Distro ?

    Posté par (page perso) . Évalué à 1.

    Quelle est la distribution Linux utilisée et la version ?

    • [^] # Re: Distro ?

      Posté par (page perso) . Évalué à 1.

      root@DB:/etc/ldap# cat /proc/version
      Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.60-1+deb7u3
      
      root@DB:/etc/ldap# uname -a
      Linux DB 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
      
      root@DB:/etc/ldap# cat /etc/debian_version
      7.6
  • # Je ne sais pas si ça aide ...

    Posté par (page perso) . Évalué à 1.

    root@DB:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: NTLM
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: LOGIN
    supportedSASLMechanisms: PLAIN
