openldap 2.4: olcTLSVerifyClient demand

2

I am running OpenLDAP 2.4.41 and trying to get TLS client certificate verification working. I configured TLS on the server side as follows.

olcTLSCACertificateFile: /etc/pki/trust/anchors/rootCA.pem
olcTLSCertificateKeyFile: /etc/openldap/openldap.key
olcTLSCertificateFile: /etc/openldap/openldap.crt

The TLS connection works fine when olcTLSVerifyClient is set to try.

My client ldap.conf is as follows (for testing simplicity, I use the same certificate for the server and for the client):

TLS_CACERT /etc/pki/trust/anchors/rootCA.pem
TLS_CACERTDIR /var/lib/ca-certificates/pem/
TLS_CERT /etc/openldap/openldap.crt
TLS_KEY /etc/openldap/openldap.key

Now I am setting olcTLSVerifyClient: demand.

> ldapsearch -d 1 -H ldaps:/// -v -x -D 'mydn' -w mysecret -b 'cn=log' -s base
ldap_url_parse_ext(ldaps:///)
ldap_initialize( ldaps://:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: [SKIPPED]
TLS certificate verification: depth: 0, err: 0, subject: [SKIPPED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read server session ticket A
TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

In the server logs I see the following:

slap_listener_activate(8):
>>> slap_listener(ldaps:///)
connection_get(11): got connid=1021
connection_read(11): checking for input on id=1021
connection_get(11): got connid=1021
connection_read(11): checking for input on id=1021
connection_read(11): TLS accept failure error=-1 id=1021, closing
connection_close: conn=1021 sd=11

How could I debug why client certificate verification does not work?

upd: When I use openssl s_server, there is a kind of contradiction.

# openssl s_server -accept 636 -cert /etc/openldap/openldap.crt -key /etc/openldap/openldap.key -CAfile /etc/pki/trust/anchors/rootCA.pem -Verify 0
verify depth is 0, must return a certificate
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
ERROR
139864715617936:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3309:
shutting down SSL
CONNECTION CLOSED
ACCEPT

But ldapsearch still says

TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A

upd2: I use OpenSSL 1.0.1i

by 0x2207 31.07.2016 / 10:58

1 answer

1

Normally, when olcTLSVerifyClient is set to try it works, but if olcTLSVerifyClient is set to demand it does not work; this means that the server does not recognize the client certificate (the rootCA that signed the client-side certificate is not considered a trusted CA on the server).

by 03.08.2016 / 18:48
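The question asks how to debug a client-certificate failure and the answer names the usual cause: the CA that signed the client certificate is not trusted by the server. The following shell script is an added example (it is not from the question, the answer, or OpenLDAP) that reproduces offline the decision slapd makes when olcTLSVerifyClient is demand: it builds a throw-away PKI with constructed names (rootCA, otherCA, good-client, foreign-client, server-only) and runs `openssl verify -purpose sslclient` against each client certificate, which is the same chain-and-purpose check a TLS server applies. It goes slightly beyond the page by also covering a certificate whose extendedKeyUsage allows only server use, since the question reuses the server certificate on the client side. It assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not code from the question or from OpenLDAP: reproduce
# offline the check slapd makes on a client certificate when
# olcTLSVerifyClient is "demand". A throw-away PKI is generated under
# $WORK; every CA and certificate name below is constructed for the demo.
# Needs the openssl command-line tool (the same one used for s_server above).

set -u
WORK="${WORK:-$(mktemp -d)}"

# gen_ca DIR NAME: self-signed root CA -> DIR/NAME.pem and DIR/NAME.key
gen_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# gen_leaf DIR NAME CA [EXTFILE]: end-entity certificate signed by DIR/CA.pem;
# EXTFILE, when given, supplies X.509v3 extensions (e.g. an extendedKeyUsage)
gen_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
      -CAcreateserial -days 1 -sha256 -extfile "$4" -out "$1/$2.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
      -CAcreateserial -days 1 -sha256 -out "$1/$2.pem" >/dev/null 2>&1
  fi
}

# check_client_cert CAFILE CERT: the question a server with olcTLSVerifyClient
# demand answers during the handshake. CAFILE plays the role of
# olcTLSCACertificateFile; CERT is what the client presents (TLS_CERT).
# Returns 0 only if CERT chains to a CA in CAFILE *and* is usable for
# client authentication (-purpose sslclient). The verdict is taken from the
# ": OK" line instead of the exit status because openssl verify in the
# 1.0.1 series exits 0 even when verification fails.
check_client_cert() {
  out=$(openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1)
  case "$out" in
    *": OK"*)
      echo "OK   $2 would be accepted by a server trusting $1"
      return 0 ;;
    *)
      echo "FAIL $2 against $1: $(printf '%s\n' "$out" | grep error | head -n 1)"
      return 1 ;;
  esac
}

# build_demo_pki: one CA that the "server" trusts, one it does not, and three
# client certificates covering the good case and two common failure modes.
build_demo_pki() {
  gen_ca "$WORK" rootCA      # stands in for /etc/pki/trust/anchors/rootCA.pem
  gen_ca "$WORK" otherCA     # a CA the server has never heard of
  gen_leaf "$WORK" good-client rootCA
  gen_leaf "$WORK" foreign-client otherCA
  # a certificate restricted to server use: valid chain, wrong purpose
  printf 'extendedKeyUsage = serverAuth\n' > "$WORK/server-only.cnf"
  gen_leaf "$WORK" server-only rootCA "$WORK/server-only.cnf"
}

build_demo_pki
check_client_cert "$WORK/rootCA.pem" "$WORK/good-client.pem"     # OK
check_client_cert "$WORK/rootCA.pem" "$WORK/foreign-client.pem"  # FAIL: unable to get local issuer certificate
check_client_cert "$WORK/rootCA.pem" "$WORK/server-only.pem"     # FAIL: unsupported certificate purpose
```

To apply the same check to the real files from the question, run `check_client_cert /etc/pki/trust/anchors/rootCA.pem /etc/openldap/openldap.crt` on the server, and `openssl x509 -noout -purpose -in /etc/openldap/openldap.crt` to see whether the "SSL client" purpose is reported as Yes. Connecting to the running server with `openssl s_client -connect localhost:636 -cert /etc/openldap/openldap.crt -key /etc/openldap/openldap.key -CAfile /etc/pki/trust/anchors/rootCA.pem` additionally prints the "Acceptable client certificate CA names" the server sends in its CertificateRequest, which should include the issuer of the client certificate.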
