[SunHELP] Re: [pamldap] pam_ldap tls/ssl connection failed: SSL3_GET_RECORD:wrong version number s3_pkt.c:297
Lara Adianto
m1r4cle_26 at yahoo.com
Thu Jul 8 05:47:44 CDT 2004
Hello,

I'm still stuck with my problem... I've tried to modify my ldap.conf in Solaris to be as simple as possible by not doing server verification, etc., and leaving only ssl start_tls. Unfortunately, the problem persists. The server still complains about a wrong version number, and I don't have a clue at all what it means.
-----------------------------------------------------
....
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number s3_pkt.c:297
connection_read(10): TLS accept error error=-1 id=1, closing
connection_closing: readying conn=1 sd=10 for close
connection_close: conn=1 sd=10
-----------------------------------------------------
I tried the certificates with an ldapclient on the same machine as the server, and it works perfectly. I have no idea why it didn't work with Solaris. From the debugging messages of the working negotiation, I can see that the server should proceed by doing some kind of key exchange with the client, but instead it said TLS can't accept. Can somebody give me a clue?

Thanks in advance,
lara
--- Lara Adianto <m1r4cle_26 at yahoo.com> wrote:
> Hello everyone,
>
> I would like to get a Solaris 8 machine to authenticate to an OpenLDAP server on Red Hat Linux using pam_ldap from PADL. So far, I've been successful with the authentication without TLS/SSL securing the connection between the client and the server. Now, I would like to include TLS/SSL...
>
> I installed the following packages:
>
> 1. in Red Hat Linux:
> - openldap-2.1.30 (compiled with-tls; the TLS/SSL connection has been tested with the ldapclient on the same machine)
> - openssl-0.9.6b
>
> 2. in Solaris 8:
> - pam_ldap-169
> - OpenLDAP 2.0.8 Solaris 8 Sparc Binaries (I added this in Solaris because pam_ldap could not find the right ldap library which has ldap_start_tls_s etc.)
> - OpenSSL 0.9.6a Solaris 8 Sparc Binaries
> (both binaries are downloaded from
> http://www.ypass.net/solaris8/openldap/gettingsoftware.html
> because I had difficulties in compiling the source)
>
> Now the problem is that the server complains about a wrong version number!!! What does it mean? Do I need to install the same version of OpenSSL or OpenLDAP on both the server and the client?
>
> I generated the server's and client's certificates and keys on the server, and then moved the CA, client's cert and key over to the Solaris client.
>
> Below is an excerpt of the debug messages from the server:
>
> ------------------------------------------------------
>
> daemon: activity on 1 descriptors
> daemon: new connection on 10
> ldap_pvt_gethostbyname_a: host=authserver, r=0
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ber_scanf fmt (m) ber:
> daemon: added 10r
> daemon: activity on:
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> ber_get_next
> ber_get_next: tag 0x30 len 29 contents:
> do_extended
> ber_scanf fmt ({m) ber:
> send_ldap_extended: err=0 oid= len=0
> send_ldap_response: msgid=1 tag=120 err=0
> ber_flush: 14 bytes to sd 10
> ber_get_next
> ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number s3_pkt.c:297
> connection_read(10): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=10 for close
> connection_close: conn=0 sd=10
> daemon: removing 10
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
> /etc/ldap.conf:
> ---------------
> base dc=adianto,dc=com
> uri ldap://adianto.com/
> binddn cn=Manager,dc=adianto,dc=com
> bindpw secret
> port 389
> scope sub
> pam_filter objectclass=posixaccount
> pam_login_attribute uid
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /usr/lara/certs/cacert.pem
> tls_ciphers HIGH
> tls_cert /usr/lara/certs/ldap.client.pem
> tls_key /usr/lara/certs/ldap.client.key.pem
>
> The TLS configuration in slapd.conf :
> -------------------------------------
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /etc/openldap/cert/cacert.pem
> TLSCertificateFile /etc/openldap/cert/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/cert/serverkey.pem
>
> cheers,
> -lara-
>
=====
------------------------------------------------------------------------------------
Life, you see, is never as good nor as bad as one believes.
- Guy de Maupassant -
------------------------------------------------------------------------------------
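As an added example (not part of Lara's post, nor code from the OpenLDAP or PADL projects), here is a small Python triage script for slapd debug output of the kind quoted above. It lists the SSL_accept states that completed, the state slapd was in when it gave up, and decodes the packed OpenSSL error code 1408F10B into its library, function and reason numbers. The sample log is constructed from the trace in the post with its wrapped lines rejoined; the decoder assumes the classic pre-3.0 OpenSSL packing (8-bit library, 12-bit function, 12-bit reason) and the constants ERR_LIB_SSL = 20 and SSL_R_WRONG_VERSION_NUMBER = 267 from that era's err.h/ssl.h (OpenSSL 3.x no longer emits function codes, so the function field is 0 there).

```python
"""Triage helper for slapd TLS handshake traces.

Added example (not part of the original post). It reads the debug output
slapd prints with TLS tracing enabled, records the SSL_accept states that
were reached, notes the state in which the server gave up, and decodes the
packed OpenSSL error code (e.g. 1408F10B) into library / function / reason
using the classic pre-3.0 OpenSSL packing:

    code = (lib << 24) | (func << 12) | reason
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Numeric constants from OpenSSL's err.h / ssl.h (0.9.x - 1.1.x era); assumed here.
ERR_LIB_SSL = 20
SSL_R_WRONG_VERSION_NUMBER = 267

# Constructed sample: the trace quoted in the post, with the mail client's
# wrapped lines joined back into the single lines slapd actually emits.
SAMPLE_LOG = """\
daemon: read activity on 10
connection_get(10): got connid=1
connection_read(10): checking for input on id=1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number s3_pkt.c:297
connection_read(10): TLS accept error error=-1 id=1, closing
"""

TRACE_RE = re.compile(r"^TLS trace: SSL_accept:(?P<state>.+)$")
ERROR_RE = re.compile(
    r"^TLS: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.+?)(?:\s+(?P<file>\S+\.c:\d+))?$"
)


@dataclass
class HandshakeReport:
    states_reached: List[str] = field(default_factory=list)  # SSL_accept states that completed, in order
    failed_state: Optional[str] = None                        # state slapd was in when it gave up
    error_code: Optional[int] = None                          # packed OpenSSL error code
    error_text: Optional[str] = None                          # "function:reason" as printed


def decode_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split a packed (pre-3.0) OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def analyse_trace(log: str) -> HandshakeReport:
    """Walk slapd debug output and record how far the TLS accept got."""
    report = HandshakeReport()
    for raw in log.splitlines():
        line = raw.strip()
        m = TRACE_RE.match(line)
        if m:
            state = m.group("state")
            if state.startswith("error in "):
                # slapd prints this once per failed retry; only the state name matters
                report.failed_state = state[len("error in "):]
            else:
                report.states_reached.append(state)
            continue
        m = ERROR_RE.match(line)
        if m:
            report.error_code = int(m.group("code"), 16)
            report.error_text = f"{m.group('func')}:{m.group('reason')}"
    return report


def summarise(report: HandshakeReport) -> str:
    """Render the report as a few lines an administrator can act on."""
    last = report.states_reached[-1] if report.states_reached else "(none)"
    lines = [f"last SSL_accept state completed: {last}"]
    if report.failed_state:
        lines.append(f"failed in state: {report.failed_state}")
    if report.error_code is not None:
        lib, func, reason = decode_openssl_error(report.error_code)
        lines.append(
            f"OpenSSL error {report.error_code:08X}: lib={lib} func={func} "
            f"reason={reason} ({report.error_text})"
        )
        if lib == ERR_LIB_SSL and reason == SSL_R_WRONG_VERSION_NUMBER:
            # SSL3_GET_RECORD checks the version bytes of the record header before
            # anything else is parsed, so no client certificate was read at this point.
            lines.append(
                "record-layer failure: the version field of the next record from the "
                "client was not the SSL/TLS version the server expected; no client "
                "certificate was examined yet, so compare protocol/version settings on "
                "both ends before suspecting the certificates"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(analyse_trace(SAMPLE_LOG)))
```

Run against the sample, the script reports that the accept completed "SSLv3 flush data" (the server had sent its hello, certificate and server done) and failed in "SSLv3 read client certificate A" with reason 267, wrong version number. That error is raised by the record layer when the version bytes in an incoming record header are not what it expects, which places the fault in the bytes the client sent back after "server done", before any certificate was read. Pointing the script at a full `slapd -d` capture (`python3 tls_triage.py < slapd.log`, with the `SAMPLE_LOG` default replaced by `sys.stdin.read()`) gives the same summary for a real log.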