Retourner au contenu associé (entrée de forum : LDAP over TLS - unsupported extended operation)
Posté par Nono (site web personnel) le 12 septembre 2014 à 09:05. En réponse au message LDAP over TLS - unsupported extended operation. Évalué à 1.
Hum, on recommence, j'avais fait de la merde sur les droits de lecture de mon certificat ..
L'erreur :
root@DB:/etc/ldap# ldapsearch -ZZ ldap_start_tls: Connect error (-11) additional info: A TLS packet with unexpected length was received.
le ldapsearch "normal" fonctionne :
root@DB:/etc/ldap# ldapsearch SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1
Le retour de openssl (qui n'est plus utile, suite au certtool, si j'ai bien compris ?!)
root@DB:/etc/ldap# openssl s_client -connect db.m0le.net:636 -state -showcerts -CAfile /etc/ldap/cacert.pem [39/1905] CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:unknown state SSL_connect:SSLv3 read server hello A depth=0 C = FR, ST = Some-State, O = Internet Widgits Pty Ltd, CN = db.m0le.net, emailAddress = root@m0le.net verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:failed in SSLv3 read finished A 140293130380968:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- Certificate chain 0 s:/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net i:/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net -----BEGIN CERTIFICATE----- MIIDxTCCAq2gAwIBAgIJAIcFtqHXlSAbMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV [...] E/8TpVehfOI8wC3lyQ8qCQWipzAQDy5wLx9nhaBTVDNybsmTKYiNKg7rPIZH2TGu 2qsVRp0pJ5S7 -----END CERTIFICATE----- --- Server certificate subject=/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net issuer=/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net --- No client certificate CA names sent --- SSL handshake has read 1079 bytes and written 358 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : AES256-SHA256 Session-ID: D93xxx14E5DC66D8F Session-ID-ctx: Master-Key: 93Cxxx65E6583473 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1410505118 Timeout : 300 (sec) Verify return code: 0 (ok) ---
Enfin l'erreur avec gnutls-cli :
root@DB:/etc/ldap# gnutls-cli --x509cafile /etc/ldap/cacert.pem --x509keyfile /etc/ldap/db_key.pem --x509certfile /etc/ldap/db_crt.pem -d 5 -p 636 db.m0le.net [61/1997] Processed 1 CA certificate(s). Processed 1 client certificates... Processed 1 client X.509 certificates... Resolving 'db.m0le.net'... Connecting to '10.0.0.4:636'... |<4>| REC[0x1816d00]: Allocating epoch #0 |<2>| ASSERT: gnutls_constate.c:695 |<4>| REC[0x1816d00]: Allocating epoch #1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<2>| EXT[0x1816d00]: Sending extension SERVER NAME (16 bytes) |<2>| EXT[0x1816d00]: Sending extension SAFE RENEGOTIATION (1 bytes) |<2>| EXT[0x1816d00]: Sending extension SESSION TICKET (0 bytes) |<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256 |<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256 |<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1 |<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1 |<2>| EXT[0x1816d00]: Sending extension SIGNATURE ALGORITHMS (10 bytes) |<3>| HSK[0x1816d00]: CLIENT HELLO was sent [136 bytes] |<4>| REC[0x1816d00]: Sending Packet[0] Handshake(22) with length: 136 |<4>| REC[0x1816d00]: Sent