directory-dev mailing list archives

From "Ralf Hauser (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Commented: (DIR-185) ldaps not working with gpg
Date Tue, 13 Jun 2006 20:58:37 GMT
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12416073 ] 

Ralf Hauser commented on DIR-185:
---------------------------------

Thanks, similar effect with "ldapsearch" (even under cygwin):

<<Ralf Hauser@Acer:~> ldapsearch -v -H ldaps://localhost:2636 -d5 -D "dn=micky" -w mouse -b "ou=PgpKeys,ou=domain" pgpuserid='test*'
ldap_initialize( ldaps://localhost:2636 )
ldap_create
ldap_url_parse_ext(ldaps://localhost:2636)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:2636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:2636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /DC=com/DC=domain/emailAddress=vlatkogj@domain.com.mk, issuer: /DC=com/DC=netcetera/emailAddress=vlatkogj@domain.com.mk
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>>

just adding 
  TLS_REQCERT never 
was enough.
You could get the cert with
   openssl s_client -connect localhost:2636
---------------

Ralf Hauser@Acer_Ralf:~> gpg.1.4.2.1 --keyserver ldaps://localhost:2636 --keyserver-options 'binddn=\"micky"' --keyserver-options bindpw=mouse --search Test
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "Test" from ldaps server localhost
gpgkeys: unable to retrieve LDAP base: Can't contact LDAP server
gpg: key "Test" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

So cygwin's gpg.1.4.2.1 and Windows' gpg.1.4.3 unfortunately don't appear to honour ~/.ldaprc.
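
TLS_REQCERT never makes ldapsearch connect without checking the server certificate at all, so any host answering on port 2636 is accepted. The usual fix for a self-signed ldaps server is to export its certificate with the openssl s_client command mentioned above and pin it with TLS_CACERT while keeping TLS_REQCERT demand. The script below is an added example, not part of this ticket or of ApacheDS; the file names and certificate bodies in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the ticket): trust the ldaps server's own
# self-signed certificate via TLS_CACERT instead of switching
# verification off with TLS_REQCERT never. File names and the
# certificate bodies below are constructed placeholders.

# Print only the first PEM block of `openssl s_client -showcerts`
# output read on stdin; s_client lists the server's own (depth 0)
# certificate first, which for a self-signed server is the CA.
extract_server_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Write an ldaprc that trusts exactly $1 and still requires a valid
# chain; $2 is the ldaprc path (normally "$HOME/.ldaprc").
write_ldaprc() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1" > "$2"
}

# Exit 1 if the file disables verification (never) or makes a failed
# check non-fatal (allow, try); exit 0 when it demands a valid chain.
check_ldaprc() {
    ! grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow|try)([[:space:]]|$)' "$1"
}

# Offline demo on constructed s_client output. Against a live server:
#   openssl s_client -connect localhost:2636 -showcerts </dev/null \
#     | extract_server_cert > "$HOME/ldaps-server.pem"
demo() {
    work=$(mktemp -d)
    cat > "$work/s_client.txt" <<'EOF'
verify error:num=18:self signed certificate
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderNotARealCertificate==
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBsecondCopyMustNotBeIncluded==
-----END CERTIFICATE-----
EOF
    extract_server_cert < "$work/s_client.txt" > "$work/server.pem"
    write_ldaprc "$work/server.pem" "$work/ldaprc"
    check_ldaprc "$work/ldaprc" && cat "$work/ldaprc"
}

demo
```

After writing the real ~/.ldaprc this way, the ldapsearch command above should complete the TLS handshake without TLS_REQCERT never, and a server presenting a different certificate is rejected again.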


> ldaps not working with gpg
> --------------------------
>
>          Key: DIR-185
>          URL: http://issues.apache.org/jira/browse/DIR-185
>      Project: Directory
>         Type: Bug
>   Components: miscellaneous
>  Environment: cygwin gpg (GnuPG) 1.4.1
>     Reporter: Ralf Hauser
>     Assignee: Alex Karasulu
>
> when doing 
> myPc> gpg --keyserver ldaps://localhost:2636 --search micky -v
> gpg: searching for "micky -v" from ldaps server localhost
> gpgkeys: unable to retrieve LDAP base: Can't contact LDAP server
> gpg: key "micky -v" not found on keyserver
> gpg: keyserver internal error
> gpg: keyserver search failed: keyserver error
> on the server-side, I see 
> <<7594 [IoThreadPool-1] INFO org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] OPENED
> 8016 [IoThreadPool-1] INFO org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] CLOSED
> 8016 [IoThreadPool-1] ERROR org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] EXCEPTION:
> javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
> 	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:422)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:494)
> 	at org.apache.mina.common.support.AbstractIoFilterChain.access$1000(AbstractIoFilterChain.java:52)
> 	at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:761)
> 	at org.apache.mina.filter.ThreadPoolFilter.processEvent(ThreadPoolFilter.java:665)
> 	at org.apache.mina.filter.ThreadPoolFilter$Worker.processEvents(ThreadPoolFilter.java:421)
> 	at org.apache.mina.filter.ThreadPoolFilter$Worker.run(ThreadPoolFilter.java:376)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
> 	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1482)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:957)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:782)
> 	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:674)
> 	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
> 	at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:675)
> 	at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:492)
> 	at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:291)
> 	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:390)
> 	... 6 more>>
> it would be great to know what ca gpg is presenting or what other measures would make this work...

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira