touch-packages team mailing list archive
Message #131595
[Bug 1534230] Re: LDAP TLS connection stopped working
Hello Seth,
openssl s_client -connect... gets an error before a ciphersuite is indicated:
#openssl s_client -connect ldapserver:389 -tls1_2
CONNECTED(00000003)
140032666195616:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1453829896
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Meanwhile, on the slapd -d -1 debugging side, the error is "Result too large" for function ber_get_next():
56a7af08 daemon: waked
56a7af08 daemon: select: listen=6 active_threads=0 tvp=NULL
56a7af08 daemon: select: listen=7 active_threads=0 tvp=NULL
56a7af08 daemon: activity on 1 descriptor
56a7af08 daemon: activity on:56a7af08 11r56a7af08
56a7af08 daemon: read activity on 11
56a7af08 daemon: select: listen=6 active_threads=0 tvp=NULL
56a7af08 connection_get(11)
56a7af08 daemon: select: listen=7 active_threads=0 tvp=NULL
56a7af08 connection_get(11): got connid=1000
56a7af08 connection_read(11): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
0000: 16 03 01 01 22 01 00 01 ...."...
56a7af08 ber_get_next on fd 11 failed errno=34 (Result too large)
56a7af08 connection_read(11): input error=-2 id=1000, closing.
56a7af08 connection_closing: readying conn=1000 sd=11 for close
56a7af08 daemon: activity on 1 descriptor
56a7af08 connection_close: conn=1000 sd=11
56a7af08 daemon: waked
56a7af08 daemon: select: listen=6 active_threads=0 tvp=NULL
56a7af08 daemon: select: listen=7 active_threads=0 tvp=NULL
56a7af08 daemon: removing 11
56a7af08 conn=1000 fd=11 closed (connection lost)
I tried several values for TLSCipherSuite in slapd.conf, but with no success yet. I will try some more.
Thanks for your help.
François
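A note on the two traces above, as an added example that is not part of the original message. The eight bytes slapd dumped ("16 03 01 01 22 01 00 01") are not a BER-encoded LDAPMessage (which always starts with the SEQUENCE tag 0x30); they are the start of a TLS record: content type 0x16 (handshake), record-layer version 3.1, record length 0x0122 = 290, followed by handshake type 0x01 (ClientHello) and the first two bytes of the handshake length. That is exactly what openssl s_client sends when pointed at port 389 without a StartTLS step: raw TLS arrives on the cleartext LDAP port, slapd's liblber cannot parse it as BER and closes the connection, so the "ssl handshake failure" on the client side says nothing about ciphersuites. To exercise the server's TLS stack, test the ldaps port (636) with s_client, or run ldapsearch -ZZ -d1 against port 389 so the StartTLS ExtendedRequest is sent first and the GnuTLS error from the thread title is reproduced. The script below (constructed example code, not from the thread or from OpenLDAP) decodes the logged bytes, and a constructed LDAP BindRequest prefix for comparison, and classifies what a client sent:

```python
"""Tell a raw TLS record apart from a BER-encoded LDAPMessage.

Added example for the slapd trace above; not code from the thread.
"""
import struct

# Constructed input: the eight bytes slapd dumped in the -d -1 log above.
SLAPD_DUMP = bytes.fromhex("16 03 01 01 22 01 00 01")

# Constructed input: start of a cleartext LDAP BindRequest with messageID 1,
# as an anonymous simple bind would send it (SEQUENCE, INTEGER 1, APPLICATION 0).
LDAP_BIND_PREFIX = bytes.fromhex("30 0c 02 01 01 60 07 02")

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_HANDSHAKE_TYPES = {0x01: "client_hello", 0x02: "server_hello"}
BER_SEQUENCE = 0x30  # every LDAPMessage begins with a universal SEQUENCE tag


def parse_tls_record_header(data: bytes) -> dict:
    """Decode the 5-byte TLS record header and, for handshake records,
    the handshake message type that follows it."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type not in TLS_CONTENT_TYPES or major != 3:
        raise ValueError("not a TLS record header")
    info = {"content_type": TLS_CONTENT_TYPES[content_type],
            "record_version": f"{major}.{minor}",
            "record_length": length}
    if content_type == 0x16 and len(data) >= 6:
        info["handshake_type"] = TLS_HANDSHAKE_TYPES.get(
            data[5], f"0x{data[5]:02x}")
    return info


def parse_ber_header(data: bytes) -> dict:
    """Decode a single-byte BER tag and its short- or long-form length."""
    if len(data) < 2:
        raise ValueError("need at least 2 bytes for a BER tag and length")
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return {"tag": tag, "length": first, "header_length": 2}
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("indefinite or oversized BER length")
    length = int.from_bytes(data[2:2 + n], "big")
    return {"tag": tag, "length": length, "header_length": 2 + n}


def classify(data: bytes) -> str:
    """Return 'ldap', 'tls' or 'unknown' for the first bytes read on an
    LDAP socket.  0x30 is never a TLS content type, so the two cannot clash."""
    if not data:
        return "unknown"
    if data[0] == BER_SEQUENCE:
        return "ldap"
    try:
        parse_tls_record_header(data)
        return "tls"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    for label, sample in (("slapd dump", SLAPD_DUMP),
                          ("bind prefix", LDAP_BIND_PREFIX)):
        kind = classify(sample)
        detail = (parse_tls_record_header(sample) if kind == "tls"
                  else parse_ber_header(sample))
        print(f"{label}: {sample.hex(' ')} -> {kind} {detail}")
```

Running it reports the slapd dump as a TLS handshake record carrying a ClientHello and the bind prefix as a BER SEQUENCE of length 12, which is the quickest way to confirm from a slapd debug log alone that the client skipped StartTLS.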
https://bugs.launchpad.net/bugs/1534230
Title:
LDAP TLS connection stopped working
Status in gnutls26 package in Ubuntu:
Invalid
Bug description:
My LDAP authentication stopped working with the error: "The signature
algorithm is not supported"
This is GNUTLS Error code: -106
GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM
LDAP search reproduces it:
$ ldapsearch -H ldaps://xxx.xxx.gov/ -b "OU=xxx" -x -d1
ldap_url_parse_ext(ldaps://xxx.xxx.gov/)
ldap_create
ldap_url_parse_ext(ldaps://xxx.xxx.gov:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP xxx.xxx.gov:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 128.219.164.41:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: The signature algorithm is not supported..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It looks like the SHA1 support was removed from gnutls26...
Other packages:
ldap-utils:
Version: 2.4.31-1+nmu2ubuntu8.2
libsasl2-2:
Version: 2.1.25.dfsg1-17build1
libldap-2.4-2:
Version: 2.4.31-1+nmu2ubuntu8.2
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libgnutls26 2.12.23-12ubuntu2.4
ProcVersionSignature: Ubuntu 3.13.0-75.119-generic 3.13.11-ckt32
Uname: Linux 3.13.0-75-generic x86_64
NonfreeKernelModules: fglrx
ApportVersion: 2.14.1-0ubuntu3.19
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Jan 14 11:38:36 2016
InstallationDate: Installed on 2014-10-08 (462 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
SourcePackage: gnutls26
UpgradeStatus: No upgrade log present (probably fresh install)