Packet[1] Handshake(22) with length: 141 |<4>| REC[0x1816d00]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x1816d00]: Received Packet[0] Handshake(22) with length: 81 |<4>| REC[0x1816d00]: Decrypted Packet[0] Handshake(22) with length: 81 |<3>| HSK[0x1816d00]: SERVER HELLO was received [81 bytes] |<3>| HSK[0x1816d00]: Server's version: 3.3 |<3>| HSK[0x1816d00]: SessionID length: 32 |<3>| HSK[0x1816d00]: SessionID: d2817e9768ce745d8ddcf4b02bd9e34ad4463c0a33448c254613d09cb3e4e446 |<3>| HSK[0x1816d00]: Selected cipher suite: RSA_AES_128_CBC_SHA1 |<2>| EXT[0x1816d00]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes) |<3>| HSK[0x1816d00]: Safe renegotiation succeeded |<4>| REC[0x1816d00]: Expected Packet[1] Handshake(22) with length: 1 |<4>| REC[0x1816d00]: Received Packet[1] Handshake(22) with length: 979 |<4>| REC[0x1816d00]: Decrypted Packet[1] Handshake(22) with length: 979 |<3>| HSK[0x1816d00]: CERTIFICATE was received [979 bytes] |<2>| ASSERT: ext_signature.c:393 |<4>| REC[0x1816d00]: Expected Packet[2] Handshake(22) with length: 1 |<4>| REC[0x1816d00]: Received Packet[2] Handshake(22) with length: 4 |<4>| REC[0x1816d00]: Decrypted Packet[2] Handshake(22) with length: 4 |<3>| HSK[0x1816d00]: SERVER HELLO DONE was received [4 bytes] |<2>| ASSERT: gnutls_handshake.c:1369 |<3>| HSK[0x1816d00]: CLIENT KEY EXCHANGE was sent [262 bytes] |<4>| REC[0x1816d00]: Sending Packet[1] Handshake(22) with length: 262 |<4>| REC[0x1816d00]: Sent Packet[2] Handshake(22) with length: 267 |<3>| REC[0x1816d00]: Sent ChangeCipherSpec |<4>| REC[0x1816d00]: Sending Packet[2] Change Cipher Spec(20) with length: 1 |<4>| REC[0x1816d00]: Sent Packet[3] Change Cipher Spec(20) with length: 6 |<4>| REC[0x1816d00]: Initializing epoch #1 |<4>| REC[0x1816d00]: Epoch #1 ready |<3>| HSK[0x1816d00]: Cipher Suite: RSA_AES_128_CBC_SHA1 |<3>| HSK[0x1816d00]: Initializing internal [write] cipher sessions |<4>| REC[0x1816d00]: Start of epoch cleanup |<4>| REC[0x1816d00]: End of epoch cleanup |<3>| HSK[0x1816d00]: recording tls-unique CB (send) |<3>| HSK[0x1816d00]: FINISHED was sent [16 bytes] |<4>| REC[0x1816d00]: Sending Packet[0] Handshake(22) with length: 16 |<4>| REC[0x1816d00]: Sent Packet[1] Handshake(22) with length: 85 |<2>| ASSERT: gnutls_buffers.c:640 |<2>| ASSERT: gnutls_record.c:969 |<2>| ASSERT: gnutls_handshake.c:2933 |<2>| ASSERT: gnutls_handshake.c:3139 *** Fatal error: A TLS packet with unexpected length was received. |<4>| REC: Sending Alert[2|22] - Record overflow |<4>| REC[0x1816d00]: Sending Packet[1] Alert(21) with length: 2 |<4>| REC[0x1816d00]: Sent Packet[2] Alert(21) with length: 229 *** Handshake has failed GnuTLS error: A TLS packet with unexpected length was received. |<4>| REC[0x1816d00]: Epoch #0 freed |<4>| REC[0x1816d00]: Epoch #1 freed
AltStyle によって変換されたページ (->オリジナル) / アドレス: モード: デフォルト 音声ブラウザ ルビ付き 配色反転 文字拡大 モバイル
[^] # Re: As-tu bien fait la conf ?
Posté par Nono (site web personnel) . En réponse au message LDAP over TLS - unsupported extended operation. Évalué à 1.
Hum, on recommence, j'avais fait de la merde sur les droits de lecture de mon certificat ..
L'erreur :
le ldapsearch "normal" fonctionne :
Le retour de openssl (qui n'est plus utile, suite au certtool, si j'ai bien compris ?!)
Enfin l'erreur avec gnutls-cli :