Hi! I've tried to establish a TLS-secured connection between freeradius-1.0.1-3 (Red Hat Enterprise Linux 4) and an openldap server. I tried every combination of tls_mode, start_tls and tls_require_cert, but I never got more than this error:
(/etc/raddb/radiusd.conf)
-------------------8<----------------------------------------
ldap {
        server = "MYLDAPSERVER.ira.uka.de"
        port = 389
        identity = "uid=MYUSERNAME, ou=MYUNIT, dc=ira, dc=uka, dc=de"
        password = MYPASSWORD
        basedn = "ou=MYUNIT,dc=ira,dc=uka,dc=de"
        filter = "(uid=MYPREFIX-%u)"
        start_tls = yes
        tls_mode = no
        tls_cacertdir = /etc/raddb/cacerts/
        tls_require_cert = demand
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # No useful error msg w/o 0xffff
        ldap_debug = 0xffff
}
-------------------8<----------------------------------------

(/var/log/radius/radius.log)
-------------------8<----------------------------------------
Error: rlm_ldap: could not start TLS Connect error
Error: rlm_ldap: (re)connection attempt failed
-------------------8<----------------------------------------

The problem was:

(/usr/sbin/radiusd -X)
-------------------8<----------------------------------------
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED], issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED]
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Germany/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS/CN=MYLDAPSERVER.ira.uni-karlsruhe.de/[EMAIL PROTECTED], issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).
rlm_ldap: ldap_start_tls_s() ldap_err2string
rlm_ldap: could not start TLS Connect error
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
-------------------8<----------------------------------------

The important one is:

TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).

MYLDAPSERVER.ira.uka.de is an alias for MYLDAPSERVER.ira.uni-karlsruhe.de (hostname used in the certificate). After I set server = MYLDAPSERVER.ira.uni-karlsruhe.de in my radiusd.conf the TLS connection worked without any problem.

Maybe this mail will save someone the amount of time I had to waste figuring it out.. :-/
_And_ maybe this mail inspires some of the developers to report the appropriate error message instead of "rlm_ldap: could not start TLS Connect error".

Linus van Geuns.

PS: Every certificate of a certificate authority in <tls_cacertdir> needs to be accessible by its openssl-hash as filename. This can be achieved as follows:

In <tls_cacertdir> run:

  CERT=CACERTFILENAME; ln -s ${CERT} `openssl x509 -noout -hash -in ${CERT}`.0
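Added example, not from the post or from FreeRADIUS/OpenLDAP: a small Python helper that pulls the decisive "hostname ... does not match common name" line out of a `radiusd -X` trace (the detail the generic "could not start TLS" error hides), checks a configured hostname against a certificate name with a simplified matcher (exact match or a wildcard in the leftmost label only; an approximation for illustration, not libldap's own code), and emits the `server =` line the post ended up using. The trace excerpt is constructed from the post's placeholder hostnames.

```python
import re
from typing import Optional

# Constructed excerpt of a `radiusd -X` trace, modelled on the one in the post
# (hostnames are the post's placeholders, not real hosts).
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).
rlm_ldap: ldap_start_tls_s() ldap_err2string
rlm_ldap: could not start TLS Connect error
"""

MISMATCH_RE = re.compile(
    r"TLS: hostname \((?P<host>[^)]+)\) does not match "
    r"common name in certificate \((?P<cn>[^)]+)\)"
)


def find_hostname_mismatch(trace: str) -> Optional[dict]:
    """Return {'configured': ..., 'certificate': ...} for the first libldap
    hostname/CN mismatch line in a debug trace, or None if there is none."""
    for line in trace.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            return {"configured": m.group("host"), "certificate": m.group("cn")}
    return None


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.rstrip(".").lower()


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Simplified name check: exact match, or '*' as the whole leftmost label
    matching exactly one label. A DNS alias (CNAME) for the host does NOT
    match, which is the failure the post ran into."""
    h, c = _norm(hostname), _norm(cert_name)
    if "*" not in c:
        return h == c
    head, _, tail = c.partition(".")
    if head != "*" or not tail:
        return False
    hlabels = h.split(".")
    return len(hlabels) == len(c.split(".")) and ".".join(hlabels[1:]) == tail


def suggested_server_line(mismatch: dict) -> str:
    """The radiusd.conf fix the post applied: point `server =` at the name
    that is actually in the certificate instead of the alias."""
    return 'server = "%s"' % mismatch["certificate"]
```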