From: Chris R. <chr...@me...> - 2002-05-09 15:50:07
Ewa Skrenty <Ewa...@un...> wrote:

> Hello,
> Can anyone tell me how to set up a perl-LDAP script to use a TLS/SSL
> connection?
> For a few days I've been trying to start a TLS connection in my perl-ldap
> scripts, but without success. I use the start_tls function like this:
>
>     $ldap->start_tls(verify => "none", sslversion => "sslv3");
>
> First I won't to verify client certificates.
> I use openldap 2.0.23 and start slapd on the default 389 port (non-secure).
> In the slapd.conf file I set
>
>     TLSCertificateKeyFile /usr/local/openldap2/etc/openldap/server.key
>     TLSCertificateFile /usr/local/openldap2/etc/openldap/server.crt
>
> When I use openldap's ldapsearch with the -Z option I have a correct
> TLS/SSL connection and get the correct search result, but when I run
> my perl-ldap script I get the following error:
>
>     ldap_start_tls: Error 1: Operations error.
>
> In slapd's log I have these lines:
>
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5 error=Resource temporarily unavailable
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL3 alert read:fatal:bad certificate
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:985
> connection_read(9): TLS accept error error=-1 id=28, closing
>
> I tried to use LDAPS instead of LDAP/start_tls, but also without success.
> Does anyone have any suggestions?
> Ewa

It looks like the problem may be the format of the files containing your client certificate and key.
Someone else was recently doing client auth with TLS and got it working, but since I can't find their messages these are guesses:

1) make sure your cert and key are both in PEM format. OpenSSL has some utilities to convert things into PEM format.

2) the private key has got to be unencrypted, because of the way Net::LDAP uses the SSL code. (We should fix that by e.g. having a callback argument on the SSL connect which returns the passphrase for the key. Doesn't look hard..)

Cheers,
Chris
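As an added example (not code from this thread or from the Net::LDAP project), here is a perl-ldap start_tls call that applies both points above and, unlike the verify => "none" in the question, also verifies the server certificate; the host name, base DN and file paths are placeholders, and the example assumes all three PEM files exist and the key is unencrypted.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Assumed: host, base DN and file paths
# are placeholders; all three files are PEM and the key is unencrypted.
use strict;
use warnings;
use Net::LDAP;

my $host        = 'ldap.example.com';                              # placeholder
my $ca_file     = '/usr/local/openldap2/etc/openldap/cacert.pem';  # placeholder
my $client_cert = '/usr/local/openldap2/etc/openldap/client.crt';  # placeholder
my $client_key  = '/usr/local/openldap2/etc/openldap/client.key';  # placeholder

# Plain connection on 389 first, as ldapsearch -Z does; TLS is negotiated
# afterwards with the StartTLS extended operation.
my $ldap = Net::LDAP->new($host, port => 389)
    or die "connect to $host failed: $@";

# verify => 'require' checks the server certificate against $ca_file and
# fails the handshake on mismatch; verify => 'none' (as in the question)
# would accept any server certificate. No sslversion is pinned, so the
# library default is used rather than the obsolete sslv3.
my $mesg = $ldap->start_tls(
    verify     => 'require',
    cafile     => $ca_file,
    clientcert => $client_cert,   # PEM, point 1 above
    clientkey  => $client_key,    # PEM and unencrypted, point 2 above
);
die 'start_tls failed: ' . $mesg->error . "\n" if $mesg->code;

# The same search ldapsearch -Z would do, now over the TLS-protected session.
my $res = $ldap->search(
    base   => 'dc=example,dc=com',   # placeholder
    scope  => 'sub',
    filter => '(objectClass=*)',
);
die 'search failed: ' . $res->error . "\n" if $res->code;
print $_->dn, "\n" for $res->entries;

$ldap->unbind;
```

If start_tls still fails, compare the slapd log with the trace in the question: a "bad certificate" alert at "read client certificate" points at the client files, while a failure before that point is on the server side.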