From: <gee...@ut...> - 2006-10-17 16:38:14
Hi Michael,

Here is the result with openssl. It also "sometimes" works...

gvm@endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

gvm@endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15318:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

gvm@endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
---
Certificate chain
 0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
   i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
subject=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
issuer=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=p...@th...
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=p...@th...
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=p...@th...
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
---
SSL handshake has read 3261 bytes and written 1781 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 830A000079AD969762D5CA1CC27D874EADB5777B7F9AF5A191900602703F0F9B
    Session-ID-ctx:
    Master-Key: 2D17CCBF98E9610A5043C5348A5551717846756EFAE04734239A1DBA6D044788D3A34E7074E108CD12D1364586B2405E
    Key-Arg   : None
    Start Time: 1161103751
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0
gvm@endor:~/Temp/PYSSL>

Thanks,

Geert

Michael Ströder <mi...@st...>
Sent by: pyt...@li...
10/17/2006 06:18 PM

To: gee...@ut...
cc: pyt...@li...
Subject: Re: SSL and AD

gee...@ut... wrote:
>
> Strange things are happening: It sometimes works.

Hmm, this kind of error we all like most... ;-)

> I can sometimes make an
> ssl connection with client authentication,
> search for some entries...

Could you please verify that your connection always works on command-line
without python-ldap?

openssl s_client ...

Ciao, Michael.

_______________________________________________
Python-LDAP-dev mailing list
Pyt...@li...
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
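
Added example, not part of the original thread: one way to turn "it sometimes works" into a failure rate is to repeat the s_client run shown in the message above and tally the outcomes. The function names (classify_handshake, tally, probe) and the default of 20 runs are assumptions made for this sketch; the openssl options are the ones used in the message.

```shell
#!/bin/sh
# Added example (not from the thread): measure how often the LDAPS handshake
# fails by repeating the s_client run and tallying the outcomes.

# Classify one s_client transcript read from stdin. Errors are checked first
# because a failed run still contains "verify return:1" lines.
classify_handshake() {
    transcript=$(cat)
    case $transcript in
        *'ssl handshake failure'*)      echo handshake_failure ;;
        *':error:'*)                    echo other_error ;;
        *'Verify return code: 0 (ok)'*) echo ok ;;
        *'Verify return code:'*)        echo verify_error ;;
        *)                              echo no_result ;;
    esac
}

# Turn a stream of labels (one per line) into "label=count" lines.
tally() {
    sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# probe HOST:PORT CAFILE CERT KEY [RUNS]
# stdin is /dev/null so s_client exits right after the handshake.
probe() {
    target=$1; cafile=$2; cert=$3; key=$4; runs=${5:-20}
    i=0
    while [ "$i" -lt "$runs" ]; do
        openssl s_client -connect "$target" -CAfile "$cafile" \
            -cert "$cert" -key "$key" </dev/null 2>&1 | classify_handshake
        i=$((i + 1))
    done | tally
}

# Run only when called with arguments, e.g.:
#   sh probe.sh 192.168.1.5:636 rootca.pem endor-crt.pem endor-key.pem 50
if [ "$#" -ge 4 ]; then
    probe "$@"
fi
```

A mix of ok and handshake_failure counts from the same client and credentials points at the server side or the network path rather than at python-ldap.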