No client certificate CA names sent

[Yatta]-2
I've been struggling with this for some time.... please point me in
the right direction.

I'm trying to add SSL to my LDAP. I've created the certs and signed them.
I run ldapsearch with -Z and -ZZ and I get a response.
When I run slapd in debug mode:
/usr/sbin/slapd -h 'ldap://minime.enigmatic.lan/
ldaps://minime.enigmatic.lan/' -d 65535 or even
/usr/sbin/slapd -h 'ldap:/// ldaps:///' -d 65535
I see...
----snip----
LS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=0
----snip-----

Why is that???

I also run:
 openssl s_client -connect 192.168.1.5:636 -state -CAfile
/etc/ldap/tls/cacert.pem -cert /etc/ldap/tls/servercert.pem  -key
/etc/ldap/tls/serverkey.pem

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
verify return:1
depth=0 /C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
   i:/C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
---
Server certificate
---snip ------
subject=/C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
issuer=/C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
---
No client certificate CA names sent
---
SSL handshake has read 1172 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
------snip --------
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


Shouldn't I see something like:

Acceptable client certificate CA names

instead of

No client certificate CA names sent

when I run that particular command???


Once again ANY help will be greatly appreciated....
For some reason I think it may be something fundamental that I'm missing.
TIA


--
The limits you are living with right now, in every aspect of your
existence, have been created by your mind. They are perceptions.
And they are holding you back.
You are capable of far more than you think you are.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: No client certificate CA names sent

Victor Duchovni
On Fri, Jun 09, 2006 at 07:18:30AM -0500, [Yatta] wrote:

> ----snip----
> LS trace: SSL_accept:SSLv3 flush data
> connection_read(12): unable to get TLS client DN, error=49 id=0
> ----snip-----
>
> Why is that???
>
> ---
> No client certificate CA names sent

The server is not asking for client certificates. You need to
configure it to do that and give it a non-empty CAfile.

> Shouldn't i see something like:
>
> Acceptable client certificate CA names
>
> instead of
>
> No client certificate CA names sent
>
> when i run that particular command???

Only when the server is configured to ask for client certs and has
a non-empty CAfile.

--
        Viktor.

Re: No client certificate CA names sent

Marek.Marcola
In reply to this post by [Yatta]-2
Hello,

>  i see...
> ----snip----
> LS trace: SSL_accept:SSLv3 flush data
> connection_read(12): unable to get TLS client DN, error=49 id=0
> ----snip-----
Can you send ~20 lines before the first -snip-?

Best regards,
--
Marek Marcola <[hidden email]>


Re: No client certificate CA names sent

[Yatta]-2
Here is the stuff prior to the snip.....

 openssl s_client -connect 192.168.1.5:636 -state -CAfile
/etc/ldap/tls/cacert.pem -cert /etc/ldap/tls/servercert.pem  -key
/etc/ldap/tls/serverkey.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
verify return:1
depth=0 /C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
---
Certificate chain
 0 s:/C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
   i:/C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
---
Server certificate
-----BEGIN CERTIFICATE-----
------snip-------- (don't think you really need that/this)
-----END CERTIFICATE-----
subject=/C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
issuer=/C=JM/ST=Kingston/L=Jamaica/O=Enigmatic Ltd/OU=Mi
Yard/CN=minime.enigmatic.lan/emailAddress=[hidden email]
---
No client certificate CA names sent
---
SSL handshake has read 1172 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: ************ (omitted)
    Session-ID-ctx:
    Master-Key: ************ (omitted)
    Key-Arg   : None
    Start Time: 1149891444
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

There goes everything

Re: No client certificate CA names sent

Kenyatta Senior
In reply to this post by Victor Duchovni
On 6/9/06, Victor Duchovni <[hidden email]> wrote:

> On Fri, Jun 09, 2006 at 07:18:30AM -0500, [Yatta] wrote:
>
> > ----snip----
> > LS trace: SSL_accept:SSLv3 flush data
> > connection_read(12): unable to get TLS client DN, error=49 id=0
> > ----snip-----
> >
> > Why is that???
> >
> > ---
> > No client certificate CA names sent
>
> The server is not asking for client certificates. You need to
> configure it to do that and give it a non-empty CAfile.
>
> > Shouldn't i see something like:
> >
> > Acceptable client certificate CA names
> >
> > instead of
> >
> > No client certificate CA names sent
> >
> > when i run that particular command???
>
> Only when the server is configured to ask for client certs and has
> a non-empty CAfile.
>
> --
>         Viktor.
>


Victor:
Please bear with my ignorance, BUT I thought placing
TLSCACertificateFile    /etc/ldap/tls/cacert.pem
TLSCertificateFile      /etc/ldap/tls/servercert.pem
TLSCertificateKeyFile   /etc/ldap/tls/serverkey.pem
TLSVerifyClient         demand

in my slapd.conf, and this in my ldap.conf
TLS_CACERT      /etc/ssl/certs/cacert.pem
TLS_REQCERT     demand

would send a client certificate.
Well, if that isn't the way, how can I send it? Even if you don't feel
like giving me the 'fish', can you please point me in the right
direction??

TIA

Re: No client certificate CA names sent

Marek.Marcola
In reply to this post by [Yatta]-2
Hello,

> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
..
..
> ---
> No client certificate CA names sent
> ---
This message means that the server did not send the client the DNs of
acceptable CAs (for client authentication).
These DN names are sent in the certificate_request handshake packet
from the server, but as you see the server did not send this packet
(this means that the server is not requesting client authentication).
All this looks OK and this message is informational.

And one more piece of information: even when the server sends certificate_request,
this packet may have no CA DNs; they are optional and only there to help
the client choose the proper certificate.
So you may see this message when the server is requesting client
authentication, and this is not an error.

Best regards,
--
Marek Marcola <[hidden email]>

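The certificate_request message Marek describes, as an added example that is not part of this thread and not OpenSSL or OpenLDAP code: it builds and parses a TLS CertificateRequest handshake message so you can see where the "acceptable client certificate CA names" are carried and what an empty list (the "No client certificate CA names sent" case) looks like on the wire. The sample CA subject is constructed from the DN shown in the s_client output above, without the hidden emailAddress component; the attribute OID table, the sha256/rsa signature algorithm used for the TLS 1.2 variant, and the wording in `describe` are assumptions.

```python
"""Added example (not from this thread, OpenSSL or OpenLDAP): encode and decode a
TLS CertificateRequest to show where the acceptable CA DNs live (RFC 2246/5246)."""
import struct

HS_CERTIFICATE_REQUEST = 13   # HandshakeType certificate_request
RSA_SIGN = 1                  # ClientCertificateType rsa_sign

# Subset of X.520 attribute OIDs with OpenSSL short names (assumed subset).
OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
        "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
SHORT_NAMES = {v: k for k, v in OIDS.items()}

# Constructed sample CA subject: the DN from the s_client output minus the hidden email.
ENIGMATIC_CA = [("C", "JM"), ("ST", "Kingston"), ("L", "Jamaica"),
                ("O", "Enigmatic Ltd"), ("OU", "Mi Yard"),
                ("CN", "minime.enigmatic.lan")]


# --- minimal DER helpers, enough for an X.501 Name --------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def encode_name(rdns):
    """[(short attr, value)] -> DER Name: SEQUENCE of SET of SEQUENCE{OID, UTF8String}."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, encode_oid(OIDS[a]) + der(0x0C, v.encode())))
        for a, v in rdns))

def decode_name(blob):
    """DER Name -> OpenSSL-style '/C=JM/ST=...' string."""
    tag, seq, _ = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = read_tlv(seq, pos)
        _, atv, _ = read_tlv(rdn_set, 0)
        _, oid, after_oid = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, after_oid)
        o = decode_oid(oid)
        parts.append(f"{SHORT_NAMES.get(o, o)}={value.decode()}")
    return "/" + "/".join(parts)


# --- the CertificateRequest handshake message ------------------------------
def build_certificate_request(ca_names, tls12=False):
    """ca_names: list of DER Names. TLS 1.0/1.1 require at least one name;
    TLS 1.2 allows an empty certificate_authorities vector."""
    body = bytes([1, RSA_SIGN])                      # certificate_types<1..2^8-1>
    if tls12:
        sigalgs = bytes([0x04, 0x01])                # sha256/rsa (TLS 1.2 only)
        body += struct.pack("!H", len(sigalgs)) + sigalgs
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body += struct.pack("!H", len(cas)) + cas        # certificate_authorities<0..2^16-1>
    return bytes([HS_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg, tls12=False):
    """Return the CA DN strings the server advertised; [] when it sent none.
    The caller knows from the negotiated version whether sigalgs are present."""
    if msg[0] != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 1 + body[0]                                # skip certificate_types
    if tls12:
        n, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + n                                 # skip supported_signature_algorithms
    n, = struct.unpack("!H", body[pos:pos + 2])
    pos, end, names = pos + 2, pos + 2 + n, []
    while pos < end:
        ln, = struct.unpack("!H", body[pos:pos + 2])
        names.append(decode_name(body[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    return names

def describe(ca_names):
    """Summarise the way s_client does (exact wording is an assumption)."""
    if not ca_names:
        return "No client certificate CA names sent"
    return "Acceptable client certificate CA names\n" + "\n".join(ca_names)

if __name__ == "__main__":
    for names, v12 in (([encode_name(ENIGMATIC_CA)], False), ([], True)):
        print(describe(parse_certificate_request(build_certificate_request(names, v12), v12)))
```

Note that a server that wants client certificates but has an empty CA list (TLS 1.2) still sends this message; s_client then still prints "No client certificate CA names sent" while asking for a certificate, which is the second situation Marek describes. The slapd log in this thread, by contrast, shows the message was never sent at all.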

Re: No client certificate CA names sent

Kenyatta Senior
On 6/9/06, Marek Marcola <[hidden email]> wrote:

> Hello,
>
> > SSL_connect:before/connect initialization
> > SSL_connect:SSLv2/v3 write client hello A
> > SSL_connect:SSLv3 read server hello A
> > SSL_connect:SSLv3 read server certificate A
> > SSL_connect:SSLv3 read server done A
> > SSL_connect:SSLv3 write client key exchange A
> ..
> ..
> > ---
> > No client certificate CA names sent
> > ---
> This message means that server did not sent to client DN's of
> acceptable CA's (for client authentication).
> This DN names are sent in certificate_request handshake packet
> from server but as you see server did not sent this packet
> (this means that server is not requesting client authentication)
> All this looks ok and this message is informational.
>
> And one more information, even when server sends certificate_request,
> this packet may have no CA DN's - they are optional and only to help
> client to choice proper certificate.
> So you may see this message when server is requesting client
> authentication and this is not error.
>
> Best regards,
> --
> Marek Marcola <[hidden email]>
>

I thought it had something to do with THIS error message
connection_read(11): unable to get TLS client DN, error=49 id=0

What would be the cause of this then?

Re: No client certificate CA names sent

Kenyatta Senior
Marek,
Thanks for your help....
Like I was saying earlier, I keep seeing that error message
connection_read(11): unable to get TLS client DN, error=49 id=0

and when I look at the debug info none of my information is being encrypted....
Sorry if I seem dumb in this whole process; I want to get a better
understanding of what is going on.

On 6/9/06, Kenyatta Senior <[hidden email]> wrote:

> On 6/9/06, Marek Marcola <[hidden email]> wrote:
> > Hello,
> >
> > > SSL_connect:before/connect initialization
> > > SSL_connect:SSLv2/v3 write client hello A
> > > SSL_connect:SSLv3 read server hello A
> > > SSL_connect:SSLv3 read server certificate A
> > > SSL_connect:SSLv3 read server done A
> > > SSL_connect:SSLv3 write client key exchange A
> > ..
> > ..
> > > ---
> > > No client certificate CA names sent
> > > ---
> > This message means that server did not sent to client DN's of
> > acceptable CA's (for client authentication).
> > This DN names are sent in certificate_request handshake packet
> > from server but as you see server did not sent this packet
> > (this means that server is not requesting client authentication)
> > All this looks ok and this message is informational.
> >
> > And one more information, even when server sends certificate_request,
> > this packet may have no CA DN's - they are optional and only to help
> > client to choice proper certificate.
> > So you may see this message when server is requesting client
> > authentication and this is not error.
> >
> > Best regards,
> > --
> > Marek Marcola <[hidden email]>
> >
>
> I thought it had soemthign to do with THIS error message
> connection_read(11): unable to get TLS client DN, error=49 id=0
>
> What would be the casue of this then?
>

Re: No client certificate CA names sent

[Yatta]-2
I got it... I understand what is going on.... I guess my head was
gathering water, which is why I never noticed it before.
Thanks Marek

On 6/9/06, Kenyatta Senior <[hidden email]> wrote:

> Marek,
> Thanks for ur help....
> Like i was saying earlier I keep seeing that error message
> connection_read(11): unable to get TLS client DN, error=49 id=0
>
> and when i look at teh debug info none of my information is being encrypted....
> Sorry if i seem dumb in this whole process, want to get a better
> understanding of what is going on.
>
> On 6/9/06, Kenyatta Senior <[hidden email]> wrote:
> > On 6/9/06, Marek Marcola <[hidden email]> wrote:
> > > Hello,
> > >
> > > > SSL_connect:before/connect initialization
> > > > SSL_connect:SSLv2/v3 write client hello A
> > > > SSL_connect:SSLv3 read server hello A
> > > > SSL_connect:SSLv3 read server certificate A
> > > > SSL_connect:SSLv3 read server done A
> > > > SSL_connect:SSLv3 write client key exchange A
> > > ..
> > > ..
> > > > ---
> > > > No client certificate CA names sent
> > > > ---
> > > This message means that server did not sent to client DN's of
> > > acceptable CA's (for client authentication).
> > > This DN names are sent in certificate_request handshake packet
> > > from server but as you see server did not sent this packet
> > > (this means that server is not requesting client authentication)
> > > All this looks ok and this message is informational.
> > >
> > > And one more information, even when server sends certificate_request,
> > > this packet may have no CA DN's - they are optional and only to help
> > > client to choice proper certificate.
> > > So you may see this message when server is requesting client
> > > authentication and this is not error.
> > >
> > > Best regards,
> > > --
> > > Marek Marcola <[hidden email]>
> > >
> >
> > I thought it had soemthign to do with THIS error message
> > connection_read(11): unable to get TLS client DN, error=49 id=0
> >
> > What would be the casue of this then?
> >
>


--
The limits you are living with right now, in every aspect of your
existence, have been created by your mind. They are perceptions.
And they are holding you back.
You are capable of far more than you think you are.

Re: No client certificate CA names sent

Marek.Marcola
In reply to this post by Kenyatta Senior
Hello,

> Like i was saying earlier I keep seeing that error message
> connection_read(11): unable to get TLS client DN, error=49 id=0
After looking in the OpenLDAP code, it seems that the server tries to get
the certificate DN name from the client SSL object.
Of course the client did not supply this certificate (because the server
did not request client authentication).
This error is printed at DEBUG_TRACE level, so if the LDAP operation
works well this may be interpreted as informational.
Such a message may help if, for example, you request TLS authentication
from the client; then it may point to "incompatible"
client/server CAs.

Best regards,
--
Marek Marcola <[hidden email]>


Re: No client certificate CA names sent

Victor Duchovni
In reply to this post by Kenyatta Senior
On Fri, Jun 09, 2006 at 05:25:59PM -0500, Kenyatta Senior wrote:

> >> No client certificate CA names sent
> >
> >The server is not asking for client certificates. You need to
> >configure it to do that and give it a non-empty CAfile.
> >
> >> Shouldn't i see something like:
> >>
> >> Acceptable client certificate CA names
> >>
> >> instead of
> >>
> >> No client certificate CA names sent
> >>
> >> when i run that particular command???
> >
> >Only when the server is configured to ask for client certs and has
> >a non-empty CAfile.
>
> Victor :
> please bear with my ignorace BUT  I thouht placing
> TLSCACertificateFile    /etc/ldap/tls/cacert.pem
> TLSCertificateFile      /etc/ldap/tls/servercert.pem
> TLSCertificateKeyFile   /etc/ldap/tls/serverkey.pem
> TLSVerifyClient         demand
>
> This in my slapd.conf and in my ldap.conf
> TLS_CACERT      /etc/ssl/certs/cacert.pem
> TLS_REQCERT     demand
>
> Would send a Client Certificate.

Who reads "ldap.conf", the server or the client? Check that "demand" is
an appropriate setting for "TLSVerifyClient" (yes/no makes more sense).
I know nothing about OpenLDAP with TLS, questions about how to configure
OpenLDAP belong on an LDAP list.

Clearly your current configuration does not result in the server requesting
client certificates. Until the server requests client certificates,
the client won't send any.

> Wel l if that isn't the way how can i send it? Even if u don't feel
> liek giving me the 'fish' can u please point me in the right
> direction??

This is the openssl-users list. We have identified the SSL issue (the server
does not ask for certificates); now you have an LDAP server configuration issue,
and this is not the right forum for that.

--
        Viktor.