Subject: start_tls returns error
$ perl -v
This is perl, v5.6.1 built for i386-linux
$ldap->start_tls (verify => 'none') returns an error, and on the LDAP server I see:
TLS trace: SSL3 alert read:fatal:unknown CA
See the attachment for a detailed error description.
$ dpkg -l libnet-ldap-perl libio-socket-ssl-perl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==================-==================-====================================================
ii libnet-ldap-perl 0.25-2 A Client interface to LDAP servers.
ii libio-socket-ssl-p 0.81-1 Class implementing an object oriented interface to S
$
In my test Perl script, the following line returns an error:
$mesg = $ldap->start_tls (verify => 'none');
On the LDAP server in debug mode I can see:
a:~# slapd -d 1 -h "ldap:/// ldaps:///"
daemon_init: listen on ldap:///
daemon_init: listen on ldaps:///
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldap:///
ldap_url_parse_ext(ldaps:///)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldaps:///
daemon_init: 2 listeners opened
slapd init: initiated server.
slap_sasl_init: initialized!
slapd startup: initiated.
slapd starting
ldap_pvt_gethostbyname_a: host=S, r=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:985
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
With this patch on SSL.pm:
koala:/usr/share/perl5/IO/Socket# diff -u SSL.pm.orig SSL.pm
--- SSL.pm.orig Wed Jul 3 10:39:39 2002
+++ SSL.pm Wed Jul 3 10:39:45 2002
@@ -505,6 +505,7 @@
my $ssl = $ssl_obj->get_ssl_handle();
if ( ($r = Net::SSLeay::connect($ssl)) <= 0 ) { # ssl/s23_clnt.c
my $err_str = IO::Socket::SSL::_get_SSL_err_str();
+ print "Net::SSLeay::connect Error: $err_str\n";
return IO::Socket::SSL::_myerror($sock,"socketToSSL(): connect failed");
}
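Review bot: the added print on the fourth line of the hunk writes the SSL error to STDOUT unconditionally from inside a library function, so it will interleave with whatever the calling program prints; for a debugging aid, `warn "Net::SSLeay::connect Error: $err_str\n";` (or gating the print on a debug flag) keeps it on STDERR. Since `_myerror` is already called with the generic text "socketToSSL(): connect failed", consider appending `$err_str` to that message so the caller sees the real reason (here "certificate verify failed") without any print at all.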
koala:/usr/share/perl5/IO/Socket#
The line
$mesg = $ldap->start_tls (verify => 'none');
now prints out:
Net::SSLeay::connect Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
With the input from http://www.rosat.mpe-garching.mpg.de/mailing-lists/perl-ldap/2002-05/msg00037.html
I modified LDAP.pm:
koala:/usr/share/perl5/Net# diff -u LDAP.pm.orig LDAP.pm
--- LDAP.pm.orig Wed Jul 3 11:03:50 2002
+++ LDAP.pm Wed Jul 3 11:04:00 2002
@@ -790,7 +790,7 @@
require Net::LDAPS;
$arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
- (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL', $sock)
+ (IO::Socket::SSL::socketToSSL($sock,{ Net::LDAPS::SSL_context_init_args($arg) } ))
? $mesg
: _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@);
}
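Review bot: the replacement line drops the `tie *{$sock}, 'IO::Socket::SSL', $sock` that the original performed after `socketToSSL` succeeded, so the socket is no longer tied to the SSL class; if that tie is what routes later reads and writes on $sock through SSL, it needs to stay (`... and tie *{$sock}, 'IO::Socket::SSL', $sock`), and if it is intentionally removed the change should say why. Passing `{ Net::LDAPS::SSL_context_init_args($arg) }` to `socketToSSL` is what makes the caller's verify setting apply to this connection, which is the actual fix for the "certificate verify failed" result; the same hash is now built twice (once for `context_init`, once here), so build it once into a lexical and pass that to both calls.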
koala:/usr/share/perl5/Net#
and start_tls returns success.
The TLS messages from the LDAP server:
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
[...]
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
TLS trace: SSL3 alert write:warning:close notify