the error you refer to has just a wee bit more description here
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
in particular "This generally indicates that the remote peer system
has a flawed implementation of SSL, and is violating the SSL
specification." so I suggest you ask on an NSS-related list for more
insight and explanation. Personally I haven't seen that error before,
but then I didn't try to connect to AD over SSL either.

NataliaB wrote:
Hi,
Could somebody give me some advice on how to debug a problem with an SSL
connection?
A customer uses AD as an LDAP server. The server listens on port 389
without SSL and 636 with SSL. Our client software successfully
connects to the server on port 389, but it fails to connect on 636.
Client libraries are built with DS 6.3.

I tried a couple of ways to connect to the server, but all of them end
up with an error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG SSL received a
record that exceeded the maximum permissible length)
Here is the sample code:
“
/* Initialize the client (certdbpath points at the NSS cert/key database) */
if ( ldapssl_client_init( certdbpath, NULL ) < 0 ) {
    perror( "ldapssl_client_init" );
    return( 1 );
}

printf ("DEBUG: ldapssl_client_init success\n");

/* set the max I/O timeout option to 10 seconds */
if ( prldap_set_session_option( NULL, NULL, PRLDAP_OPT_IO_MAX_TIMEOUT,
                                10000 /* 10 secs */ ) != LDAP_SUCCESS ) {
    ldap_perror( NULL,
                 "prldap_set_session_option PRLDAP_OPT_IO_MAX_TIMEOUT" );
    exit( 1 );
}

printf ("DEBUG: prldap_set_session_option success\n");

/* get a handle to an LDAP connection (third argument 1 = use SSL) */
if ( (ld = ldapssl_init( host, nPort, 1 )) == NULL ) {
    perror( "ldapssl_init" );
    return( 1 );
}

printf ("DEBUG: ldapssl_init success\n");

/* use LDAPv3 */
i = LDAP_VERSION3;
if ( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &i ) < 0 ) {
    ldap_perror( ld, "ldap_set_option LDAPv3" );
    ldap_unbind( ld );
    return( 1 );
}

printf ("DEBUG: ldap_set_option LDAP_OPT_PROTOCOL_VERSION=3 success\n");

/* search for all entries with surname of Jensen; the SSL connection is
   actually opened here, on the first operation that needs the socket */
if ( ldap_search_s( ld, basedn, LDAP_SCOPE_SUBTREE,
                    srh_str, NULL, 0, &result ) != LDAP_SUCCESS ) {
    ldap_perror( ld, "ldap_search_s" );

    printf(" ERROR: ldap_search_s err: %d\n", PR_GetError());
    /*
    if ( result == NULL ) {
        ldap_unbind( ld );
        return( 1 );
    }
    */
}
else
{
    …
}

printf ("DEBUG: binding user\n");

/* the assignment must be parenthesized: != binds tighter than =, so
   without the parentheses res receives 0 or 1 instead of the LDAP result code */
if ( (res = ldap_simple_bind_s(ld, loginDN, password)) != LDAP_SUCCESS )
{
    printf(" ERROR: ldap_simple_bind_s err: %d\n", PR_GetError());
}
else
    printf ("DEBUG: ldap_simple_bind_s success\n");
”

The output from that code:

“
DEBUG: ldapssl_client_init success
DEBUG: prldap_set_session_option success
DEBUG: ldapssl_init success
DEBUG: ldap_set_option LDAP_OPT_PROTOCOL_VERSION=3 success
ldap_search_s: Can't connect to the LDAP server - Unknown error
ERROR: ldap_search_s err: -12263
DEBUG: binding user
ERROR: ldap_simple_bind_s err: -12263
”

Wireshark network protocol analyzer displays the following
communication:
The client contacts the server and says "Client Hello".
The Server responds with "Server Hello, Certificate, Certificate
Request, Server Hello Done"
Then the client responds with a "Fatal, Record Overflow" error

Is it something wrong with the certificate? Or the way I initialize
and connect to the server ?

Natalia
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
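A small diagnostic for the capture described above, added here as an example (not code from the thread or from the LDAP C SDK). It reads the raw bytes the server sent (for instance exported from the Wireshark follow-stream view) and applies the two checks that sit behind SSL_ERROR_RX_RECORD_TOO_LONG: whether the bytes are framed as TLS records at all, and whether any record header claims more than the TLS 1.0-1.2 ceiling of 2^14 + 2048 bytes. The sample inputs are constructed, not taken from the customer's server.

```python
import struct

MAX_PLAINTEXT = 1 << 14                 # 16384-byte plaintext limit per TLS record
MAX_CIPHERTEXT = MAX_PLAINTEXT + 2048   # TLS 1.0-1.2 ciphertext ceiling (RFC 5246, 6.2.3)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


def parse_records(data):
    """Walk the 5-byte record headers in data and return one dict per record.
    Stops at the first header that is not TLS, since the bytes after it are
    not framed as records at all."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        is_tls = ctype in CONTENT_TYPES and (version >> 8) == 3
        records.append({"type": CONTENT_TYPES[ctype] if is_tls else "non-TLS",
                        "version": version, "length": length,
                        "too_long": length > MAX_CIPHERTEXT})
        if not is_tls:
            break
        off += 5 + length
    return records


def diagnose(data):
    """Summarise what a TLS client would object to in the peer's bytes."""
    recs = parse_records(data)
    if not recs:
        return "truncated: fewer than 5 bytes, no record header"
    if recs[0]["type"] == "non-TLS":
        return "not TLS: first byte 0x%02x; check that the port really speaks SSL" % data[0]
    for i, r in enumerate(recs):
        if r["too_long"]:
            return ("record %d (%s) claims %d bytes > %d: RX_RECORD_TOO_LONG"
                    % (i, r["type"], r["length"], MAX_CIPHERTEXT))
    return "ok: %d record(s), all within limits" % len(recs)


# Constructed samples (not captured from the thread's server):
# plaintext LDAP BindResponse (BER SEQUENCE, tag 0x30) answering on the TLS port
SAMPLE_PLAINTEXT_LDAP = bytes.fromhex("300c02010161070a010004000400")
# TLS 1.0 Handshake record whose header claims 20480 bytes, over the 18432 ceiling
SAMPLE_OVERSIZED = bytes.fromhex("1603015000") + b"\x02" * 20480
# TLS 1.0 Handshake record of 512 bytes, the shape of a normal Server Hello flight
SAMPLE_OK = bytes.fromhex("1603010200") + b"\x02" * 512

if __name__ == "__main__":
    for name, blob in [("plaintext", SAMPLE_PLAINTEXT_LDAP), ("oversized", SAMPLE_OVERSIZED), ("ok", SAMPLE_OK)]:
        print(name, "->", diagnose(blob))
```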