[SunHELP] pam_ldap tls/ssl connection failed: SSL3_GET_RECORD:wrong version number s3_pkt.c:297

Lara Adianto m1r4cle_26 at yahoo.com
Wed Jul 7 05:44:58 CDT 2004


Hello everyone,

I would like to get a Solaris 8 machine to authenticate
to an OpenLDAP server on Red Hat Linux using pam_ldap
from PADL. So far, I've been successful with the
authentication without TLS/SSL securing the connection
between the client and the server. Now, I would like
to include TLS/SSL...

I installed the following packages:

1. in Red Hat Linux:
- openldap-2.1.30 (compiled with-tls, TLS/SSL
connection has been tested with the ldapclient on the
same machine)
- openssl-0.9.6b

2. in Solaris 8:
- pam_ldap-169
- OpenLDAP 2.0.8 Solaris 8 Sparc Binaries (I added
this in Solaris because pam_ldap could not find the right
ldap library which has ldap_start_tls_s etc.)
- OpenSSL 0.9.6a Solaris 8 Sparc Binaries
(both binaries are downloaded from
http://www.ypass.net/solaris8/openldap/gettingsoftware.html
because I had difficulties in compiling the source)

Now the problem is that the server complains about
"wrong version number"!!! What does it mean?
Do I need to install the same version of OpenSSL or
OpenLDAP on both the server and the client?

I generated the server's and client's certificates and
keys on the server, and then moved the CA, client's
cert and key over to the Solaris client.

Below is an excerpt of debug message from the server:
------------------------------------------------------

daemon: activity on 1 descriptors
daemon: new connection on 10
ldap_pvt_gethostbyname_a: host=authserver, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
daemon: added 10r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource
temporarily unavailable)
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client
certificate A
TLS trace: SSL_accept:error in SSLv3 read client
certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:error in SSLv3 read client
certificate A
TLS: can't accept.
TLS: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number s3_pkt.c:297
connection_read(10): TLS accept error error=-1 id=0,
closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
daemon: removing 10
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

/etc/ldap.conf:
---------------
base dc=adianto,dc=com
uri ldap://adianto.com/
binddn cn=Manager,dc=adianto,dc=com
bindpw secret
port 389
scope sub
pam_filter objectclass=posixaccount
pam_login_attribute uid
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/lara/certs/cacert.pem
tls_ciphers HIGH
tls_cert /usr/lara/certs/ldap.client.pem
tls_key /usr/lara/certs/ldap.client.key.pem

The TLS configuration in slapd.conf :
-------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cert/cacert.pem
TLSCertificateFile /etc/openldap/cert/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cert/serverkey.pem

cheers,
-lara-

=====
------------------------------------------------------------------------------------ 
Life, you see, is never as good or as bad as one thinks
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
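As an added example (not code from the post, from OpenLDAP or from PADL), the script below reads a slapd debug excerpt like the one above, reports how far the TLS handshake got before it failed, decodes the packed OpenSSL error number, and runs a few consistency checks over a pam_ldap ldap.conf. The error-number layout (lib << 24 | func << 12 | reason) and the three names it resolves come from the OpenSSL 0.9.x/1.0.x headers; the config checks encode pam_ldap's documented semantics of `ssl on` (LDAPS, normally port 636) versus `ssl start_tls` (StartTLS over the plain ldap:// port). The sample log is the post's own excerpt with the mail line-wrapping undone, the sample ldap.conf is the post's, and all function names are my own.

```python
"""Summarise a failed slapd StartTLS handshake and sanity-check ldap.conf.

Added example; not from the SunHELP post, OpenLDAP or PADL.  The sample log is
the post's slapd excerpt with mail line-wrapping undone; the ldap.conf sample
is the post's configuration.
"""
import re

# OpenSSL 0.9.x/1.0.x packs an error as (lib << 24) | (func << 12) | reason.
# Only the names needed to resolve the post's error 1408F10B are listed;
# unknown numbers are passed through unchanged.
OPENSSL_LIBS = {20: "SSL"}
OPENSSL_FUNCS = {143: "SSL3_GET_RECORD"}
OPENSSL_REASONS = {267: "WRONG_VERSION_NUMBER"}

SAMPLE_SLAPD_LOG = """\
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number s3_pkt.c:297
connection_read(10): TLS accept error error=-1 id=0, closing
"""

SAMPLE_LDAP_CONF = """\
base dc=adianto,dc=com
uri ldap://adianto.com/
port 389
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/lara/certs/cacert.pem
tls_cert /usr/lara/certs/ldap.client.pem
tls_key /usr/lara/certs/ldap.client.key.pem
"""

TRACE_RE = re.compile(r"TLS trace: SSL_accept:(.*)")
ERR_RE = re.compile(r"TLS: error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code):
    """Split a packed OpenSSL error number into its lib/func/reason parts."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return {"lib": OPENSSL_LIBS.get(lib, lib),
            "func": OPENSSL_FUNCS.get(func, func),
            "reason": OPENSSL_REASONS.get(reason, reason)}


def summarize_tls_trace(log_text):
    """Return the last handshake step that completed, the step that failed,
    and the decoded OpenSSL error, from slapd -d trace output."""
    result = {"last_ok_step": None, "failing_step": None,
              "error_code": None, "decoded": None}
    for line in log_text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            step = m.group(1).strip()
            if step.startswith("error in "):
                result["failing_step"] = step[len("error in "):]
            else:
                result["last_ok_step"] = step
            continue
        m = ERR_RE.search(line)
        if m:
            result["error_code"] = int(m.group(1), 16)
            result["decoded"] = decode_openssl_error(result["error_code"])
    return result


def check_ldap_conf(conf_text):
    """Flag pam_ldap TLS options that contradict each other."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key.lower()] = value.strip()
    findings = []
    uri, mode = opts.get("uri", ""), opts.get("ssl", "no")
    if mode == "start_tls" and uri.startswith("ldaps://"):
        findings.append("ssl start_tls with an ldaps:// URI: StartTLS runs over the plain ldap:// port")
    if mode == "on" and uri.startswith("ldap://"):
        findings.append("ssl on means LDAPS (normally port 636), but the URI is plain ldap://")
    if opts.get("tls_checkpeer") == "yes" and "tls_cacertfile" not in opts:
        findings.append("tls_checkpeer yes without tls_cacertfile: no trust anchor for peer verification")
    if ("tls_cert" in opts) != ("tls_key" in opts):
        findings.append("tls_cert and tls_key must be configured together")
    return findings


if __name__ == "__main__":
    summary = summarize_tls_trace(SAMPLE_SLAPD_LOG)
    print("handshake reached:", summary["last_ok_step"])
    print("failed at:        ", summary["failing_step"])
    print("OpenSSL error:    ", summary["decoded"])
    print("ldap.conf issues: ", check_ldap_conf(SAMPLE_LDAP_CONF) or "none found")
```

Run against the post's excerpt, the summary shows the server finished its own flight (certificate and server done written and flushed) and then failed while reading the client's reply, with the error resolving to SSL / SSL3_GET_RECORD / WRONG_VERSION_NUMBER: the record header that arrived from the client after the server's hello flight did not carry an SSLv3/TLS version the server accepts. The ldap.conf checks return nothing for the post's configuration, so the client options are at least internally consistent (StartTLS over ldap://, port 389, CA file present for tls_checkpeer, cert and key paired), which narrows the search to the client-side TLS library and the certificate/key material it loads.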




