From: Luke A. K. <lu...@ma...> - 2001-11-20 16:05:47
Hi all,

I'm trying to get start_tls to work, since all of the docs recommend that instead of Net::LDAPS, but it always hangs on the call to start_tls. Here's my code:

    $ldap = Net::LDAP->new(
        "sycamore",
        "port"    => 636,
        'version' => 3,
    );

    $result = $ldap->start_tls(
        'verify' => 'require',
        "cafile" => '/home/kaniela/ssl/f73e89fd.0',
    );

I've tried it on port 389, but that immediately gives me a protocol error. Every other attempt just freezes at the call to start_tls, for as long as I let it sit there. The server shows an SSL connection, but I think that's just because of the port number, and it shows an EOF when I eventually cancel the connection.

I've tried pointing the cafile to my cert7.db, or to an extracted text version of cert7.db, or individually to every Verisign cert from cert7.db, all named using the openssl command mentioned in the man pages for Net::LDAPS and Net::LDAP. I've also tried pointing capath to a directory with each individual file from the cert7.db, again named using the openssl command.

I know all of the documentation says to connect on 389 for TLS and then convert the connection to TLS, but does that mean my server has to listen on that port for secure connections? That is, to get this to work do I have to set up my server other than 389-ldap/636-ldaps?

If anyone has any ideas, example code, or how to get the certs and everything working, I would really appreciate it. I can probably get Net::LDAPS to work easier (I think I actually got it to work already, but I don't trust that result because I am sure I didn't have the certs set up correctly), but this is apparently the direction to head so I figured I'd try it.

Thanks preemptively for any help,
Luke

-- 
Automatic door locks are good for...
a. security
b. convenience
c. messing with the heads of people trying to get in
From: Chris R. <chr...@me...> - 2001-11-20 16:33:29
"Luke A. Kanies" <lu...@ma...> wrote:
> I know all of the documentation says to connect on 389 for TLS and then
> convert the connection to TLS, but does that mean my server has to listen
> on that port for secure connections? That is, to get this to work do I
> have to set up my server other than 389-ldap/636-ldaps?

No, and no.

If the server has been configured to listen to plain old LDAP on port 389, then that is the port that you should connect to and then do the start_tls() on.

Ignore the LDAPS port.

Have you looked at the manpage for Net::LDAP::Security? It is probably too 'chatty', but it might explain things better.

Do you know if your server supports the StartTLS extended operation? If it does, it should say so by including its OID in the root DSE. Something like the following untested code will check for this:

    my $can_do_start_tls = 0;
    my $r = $ldap->root_dse();
    foreach (@{$r->get_value("supportedExtension")}) {
        $can_do_start_tls = 1 if $_ eq "1.3.6.1.4.1.1466.20037";
    }

> If anyone has any ideas, example code, or how to get the certs and
> everything working, I would really appreciate it. I can probably get
> Net::LDAPS to work easier (I think I actually got it to work already, but
> I don't trust that result because I am sure I didn't have the certs set up
> correctly), but this is apparently the direction to head so I figured I'd
> try it.

I think your cafile value of '/home/kaniela/ssl/f73e89fd.0' is right, assuming that's a PEM file.

Cheers,

Chris
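The procedure Chris describes, as an added example that is not code from either poster: connect on the plain LDAP port, confirm the StartTLS OID is advertised in the root DSE, then upgrade the connection with certificate verification. The host name and CA file path are assumptions; the root DSE lookup uses get_value's asref option so the dereference is valid whether the server lists zero, one or many extensions.

```perl
#!/usr/bin/perl
# Added example, not from the thread: probe the root DSE for the StartTLS
# extended operation, then upgrade a plain port-389 connection to TLS.
use strict;
use warnings;
use Net::LDAP;

# OID a server lists in supportedExtension when it implements StartTLS.
my $START_TLS_OID = '1.3.6.1.4.1.1466.20037';

sub server_supports_start_tls {
    my ($ldap) = @_;
    my $dse = $ldap->root_dse(attrs => ['supportedExtension'])
        or return 0;
    # asref => 1 returns an array reference (or undef if the attribute is
    # absent), so @$ext is safe even when the server advertises nothing.
    my $ext = $dse->get_value('supportedExtension', asref => 1) || [];
    return scalar grep { $_ eq $START_TLS_OID } @$ext;
}

my $host   = 'ldap.example.com';            # assumed host name
my $cafile = '/etc/ssl/certs/ldap-ca.pem';  # assumed PEM CA bundle

# StartTLS upgrades an existing plain connection, so use the LDAP port,
# not the LDAPS one.
my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "connect to $host:389 failed: $@\n";

die "$host does not advertise StartTLS in its root DSE\n"
    unless server_supports_start_tls($ldap);

# verify => 'require' makes the client validate the server certificate
# against the CA bundle; a wrong or non-PEM cafile fails here, not later.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
die 'start_tls failed: ' . $mesg->error . "\n" if $mesg->code;

print "TLS negotiated, cipher: ", $ldap->cipher, "\n";
$ldap->unbind;
```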
From: Luke A. K. <lu...@ma...> - 2001-11-20 19:04:28
On Tue, 20 Nov 2001, Chris Ridd wrote:
> "Luke A. Kanies" <lu...@ma...> wrote:
> > I know all of the documentation says to connect on 389 for TLS and then
> > convert the connection to TLS, but does that mean my server has to listen
> > on that port for secure connections? That is, to get this to work do I
> > have to set up my server other than 389-ldap/636-ldaps?
>
> No, and no.
>
> If the server has been configured to listen to plain old LDAP on port 389, then
> that is the port that you should connect to and then do the start_tls() on.
>
> Ignore the LDAPS port.

That's what I thought; thanks.

> Have you looked at the manpage for Net::LDAP::Security? It is probably too
> 'chatty', but it might explain things better.

I didn't know it existed, so thanks for that, too.

> Do you know if your server supports the StartTLS extended operation? If it
> does, it should say so by including its OID in the root DSE. Something like
> the following untested code will check for this:
>
>     my $can_do_start_tls = 0;
>     my $r = $ldap->root_dse();
>     foreach (@{$r->get_value("supportedExtension")}) {
>         $can_do_start_tls = 1 if $_ eq "1.3.6.1.4.1.1466.20037";
>     }

Huh, I did that (had to remove the @{}), and apparently iPlanet Directory servers don't support TLS? Weird. The 4.x version doesn't even return any supported Extensions, and 5.0SP1 doesn't return the specified one. All the docs online claim that the servers support it just fine, even specifically mentioning the StartTLS operation, but I don't see it.

I'm actually testing SSL on a 4.x server, I just happen to have a 5.x server running for other testing; if 5 supports TLS (which the root DSE seems to deny), then I can probably switch to that eventually and use LDAPS in the short term.

Do most servers support TLS these days? I've found some people mentioning it with OpenLDAP, so I assume it does. I figured if anything did then iPlanet would, but apparently not.

> > If anyone has any ideas, example code, or how to get the certs and
> > everything working, I would really appreciate it. I can probably get
> > Net::LDAPS to work easier (I think I actually got it to work already, but
> > I don't trust that result because I am sure I didn't have the certs set up
> > correctly), but this is apparently the direction to head so I figured I'd
> > try it.
>
> I think your cafile value of '/home/kaniela/ssl/f73e89fd.0' is right,
> assuming that's a PEM file.

It is, assuming PEM is a text file with the ---START CERTIFICATE--- and all. Thanks.

-- 
The easiest way to figure the cost of living is to take your income and add ten percent.
From: Chris R. <chr...@me...> - 2001-11-21 08:41:14
"Luke A. Kanies" <lu...@ma...> wrote:
> Huh, I did that (had to remove the @{}), and apparently iPlanet Directory
> servers don't support TLS? Weird. The 4.x version doesn't even return
> any supported Extensions, and 5.0SP1 doesn't return the specified one. All
> the docs online claim that the servers support it just fine, even
> specifically mentioning the StartTLS operation, but I don't see it.

Supporting TLS is different from supporting the StartTLS extended operation. TLS is really just a cleaned up version of SSL like you'd use in HTTPS or something. StartTLS is a way to switch an existing 'plain' connection into a secure one, so you can see how you'd be able to support TLS but not StartTLS.

> I'm actually testing SSL on a 4.x server, I just happen to have a 5.x
> server running for other testing; if 5 supports TLS (which the root DSE
> seems to deny), then I can probably switch to that eventually and use
> LDAPS in the short term.
>
> Do most servers support TLS these days? I've found some people mentioning
> it with OpenLDAP, so I assume it does. I figured if anything did then
> iPlanet would, but apparently not.

I've heard that only the most recent iPlanet directory (5.1?) supports StartTLS. Our own server's supported StartTLS for a couple of years.

Cheers,

Chris