From: Keith A. C. <cl...@ac...> - 2003-01-16 18:05:21
Folks,

Here is my program on RedHat 8.0 with perl 5.8.0 and the current versions of perl-ldap and IO::Socket::SSL:

use Net::LDAP;

my $lds=Net::LDAP->new('oracleOidServer',
                       version=>'3',
                       debug => '12',
                       );

$result = $lds->start_tls ( verify => 'required',
                            cafile => 'oracle.pem',
                          );

print "TLS_RESULT: $result\n";
print "TLS_CODE: " . $result->code . "\n";
print "TLS_MESS: " . $result->error . "\n";
print "TLS_Cipher: " . $lds->version . "\n";

Here is the result:

Net::LDAP=HASH(0x804c120) sending:
0000  29: SEQUENCE {
0002   1:   INTEGER = 1
0005  24:   [APPLICATION 23] {
0007  22:     [CONTEXT 0]
0009    :       31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 31 34 36 36 1.3.6.1.4.1.1466
0019    :       2E 32 30 30 33 37 __ __ __ __ __ __ __ __ __ __ .20037
001F    :   }
001F    : }
Net::LDAP=HASH(0x804c120) received:
0000  35: SEQUENCE {
0002   1:   INTEGER = 1
0005  30:   [APPLICATION 24] {
0007   1:     ENUM = 12
000A   0:     STRING = ''
000C  23:     STRING = 'Currently Not Supported'
0025    :   }
0025    : }
TLS_RESULT: Net::LDAP::Extension=HASH(0x8066c10)
TLS_CODE: 12
TLS_MESS: Currently Not Supported
TLS_Cipher: 3

When I run the following:

openssl s_client -host oracleOidServer -port 636 -CAfile oracle.pem -debug

SSL handshake has read 1328 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
    Session-ID: E0E6EDA8AE37D9DA4167D30F68699A3F
    Session-ID-ctx:
    Master-Key: 3FB9984032B664D176E1613DB156D45022BD8A64698CD879C6282049E78D4F2A66D72C7467D462738C839234DEE19A12
    Key-Arg   : None
    Start Time: 1042737956
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

If I try to run this on port 389 I get the following:

CONNECTED(00000003)
write to 0814DAC8 [0814DB10] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
0060 - 00 80 4c 82 1f 51 66 17-63 ad 57 4b 57 ae b7 08   ..L..Qf.c.WKW...
0070 - a6 00 41 95 b7 c7 94 d5-aa e0 5e 43 c2 2a 88 84   ..A.......^C.*..
0080 - 47 b3                                             G.
read from 0814DAC8 [08153070] (7 bytes => 0 (0x0))
24369:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

I would assume the start_tls would point to port 636 rather than 389. When I set the port to 636 in the constructor it just hangs the program.

keith

--
-------------------------------------------------
Keith Clay, Kei...@ac...
Lead Programmer, Web Integration and Programming
286 Adams Center for Teaching Excellence
Abilene Christian University
Abilene, TX 79699
(915) 674-2187
(915) 674-2834
-------------------------------------------------
From: Christopher A B. <ca...@tc...> - 2003-01-16 19:01:16
As Keith A. Clay once put it so eloquently:

> openssl s_client -host oracleOidServer -port 636 -CAfile oracle.pem -debug
[...]
> I would assume the start_tls would point to port 636 rather than 389.
> When I set the port to 636 in the constructor it just hangs the program.

start_tls changes an existing non-SSL session (usually on port 389) to SSL.

Use Net::LDAPS instead of start_tls to do a completely SSL session to port 636, like your openssl example.

%% Christopher A. Bongaarts   %% ca...@tc...        %%
%% Internet Services          %% http://umn.edu/~cab  %%
%% University of Minnesota    %% +1 (612) 625-1809    %%
From: Keith A. C. <cl...@ac...> - 2003-01-16 19:10:54
The Net::LDAPS docs say that you should not use it since it has no IETF docs and tls does. So, if I build a system on top of it will it go away???

keith

Christopher A Bongaarts wrote:

> start_tls changes an existing non-SSL session (usually on port 389) to
> SSL.
>
> Use Net::LDAPS instead of start_tls to do a completely SSL session to
> port 636, like your openssl example.
From: Christopher A B. <ca...@tc...> - 2003-01-16 19:09:31
As Keith A. Clay once put it so eloquently:

> The Net::LDAPS docs say that you should not use it since it has no
> IETF docs and tls does. So, if I build a system on top of it will it
> go away???

Not likely.
From: Chris R. <chr...@ma...> - 2003-01-16 19:17:58
On 16/1/03 7:09 pm, Christopher A Bongaarts <ca...@tc...> wrote:

> As Keith A. Clay once put it so eloquently:
>
>> The Net::LDAPS docs say that you should not use it since it has no
>> IETF docs and tls does. So, if I build a system on top of it will it
>> go away???
>
> Not likely.

Agreed, especially since it is trivial to do if you've got SSL code. All the docs say is that it *is* unofficial and IETF's preferred approach is to use StartTLS. Well, that's all I meant for them to say :-)

Cheers, Chris
From: Graham B. <gb...@po...> - 2003-01-16 19:16:52
On Thu, Jan 16, 2003 at 01:09:28PM -0600, Keith A. Clay wrote:

> The Net::LDAPS docs say that you should not use it since it has no
> IETF docs and tls does. So, if I build a system on top of it will it
> go away???

No. Or if it does it will have a replacement.

Graham.
From: Chris R. <chr...@ma...> - 2003-01-16 19:14:30
On 16/1/03 6:04 pm, Keith A. Clay <cl...@ac...> wrote:

> Folks,
>
> Here is my program on RedHat 8.0 with perl 5.8.0 and the current
> versions of perl-ldap and IO::Socket::SSL:
>
> use Net::LDAP;
>
> my $lds=Net::LDAP->new('oracleOidServer',
>                        version=>'3',
>                        debug => '12',
>                        );
>
> $result = $lds->start_tls ( verify => 'required',
>                             cafile => 'oracle.pem',
>                           );
>
> print "TLS_RESULT: $result\n";
> print "TLS_CODE: " . $result->code . "\n";
> print "TLS_MESS: " . $result->error . "\n";
> print "TLS_Cipher: " . $lds->version . "\n";
>
> Here is the result:
> Net::LDAP=HASH(0x804c120) sending:
> 0000  29: SEQUENCE {
> 0002   1:   INTEGER = 1
> 0005  24:   [APPLICATION 23] {
> 0007  22:     [CONTEXT 0]
> 0009    :       31 2E 33 2E 36 2E 31 2E 34 2E 31 2E 31 34 36 36 1.3.6.1.4.1.1466
> 0019    :       2E 32 30 30 33 37 __ __ __ __ __ __ __ __ __ __ .20037
> 001F    :   }
> 001F    : }
> Net::LDAP=HASH(0x804c120) received:
> 0000  35: SEQUENCE {
> 0002   1:   INTEGER = 1
> 0005  30:   [APPLICATION 24] {
> 0007   1:     ENUM = 12
> 000A   0:     STRING = ''
> 000C  23:     STRING = 'Currently Not Supported'
> 0025    :   }
> 0025    : }
> TLS_RESULT: Net::LDAP::Extension=HASH(0x8066c10)
> TLS_CODE: 12
> TLS_MESS: Currently Not Supported
> TLS_Cipher: 3

Maybe Oracle doesn't support start_tls. Before you try start_tls() you should read the root_dse() and check if the supportedExtension attribute contains the start_tls OID, ie 1.3.6.1.4.1.1466.20037. If that value is not there the server officially doesn't support start_tls.

> When I run the following:
>
> openssl s_client -host oracleOidServer -port 636 -CAfile oracle.pem -debug

This is testing LDAPS, ie LDAP over SSL on port 636. (cf HTTPS is HTTP over SSL on a different port)

> SSL handshake has read 1328 bytes and written 342 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : DES-CBC3-SHA
>     Session-ID: E0E6EDA8AE37D9DA4167D30F68699A3F
>     Session-ID-ctx:
>     Master-Key: 3FB9984032B664D176E1613DB156D45022BD8A64698CD879C6282049E78D4F2A66D72C7467D462738C839234DEE19A12
>     Key-Arg   : None
>     Start Time: 1042737956
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)

Yes, that works.

> If I try to run this on port 389 I get the following:
>
> CONNECTED(00000003)
> write to 0814DAC8 [0814DB10] (130 bytes => 130 (0x82))
> 0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ......W... .....
> 0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .........f......
> 0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00   ................
> 0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
> 0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...........@...
> 0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02   ................
> 0060 - 00 80 4c 82 1f 51 66 17-63 ad 57 4b 57 ae b7 08   ..L..Qf.c.WKW...
> 0070 - a6 00 41 95 b7 c7 94 d5-aa e0 5e 43 c2 2a 88 84   ..A.......^C.*..
> 0080 - 47 b3                                             G.
> read from 0814DAC8 [08153070] (7 bytes => 0 (0x0))
> 24369:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:

That doesn't work, which is correct.

> I would assume the start_tls would point to port 636 rather than 389.
> When I set the port to 636 in the constructor it just hangs the program.
>
> keith

You're confused :-)

LDAP servers will often listen on two ports, 389 and 636 (the defaults.) On port 389 the server listens to plain LDAP which is unencrypted (unless you negotiate confidentiality using SASL). On port 636 the server expects an SSL connection and then LDAP on top of that.

The wrinkle is start_tls. Start_tls is used on port 389, and when you use it it converts the sockets being used to SSL (er, TLS) sockets thus encrypting the connection. It means you can get an encrypted connection using the standard port and without using SASL.

Your program using start_tls() is correct in talking to port 389, and the server is simply saying that it doesn't support start_tls even though it supports LDAPS.

Cheers, Chris
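To make the root DSE check described above concrete, here is an added example (not code from this thread or from perl-ldap itself) that calls start_tls only when the server advertises the StartTLS OID, and otherwise falls back to Net::LDAPS on port 636; the host name and CA file name are assumed placeholders, and both paths verify the server certificate against the CA file so a failed verification is fatal rather than silently ignored.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAPS;

# OID of the StartTLS extended operation, as cited in the thread
my $STARTTLS_OID = '1.3.6.1.4.1.1466.20037';

# Assumed placeholders for illustration; replace with your own values
my $host   = 'oracleOidServer';
my $cafile = 'oracle.pem';

# Return a bound-ready Net::LDAP/Net::LDAPS object whose transport is
# TLS-protected, or die. Prefers StartTLS on 389 when the root DSE
# advertises it; otherwise uses LDAPS on 636. Either way the server
# certificate must chain to $cafile (verify => 'require').
sub secure_ldap_connect {
    my ($host, $cafile) = @_;

    my $ldap = Net::LDAP->new($host, version => 3)
        or die "connect to $host:389 failed: $@";

    # The root DSE lists supported extended operations; consult it
    # before attempting start_tls instead of relying on the error code.
    my $dse = $ldap->root_dse(attrs => ['supportedExtension']);
    my %ext = map { $_ => 1 }
              ($dse ? $dse->get_value('supportedExtension') : ());

    if ($ext{$STARTTLS_OID}) {
        my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
        die "start_tls failed: " . $mesg->error if $mesg->code;
        return $ldap;
    }

    # Server does not advertise StartTLS (the thread's case, where the
    # server answered "Currently Not Supported"): drop the plaintext
    # session and open an SSL-from-the-start session on 636 instead.
    $ldap->unbind;
    my $ldaps = Net::LDAPS->new($host, port => 636, version => 3,
                                verify => 'require', cafile => $cafile)
        or die "LDAPS connect to $host:636 failed: $@";
    return $ldaps;
}

my $conn = secure_ldap_connect($host, $cafile);
print "connected to $host; transport is TLS-protected\n";
$conn->unbind;
```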
From: Keith A. C. <cl...@ac...> - 2003-01-16 19:47:18
Folks,

I used LDAPS and it works fine. I used ethereal on my machine and looked at all the packets and the data is encrypted.

my $lds=Net::LDAPS->new('myOracleOid',
                        version=>'3',
                        debug => '12',
                        cafile => 'oracle.pem',
                        port => '636',
                        );

Thanks for all the help and explanations.

keith