• [^] # Re: As-tu bien fait la conf ?

    Posté par (site web personnel) . En réponse au message LDAP over TLS - unsupported extended operation. Évalué à 1.

    Hum, on recommence, j'avais fait de la merde sur les droits de lecture de mon certificat ..

    L'erreur :

    root@DB:/etc/ldap# ldapsearch -ZZ
    ldap_start_tls: Connect error (-11)
     additional info: A TLS packet with unexpected length was received.

    le ldapsearch "normal" fonctionne :

    root@DB:/etc/ldap# ldapsearch
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base <> (default) with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    # search result
    search: 2
    result: 32 No such object
    # numResponses: 1

    Le retour de openssl (qui n'est plus utile, suite au certtool, si j'ai bien compris ?!)

    root@DB:/etc/ldap# openssl s_client -connect db.m0le.net:636 -state -showcerts -CAfile /etc/ldap/cacert.pem [39/1905]
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:unknown state
    SSL_connect:SSLv3 read server hello A
    depth=0 C = FR, ST = Some-State, O = Internet Widgits Pty Ltd, CN = db.m0le.net, emailAddress = root@m0le.net
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:failed in SSLv3 read finished A
    140293130380968:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    Certificate chain
     0 s:/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net
     i:/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net
    -----BEGIN CERTIFICATE-----
    MIIDxTCCAq2gAwIBAgIJAIcFtqHXlSAbMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
    [...]
    E/8TpVehfOI8wC3lyQ8qCQWipzAQDy5wLx9nhaBTVDNybsmTKYiNKg7rPIZH2TGu
    2qsVRp0pJ5S7
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net
    issuer=/C=FR/ST=Some-State/O=Internet Widgits Pty Ltd/CN=db.m0le.net/emailAddress=root@m0le.net
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1079 bytes and written 358 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
     Protocol : TLSv1.2
     Cipher : AES256-SHA256
     Session-ID: D93xxx14E5DC66D8F
     Session-ID-ctx:
     Master-Key: 93Cxxx65E6583473
     Key-Arg : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1410505118
     Timeout : 300 (sec)
     Verify return code: 0 (ok)
    ---

    Enfin l'erreur avec gnutls-cli :

