Openldap 2.4: olcTLSVerifyClient demand

openldap

I am running openLDAP 2.4.41 and trying to achieve client TLS certificate checking.
I've configured TLS on the server side as follows.

olcTLSCACertificateFile: /etc/pki/trust/anchors/rootCA.pem
olcTLSCertificateKeyFile: /etc/openldap/openldap.key
olcTLSCertificateFile: /etc/openldap/openldap.crt

TLS connection works well when olcTLSVerifyClient is set to try.

My client ldap.conf is the following (for testing simplicity I use the same cert both for the server and the client):

TLS_CACERT /etc/pki/trust/anchors/rootCA.pem
TLS_CACERTDIR /var/lib/ca-certificates/pem/
TLS_CERT /etc/openldap/openldap.crt
TLS_KEY /etc/openldap/openldap.key

Now, I am setting olcTLSVerifyClient: demand.

> ldapsearch -d 1 -H ldaps:/// -v -x -D 'mydn' -w mysecret -b 'cn=log' -s base
ldap_url_parse_ext(ldaps:///)
ldap_initialize( ldaps://:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: [SKIPPED]
TLS certificate verification: depth: 0, err: 0, subject: [SKIPPED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read server session ticket A
TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

In the server logs I see the following:

slap_listener_activate(8):
>>> slap_listener(ldaps:///)
connection_get(11): got connid=1021
connection_read(11): checking for input on id=1021
connection_get(11): got connid=1021
connection_read(11): checking for input on id=1021
connection_read(11): TLS accept failure error=-1 id=1021, closing
connection_close: conn=1021 sd=11

How could I debug why client certificate checking doesn't work?

upd: When I use openssl s_server there is a kind of contradiction.

# openssl s_server -accept 636 -cert /etc/openldap/openldap.crt -key /etc/openldap/openldap.key -CAfile /etc/pki/trust/anchors/rootCA.pem -Verify 0
verify depth is 0, must return a certificate
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
ERROR
139864715617936:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3309:
shutting down SSL
CONNECTION CLOSED
ACCEPT

But ldapsearch still says

TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A

upd2: I use OpenSSL 1.0.1i

Best Answer

Usually, when it works with olcTLSVerifyClient set to try but does not work with olcTLSVerifyClient set to demand, it means that the server does not recognize the client certificate (the rootCA that signed the client-side certificate is not considered a trusted CA on the server).
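A way to confirm that diagnosis offline, added here as an example and not part of the question or the answer: `openssl verify -CAfile` performs the same chain check slapd does at `demand`, so running it with the client certificate against the server's olcTLSCACertificateFile shows whether the issuer is trusted. The script assumes only the openssl CLI; the CAs and client certificate it generates are constructed fixtures, and the function names are my own.

```shell
#!/bin/sh
# Diagnostic for olcTLSVerifyClient: demand failures (added example, not from the post).
# On the real host the call would be:
#   check_client_cert /etc/openldap/openldap.crt /etc/pki/trust/anchors/rootCA.pem
set -u

# check_client_cert CERT CAFILE: returns 0 if CERT chains to a CA in CAFILE, 1 if not.
# Prints the two DNs that have to line up (issuer of CERT, subject of the CA) so a
# mismatch is visible even when the verify output alone is terse.
check_client_cert() {
    cert=$1; cafile=$2
    echo "client cert issuer: $(openssl x509 -in "$cert" -noout -issuer)"
    echo "first CA in file  : $(openssl x509 -in "$cafile" -noout -subject)"
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "OK: a server trusting $cafile accepts this client certificate"
        return 0
    fi
    echo "FAIL: $cert does not chain to $cafile; slapd would log 'TLS accept failure'"
    return 1
}

# Constructed fixtures in a temp dir: a root CA that signs a client cert, plus an
# unrelated root CA standing in for a server that trusts the wrong anchor.
make_fixtures() {
    dir=$(mktemp -d)
    for ca in good other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca Root CA" \
            -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/good-ca.pem" -CAkey "$dir/good-ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.crt" 2>/dev/null
    echo "$dir"
}

# demo: the client cert passes against its own CA and fails against the unrelated one.
demo() {
    d=$(make_fixtures)
    check_client_cert "$d/client.crt" "$d/good-ca.pem"
    check_client_cert "$d/client.crt" "$d/other-ca.pem" || true
}

demo
```

If the real certificate fails this check, the fix is on the server side: put the issuing CA (the whole chain, if there are intermediates) into the file named by olcTLSCACertificateFile.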