From: Christian G. <cgi...@ti...> - 2001-06-20 22:04:33
[ Sorry for the initial, incomplete post ]

I've successfully queried an SSL-enabled LDAPv3 service with Net::LDAPS,
but the software continually dies when I attempt to verify the CA
certificate. I have followed the instructions for creating the hash-valued
symlink to the CA cert file.

lrwxrwxrwx ce23b666.0 -> equifaxca2.crt
-r--r--r-- equifaxca2.crt

tomcat% more ce23b666.0

I get the following information back regarding the certificates returned:

Cipher used: DES-CBC3-SHA
Subject DN: /C=US/ST=Colorado/L=Boulder/OU=IBM Global Services/O=IBM/CN=bluepages.ibm.com
Issuer Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2

This information matches the CA's certificate information. As soon as I
attempt to change the ldap object's verify status from none to require,
the software dies during connection establishment. Has anyone had a
similar problem? If so, how did you resolve it?

perl-5.6.1
perl-ldap-0.23
IO-Socket-SSL-0.79
Crypt-SSLeay-0.27
Net_SSLeay-1.07

Regards,
Christian

-----------------
Christian Gilmore
Infrastructure & Tools Team Lead
Web & Multimedia Development
IBM Software Group
From: Chris R. <chr...@me...> - 2001-06-21 09:35:50
Christian Gilmore <cgi...@ti...> wrote:
> [ Sorry for the initial, incomplete post ]
>
> I've successfully queried an SSL-enabled LDAPv3 service with Net::LDAPS,
> but the software continually dies when I attempt to verify the CA
> certificate. I have followed the instructions for creating the hash-valued
> symlink to the CA cert file.
>
> lrwxrwxrwx ce23b666.0 -> equifaxca2.crt
> -r--r--r-- equifaxca2.crt
>
> tomcat% more ce23b666.0
>
> I get the following information back regarding the certificates returned:
>
> Cipher used: DES-CBC3-SHA
> Subject DN: /C=US/ST=Colorado/L=Boulder/OU=IBM Global
> Services/O=IBM/CN=bluepages.ibm.com
> Issuer Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
>
> This information matches the CA's certificate information. As soon as I
> attempt to change the ldap object's verify status from none to require,
> the software dies during connection establishment. Has anyone had a
> similar problem? If so, how did you resolve it?
>
> perl-5.6.1
> perl-ldap-0.23
> IO-Socket-SSL-0.79
> Crypt-SSLeay-0.27
> Net_SSLeay-1.07
>
> Regards,
> Christian

What is in the 'die' message?

The IO::Socket::SSL interface changed a little bit a while ago, it is
possible that I need to update the Net::LDAPS documentation to match.

IIRC, the problem is that you *have* to set cafile and capath otherwise you
get some useless default behaviour. Since you only usually want to set one
of cafile or capath, I think you have to simply set the other one to an
empty string. (It looks like you're using capath, so set cafile to '')

So, please check that.

Are you connecting to the right host, ie bluepages.ibm.com? I can't
remember if OpenSSL checks that itself.

Otherwise, can you try and make sure that there's no underlying OpenSSL
problem? Use the OpenSSL s_client program and attempt to connect to your
directory. The -verify, -state and -debug options are useful. (It doesn't
matter that s_client doesn't understand LDAP, you're just trying to test
the SSL handshake.)

Cheers,
Chris
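The two checks Chris suggests, as an added shell example that is not part of the thread: it confirms that each hash-named link in the capath directory carries the subject hash OpenSSL actually looks up, then runs the s_client probe against the directory server. It assumes the openssl command-line tool is installed; only the probe function needs network access, and the script path and host name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the capath directory
# Net::LDAPS is pointed at, then run the s_client probe Chris suggests.
# Assumes the openssl CLI is installed; the layout (CA file plus a
# <hash>.N symlink beside it) is the one described in the first post.

# Every <hash>.N link must be named after the subject hash OpenSSL will
# actually look up. A link to a valid CA under the wrong name is silently
# ignored, which is indistinguishable from having no CA at all. Note that
# OpenSSL 1.0.0 changed the hash algorithm: links made for 0.9.x (such as
# ce23b666.0 in the thread) must be regenerated under newer releases.
check_capath() {
    dir="$1"
    bad=0
    for link in "$dir"/*.[0-9]; do
        [ -L "$link" ] || continue      # no links at all: glob stays literal
        name=$(basename "$link")
        got=${name%.*}
        # Reading through the link resolves relative and absolute targets.
        want=$(openssl x509 -noout -hash -in "$link" 2>/dev/null) || {
            echo "$link: target is not a PEM certificate"
            bad=1
            continue
        }
        if [ "$want" != "$got" ]; then
            echo "$link: named $got but the subject hash is $want"
            bad=1
        fi
    done
    return "$bad"
}

# Drive the TLS handshake with s_client and report only the verification
# result. s_client exits 0 even when verification fails, so the "Verify
# return code" line is what matters. s_client does not match the server
# name against the certificate unless asked (-verify_hostname, 1.1.0+).
probe_ldaps() {
    host="$1"; capath="$2"
    openssl s_client -connect "$host:636" -CApath "$capath" \
        -verify 5 -state </dev/null 2>&1 | grep 'Verify return code'
}

# Usage: sh capath_check.sh /path/to/ssl.crt [ldap-host]
if [ $# -ge 1 ]; then
    check_capath "$1" || exit 1
    [ $# -ge 2 ] && probe_ldaps "$2" "$1"
fi
```

A "Verify return code" other than 0 (ok) from the probe is the OpenSSL-level failure to chase before looking at the Perl layer.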
From: Christian G. <cgi...@ti...> - 2001-06-25 16:22:35
> What is in the 'die' message?

IO::Socket::SSL: Timeout ...propagated at ./test_ldaps.pl line 61.

> Since you only usually want to set one of cafile or capath, I think you
> have to simply set the other one to an empty string. (It looks like you're
> using capath, so set cafile to '')

Just tried that. Same result.

> Are you connecting to the right host, ie bluepages.ibm.com? I can't
> remember if OpenSSL checks that itself.

Yes. Here's my connect line:

my $ldap = Net::LDAPS->new('bluepages.ibm.com',
                           port    => 636,
                           verify  => 'require',
                           capath  => '/opt/apache/w3-dev.tivoli.com/443/conf/ssl.crt',
                           cafile  => '',
                           debug   => 15,
                           onerror => 'die') or die;

> Otherwise, can you try and make sure that there's no underlying OpenSSL
> problem?

I'm having trouble with openssl verifying the cert. I'll dig deeper on
this front.

Thanks,
Christian
From: Christopher A B. <ca...@tc...> - 2001-06-25 16:50:00
As Christian Gilmore once put it so eloquently:
> > What is in the 'die' message?
>
> IO::Socket::SSL: Timeout ...propagated at ./test_ldaps.pl line 61.

[...]

> > Otherwise, can you try and make sure that there's no underlying OpenSSL
> > problem?
>
> I'm having trouble with openssl verifying the cert. I'll dig deeper on
> this front.

I got the same message when trying to connect to a server with an expired
cert...

%% Christopher A. Bongaarts   %% ca...@tc...           %%
%% Internet Services          %% http://umn.edu/~cab   %%
%% University of Minnesota    %% +1 (612) 625-1809     %%
From: Chris R. <chr...@me...> - 2001-06-25 16:55:57
Christian Gilmore <cgi...@ti...> wrote:
>> What is in the 'die' message?
>
> IO::Socket::SSL: Timeout ...propagated at ./test_ldaps.pl line 61.

If it dies relatively quickly then that might suggest that the timeout
error is bogus. Maybe that's something Net_SSLeay throws if the cert
verification fails.

> I'm having trouble with openssl verifying the cert. I'll dig deeper on
> this front.

OK. That's quite likely the core of the problem.

Cheers,
Chris