    root@DB:/etc/ldap# gnutls-cli --x509cafile /etc/ldap/cacert.pem --x509keyfile /etc/ldap/db_key.pem --x509certfile /etc/ldap/db_crt.pem -d 5 -p 636 db.m0le.net [61/1997]
    Processed 1 CA certificate(s).
    Processed 1 client certificates...
    Processed 1 client X.509 certificates...
    Resolving 'db.m0le.net'...
    Connecting to '10.0.0.4:636'...
    |<4>| REC[0x1816d00]: Allocating epoch #0
    |<2>| ASSERT: gnutls_constate.c:695
    |<4>| REC[0x1816d00]: Allocating epoch #1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
    |<3>| HSK[0x1816d00]: Keeping ciphersuite: RSA_ARCFOUR_MD5
    |<2>| EXT[0x1816d00]: Sending extension SERVER NAME (16 bytes)
    |<2>| EXT[0x1816d00]: Sending extension SAFE RENEGOTIATION (1 bytes)
    |<2>| EXT[0x1816d00]: Sending extension SESSION TICKET (0 bytes)
    |<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
    |<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
    |<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
    |<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
    |<2>| EXT[0x1816d00]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
    |<3>| HSK[0x1816d00]: CLIENT HELLO was sent [136 bytes]
    |<4>| REC[0x1816d00]: Sending Packet[0] Handshake(22) with length: 136
    |<4>| REC[0x1816d00]: Sent Packet[1] Handshake(22) with length: 141
    |<4>| REC[0x1816d00]: Expected Packet[0] Handshake(22) with length: 1
    |<4>| REC[0x1816d00]: Received Packet[0] Handshake(22) with length: 81
    |<4>| REC[0x1816d00]: Decrypted Packet[0] Handshake(22) with length: 81
    |<3>| HSK[0x1816d00]: SERVER HELLO was received [81 bytes]
    |<3>| HSK[0x1816d00]: Server's version: 3.3
    |<3>| HSK[0x1816d00]: SessionID length: 32
    |<3>| HSK[0x1816d00]: SessionID: d2817e9768ce745d8ddcf4b02bd9e34ad4463c0a33448c254613d09cb3e4e446
    |<3>| HSK[0x1816d00]: Selected cipher suite: RSA_AES_128_CBC_SHA1
    |<2>| EXT[0x1816d00]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
    |<3>| HSK[0x1816d00]: Safe renegotiation succeeded
    |<4>| REC[0x1816d00]: Expected Packet[1] Handshake(22) with length: 1
    |<4>| REC[0x1816d00]: Received Packet[1] Handshake(22) with length: 979
    |<4>| REC[0x1816d00]: Decrypted Packet[1] Handshake(22) with length: 979
    |<3>| HSK[0x1816d00]: CERTIFICATE was received [979 bytes]
    |<2>| ASSERT: ext_signature.c:393
    |<4>| REC[0x1816d00]: Expected Packet[2] Handshake(22) with length: 1
    |<4>| REC[0x1816d00]: Received Packet[2] Handshake(22) with length: 4
    |<4>| REC[0x1816d00]: Decrypted Packet[2] Handshake(22) with length: 4
    |<3>| HSK[0x1816d00]: SERVER HELLO DONE was received [4 bytes]
    |<2>| ASSERT: gnutls_handshake.c:1369
    |<3>| HSK[0x1816d00]: CLIENT KEY EXCHANGE was sent [262 bytes]
    |<4>| REC[0x1816d00]: Sending Packet[1] Handshake(22) with length: 262
    |<4>| REC[0x1816d00]: Sent Packet[2] Handshake(22) with length: 267
    |<3>| REC[0x1816d00]: Sent ChangeCipherSpec
    |<4>| REC[0x1816d00]: Sending Packet[2] Change Cipher Spec(20) with length: 1
    |<4>| REC[0x1816d00]: Sent Packet[3] Change Cipher Spec(20) with length: 6
    |<4>| REC[0x1816d00]: Initializing epoch #1
    |<4>| REC[0x1816d00]: Epoch #1 ready
    |<3>| HSK[0x1816d00]: Cipher Suite: RSA_AES_128_CBC_SHA1
    |<3>| HSK[0x1816d00]: Initializing internal [write] cipher sessions
    |<4>| REC[0x1816d00]: Start of epoch cleanup
    |<4>| REC[0x1816d00]: End of epoch cleanup
    |<3>| HSK[0x1816d00]: recording tls-unique CB (send)
    |<3>| HSK[0x1816d00]: FINISHED was sent [16 bytes]
    |<4>| REC[0x1816d00]: Sending Packet[0] Handshake(22) with length: 16
    |<4>| REC[0x1816d00]: Sent Packet[1] Handshake(22) with length: 85
    |<2>| ASSERT: gnutls_buffers.c:640
    |<2>| ASSERT: gnutls_record.c:969
    |<2>| ASSERT: gnutls_handshake.c:2933
    |<2>| ASSERT: gnutls_handshake.c:3139
    *** Fatal error: A TLS packet with unexpected length was received.
    |<4>| REC: Sending Alert[2|22] - Record overflow
    |<4>| REC[0x1816d00]: Sending Packet[1] Alert(21) with length: 2
    |<4>| REC[0x1816d00]: Sent Packet[2] Alert(21) with length: 229
    *** Handshake has failed
    GnuTLS error: A TLS packet with unexpected length was received.
    |<4>| REC[0x1816d00]: Epoch #0 freed
    |<4>| REC[0x1816d00]: Epoch #1 freed