I am running openLDAP 2.4.41 and trying to implement client TLS certificate checking. I have configured TLS on the server side as follows:
    olcTLSCACertificateFile: /etc/pki/trust/anchors/rootCA.pem
    olcTLSCertificateKeyFile: /etc/openldap/openldap.key
    olcTLSCertificateFile: /etc/openldap/openldap.crt
When olcTLSVerifyClient is set to try, the TLS connection works fine.
My client ldap.conf is below (to keep testing simple I use the same certificate for both the server and the client):
    TLS_CACERT /etc/pki/trust/anchors/rootCA.pem
    TLS_CACERTDIR /var/lib/ca-certificates/pem/
    TLS_CERT /etc/openldap/openldap.crt
    TLS_KEY /etc/openldap/openldap.key
Now I set olcTLSVerifyClient: demand.
    > ldapsearch -d 1 -H ldaps:/// -v -x -D 'mydn' -w mysecret -b 'cn=log' -s base
    ldap_url_parse_ext(ldaps:///)
    ldap_initialize( ldaps://:636/??base )
    ldap_create
    ldap_url_parse_ext(ldaps://:636/??base)
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP localhost:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying ::1 636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 1, err: 0, subject: [SKIPPED]
    TLS certificate verification: depth: 0, err: 0, subject: [SKIPPED]
    TLS trace: SSL_connect:SSLv3 read server certificate A
    TLS trace: SSL_connect:SSLv3 read server certificate request A
    TLS trace: SSL_connect:SSLv3 read server done A
    TLS trace: SSL_connect:SSLv3 write client certificate A
    TLS trace: SSL_connect:SSLv3 write client key exchange A
    TLS trace: SSL_connect:SSLv3 write change cipher spec A
    TLS trace: SSL_connect:SSLv3 write finished A
    TLS trace: SSL_connect:SSLv3 flush data
    TLS trace: SSL3 alert read:fatal:handshake failure
    TLS trace: SSL_connect:failed in SSLv3 read server session ticket A
    TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
In the server log I see the following:
    slap_listener_activate(8): >>> slap_listener(ldaps:///)
    connection_get(11): got connid=1021
    connection_read(11): checking for input on id=1021
    connection_get(11): got connid=1021
    connection_read(11): checking for input on id=1021
    connection_read(11): TLS accept failure error=-1 id=1021, closing
    connection_close: conn=1021 sd=11
How can I debug why the client certificate check is not working?
upd: there is a contradiction when I use openssl s_server.
    # openssl s_server -accept 636 -cert /etc/openldap/openldap.crt -key /etc/openldap/openldap.key -CAfile /etc/pki/trust/anchors/rootCA.pem -Verify 0
    verify depth is 0, must return a certificate
    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT
    ERROR
    139864715617936:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3309:
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT
But ldapsearch still says:
    TLS trace: SSL_connect:SSLv3 write client certificate A
    TLS trace: SSL_connect:SSLv3 write client key exchange A
    TLS trace: SSL_connect:SSLv3 write change cipher spec A
    TLS trace: SSL_connect:SSLv3 write finished A
upd2: I am using OpenSSL 1.0.1i.
Usually, when it works with olcTLSVerifyClient set to try but does not work with olcTLSVerifyClient set to demand, it means the server does not recognize the client certificate (the rootCA that signed the client certificate is not trusted on the server).
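The answer above points at the trust anchor, but a "handshake failure" alert with no further detail can also come from a certificate that is not usable for client authentication, or from a TLS_KEY that does not belong to TLS_CERT. The script below is an added example, not code from the original post or from OpenLDAP: it builds a throwaway root CA, a client certificate signed by it and an unrelated second CA in a temp directory (all names such as rootCA, otherCA and client are constructed for the demo), then runs the three offline checks you would do against the real files before touching slapd. The live openssl s_client command at the end is left as a comment because it needs the server listening.

```shell
#!/bin/sh
# Added example, not from the original post or OpenLDAP. Offline checks for
# what a slapd with "olcTLSVerifyClient: demand" needs from a client cert.
# All material is generated into $WORK; rootCA/otherCA/client are constructed names.

WORK=$(mktemp -d)
CFG="$WORK/ext.cnf"

# Minimal OpenSSL config: a CA extension set and a clientAuth leaf extension set.
cat >"$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed root CA written to $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" \
        -config "$CFG" -extensions ca_ext 2>/dev/null
}

# make_client CA: $WORK/client.crt and $WORK/client.key, signed by $WORK/CA.pem
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" -config "$CFG" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/client.crt" -extfile "$CFG" -extensions client_ext 2>/dev/null
}

# check_client_cert CERT KEY CAFILE
# Returns 0 only if a server whose olcTLSCACertificateFile is CAFILE would accept
# CERT presented with KEY; otherwise prints the failing check and returns 1.
check_client_cert() {
    cert=$1 key=$2 cafile=$3
    # 1. Does the cert chain to the CA the server trusts? This is the case the
    #    answer above describes: the signer of the client cert is not in CAFILE.
    if ! openssl verify -CAfile "$cafile" "$cert" 2>&1 | grep -q ': OK$'; then
        echo "FAIL chain: $cert does not chain to $cafile"
        echo "  cert issuer: $(openssl x509 -in "$cert" -noout -issuer)"
        echo "  CA subject : $(openssl x509 -in "$cafile" -noout -subject)"
        return 1
    fi
    # 2. Is the cert usable for TLS client auth? A server cert with an EKU that
    #    lacks clientAuth is rejected even though it chains correctly.
    if ! openssl x509 -in "$cert" -noout -purpose | grep -q '^SSL client : Yes'; then
        echo "FAIL purpose: $cert is not valid for TLS client authentication"
        return 1
    fi
    # 3. Does TLS_KEY actually belong to TLS_CERT? Compare the public keys.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL key: $key does not match the public key in $cert"
        return 1
    fi
    echo "OK: $cert would be accepted by a server trusting $cafile"
    return 0
}

make_ca rootCA
make_ca otherCA
make_client rootCA

check_client_cert "$WORK/client.crt" "$WORK/client.key" "$WORK/rootCA.pem"  || true  # passes
check_client_cert "$WORK/client.crt" "$WORK/client.key" "$WORK/otherCA.pem" || true  # wrong trust anchor
check_client_cert "$WORK/client.crt" "$WORK/otherCA.key" "$WORK/rootCA.pem" || true  # wrong key

# Live check against the real server (not run here, it needs slapd listening):
#   openssl s_client -connect localhost:636 -CAfile /etc/pki/trust/anchors/rootCA.pem \
#       -cert /etc/openldap/openldap.crt -key /etc/openldap/openldap.key -showcerts
# The "Acceptable client certificate CA names" block in its output is what slapd
# sends in the CertificateRequest; the issuer of TLS_CERT must appear there.
```

Run the script with the real paths substituted into the three check_client_cert calls; the first check that prints FAIL is the one to fix. If all three pass offline and slapd still closes the connection, raise the slapd log level (loglevel -1 during the test) so the TLS accept failure is logged with the underlying OpenSSL error rather than the bare error=-1 shown in the question.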