Google
  Web www.spinics.net

Re: [389-users] problem with SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]




2010/12/14 Rich Megginson <rmeggins@xxxxxxxxxx>
On 12/14/2010 01:51 AM, remy d1 wrote:
Hi list,

I have followed the instructions of the SSL Howto, but I am still stick at the SSL activation.

From a clean installation, I try to launch the setupssl.sh script, but at the end, I have
ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"

There is not specific configuration except that I use the port 9831 for my DS instead of 389 (I already use the standard LDAP port for OpenLDAP and I do not want to migrate (it is for testing)). I have modified the setupssl script to execute on this port.
What version of 389-ds-base? What platform?


389-ds-base-1.2.7.2-1.fc13.x86_64

Fedora 13
Linux 2.6.34.7-56.fc13.x86_64 #1 SMP




If I just try the end of the script, you can see the error :

ldapmodify -x -h localhost -p 9831 -D "cn=Directory Manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_qsha
Did you modify the script in any other way, other than changing the port number? Because the Ciphers attribute LDIF does not look correct. Each of the continuation lines should begin with a single space character - these continuation lines look left justified.

I changed the name of "myhost" to put a "real hostname" corresponding to my domain. I will try to insert a space before each line.


dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-secureport
nsslapd-secureport: 636

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on

EOF

Enter LDAP Password:
ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"

I have checked every part of these ldif data. The error is here :
nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_qsha

But if I do the modifications except this piece of code, ldaps can be started on the port 636, but the cert files could not be loaded from dirsrv, so I can not do any request in SSL...
If you do not successfully complete TLS/SSL configuration, you will almost always find that TLS/SSL is not working correctly.

What errors do you get? Error codes?

Red Hat Link with error codes "14.2.7.ÂUpdating Attribute Encryption for New SSL/TLS Certificates"Â:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.htmlÂ

Another error :

Starting dirsrv:
ÂÂ ÂKingKong...[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: certificate DB file cert8.db nor cert7.db exists in [/etc/dirsrv/slapd-KingKong] - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] SSL Initialization - Warning: key DB file /etc/dirsrv/slapd-KingKong/key3.db does not exist - SSL initialization will likely fail
[16/Dec/2010:13:52:16 +0100] - SSL alert: Security Initialization: Unable to authenticate (Netscape Portable Runtime error -8192 - An I/O error occurred during security authorization.)
[16/Dec/2010:13:52:16 +0100] - ERROR: SSL Initialization Failed.


I also try to :
Â- edit dse.ldif file in the dirsrv DS configuration directory and delete the line corresponding to the cert files as Red Hat documentation tells (after stoping dirsrv service).
Since you did not successfully complete TLS/SSL configuration, you will find that TLS/SSL is not working correctly.

Can you provide a link to the Red Hat docs?

We can see that dirsrv reload the cert files in the dse.ldif file, but it changed nothing.
Â- delete every *.db and *.txt files and cacert.csa. Then, if I reexecute setupssl.sh, it generates the cert files, but (again), there is no changes...

Obviously, if I open 389-console, I could see this string in the properties of "cn=encryption,cn=config".
Including all of the ciphers in the Ciphers attribute?

Yes !Â



********


Following the debugging :

Finally, it works... !

I have downloaded setupssl2.sh again with good spaces (for ciphers), and execute it. After removing the cert files (cacert, db, txt files) in /etc/dirsrv/slapd-instance/ I could launch ldaps correctly.

#./setupssl2.sh /etc/dirsrv/slapd-KingKong/ 9831
Using /etc/dirsrv/slapd-KingKong/ as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA


Generating key. ÂThis may take a few moments...

Creating self-signed CA certificate


Generating key. ÂThis may take a few moments...

Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host KingKong.mylocaldomain.com
Using fully qualified hostname KingKong.mylocaldomain.comÂfor the server name in the server cert subject DN
Note: If you do not want to use this hostname, edit this script to change myhost to the
real hostname you want to use


Generating key. ÂThis may take a few moments...

Creating the admin server certificate


Generating key. ÂThis may take a few moments...

Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Creating key and cert db for admin server
Importing the admin server key and cert (created above)
pk12util: PKCS12 IMPORT SUCCESSFUL
Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Enabling SSL in the directory server - when prompted, provide the directory manager password
Enter LDAP Password:

-> Here, I could launch dirsrv (in another window shell).

modifying entry "cn=encryption,cn=config"
ldap_modify: Type or value exists (20)


Now, after restarting dirsrv server and adding this :
# vi ~/.ldaprc
# TLS_CACERT <path-to-ca>.pem
TLS_REQCERT allow

I could launch ldaps request on my server.

Thanks;

Regards.

I have checked my real hostname and other stuffs specified in the documentation... I know that I do not use the standard LDAP port but I do not see why this section could not work... Other ldap request on this port work.

Sorry for my bad english...

Any help would be gracefull !

Regards;

RÃmy
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

[Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Home]     [Fedora Tools]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Red Hat 9 Bible]     [Red Hat 9]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

Add to Google