openLDAP ssl/tls Centos 6.3

Katerina Bubenickova katerina.bubenickova na plbohnice.cz
Pátek Březen 14 14:07:11 CET 2014


Tady je část a konec výpisu gdb při krokování



ber_strdup_x (s=0x7fac42f9c430
"/etc/openldap/certs/ldap-server-cert.pem", ctx=<value optimized out>)
at ../../../libraries/liblber/memory.c:646
646	}

---

TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/ldap-server-cert.pem -
Tohle mám teď v ldap.conf; je to jeden z pokusů ověřit, zda klient
nepotřebuje TLS_CACERT. Výsledek je ale v obou případech stejný.

Při odkomentování TLS_CACERT ale přibude řádek

# ldapsearch -x -d 1 -ZZ -H ldaps://test-LDAP.bohnice.cz
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: loaded CA certificate
file /etc/openldap/certs/ldap-server-cert.pem.                  <==tady
TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory
TLS: error: connect - force handshake failure: errno 21 - moznss error
-5938
TLS: can't connect: TLS error -5938:Encountered end of file.
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
	additional info: TLS error -5938:Encountered end of file

------
(gdb) next
[New Thread 0x7fac237fe700 (LWP 12973)]
1804				if (initctx != NULL) {
Missing separate debuginfos, use: debuginfo-install
sqlite-3.6.20-1.el6.x86_64
----
alloc_handle (ctx_arg=<value optimized out>, is_server=<value optimized
out>) at tls2.c:297
297		if ( ssl == NULL ) {
(gdb) 
296		ssl = tls_imp->ti_session_new( ctx, is_server );
(gdb) 
297		if ( ssl == NULL ) {
(gdb) 
298			Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl
handle.\n",0,0,0);
(gdb) 
302	}
(gdb) 
ldap_pvt_tls_accept (sb=0x7fac1c0008c0, ctx_arg=0x0) at tls2.c:423
423			if ( ssl == NULL ) return -1;
(gdb) echo ssl
ssl(gdb) 
ssl(gdb) 
ssl(gdb) next
459	}
(gdb) 
connection_read (ctx=0x7fac23ffeb70, argv=0xe)
at ../../../servers/slapd/connection.c:1327
1327			if ( rc < 0 ) {                
(gdb) 
1326			rc = ldap_pvt_tls_accept( c->c_sb, slap_tls_ctx
);
(gdb) 
1327			if ( rc < 0 ) {
(gdb) 
1328				Debug( LDAP_DEBUG_TRACE,
(gdb) 
1335				connection_closing( c, "TLS negotiation
failure" );
(gdb) 
1333				c->c_needs_tls_accept = 0;
(gdb) 
1335				connection_closing( c, "TLS negotiation
failure" );
(gdb) 
1336				connection_close( c );
(gdb) 
1337				connection_return( c );
(gdb) 
connection_read_thread (ctx=0x7fac23ffeb70, argv=<value optimized out>)
at ../../../servers/slapd/connection.c:1247
1247			rc = (long)cri.func( ctx, cri.arg );
(gdb) print PR_GetError()
$7 = -12285
(gdb) print rc
$8 = <value optimized out>
(gdb) 


----
Dopadlo to, jak jsem čekala, tj. nejsem z toho moudrá.
Zkoušela jsem to krokovat několikrát; následuje místo, kde už je jasné,
že došlo k problému se spojením.
 



(gdb) 
connection_read (ctx=0x7fac237fdb70, argv=0xe) at
../../../servers/slapd/connection.c:1327
1327			if ( rc < 0 ) {
(gdb) print rc
$38 = 0
(gdb) nexti
1326			rc = ldap_pvt_tls_accept( c->c_sb, slap_tls_ctx
);
(gdb) print rc
$39 = 0
(gdb) nexti
1327			if ( rc < 0 ) {
(gdb) print rc
$40 = -1
(gdb) print PR_GetError()
$41 = -5925


a ještě jednou podrobněji


> connection_read (ctx=0x7fac237fdb70, argv=0xe) at
../../../servers/slapd/connection.c:1327
> 1327			if ( rc < 0 ) {
> (gdb) print rc
> $48 = 0
> (gdb) list
> 1322			s, c->c_connid, 0 );
> 1323	
> 1324	#ifdef HAVE_TLS
> 1325		if ( c->c_is_tls && c->c_needs_tls_accept ) {
> 1326			rc = ldap_pvt_tls_accept( c->c_sb, slap_tls_ctx
);
> 1327			if ( rc < 0 ) {
> 1328				Debug( LDAP_DEBUG_TRACE,
> 1329					"connection_read(%d): TLS accept
failure "
> 1330					"error=%d id=%lu, closing\n",
> 1331					s, rc, c->c_connid );
> (gdb) print rc
> $49 = 0
> (gdb) nexti
> 1326			rc = ldap_pvt_tls_accept( c->c_sb, slap_tls_ctx
);
> (gdb) print rc
> $50 = 0
> (gdb) print slap_tls_ctx
> $51 = (void *) 0x0
> (gdb) print c
> $52 = (Connection *) 0x7fac4309be60
> (gdb) nexti
> 1327			if ( rc < 0 ) {
> (gdb) print rc
> $53 = -1
> (gdb) print ldap_pvt_tls_accept( c->c_sb, slap_tls_ctx )
> 
> Breakpoint 1, ldap_pvt_tls_accept (sb=0x7fac140008f0, ctx_arg=0x0) at
tls2.c:415
> 415	{
> The program being debugged stopped while in a function called from
GDB.
> Evaluation of the expression containing the function
> (ldap_pvt_tls_accept) will be abandoned.
> When the function is done executing, GDB will silently stop.
> (gdb) print PR_GetError()
> $54 = -5925


Zdá se, že při prvním pokusu o ldapsearch je
PR_GetError() = -12285,
při opakovaném ldapsearch je pak
PR_GetError() = -5925.

Děkuju,
K.


