Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)
Alan DeKok wrote:
> Linus van Geuns [EMAIL PROTECTED] wrote:
>> _And_ maybe this mail inspires some of the developers to report the appropriate error message instead of rlm_ldap: could not start TLS Connect error.
>
> You just volunteered to write the patch. Please mail it to the list when it's ready.

I'm sorry, but I am bound to another software project atm.

Linus van Geuns.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)
Linus van Geuns [EMAIL PROTECTED] wrote:
>> Please mail it to the list when it's ready.
>
> I'm sorry, but I am bound to another software project atm.

That's terrible! When can we expect a fix?

Alan DeKok.
Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)
Alan DeKok wrote:
> Linus van Geuns [EMAIL PROTECTED] wrote:
>>> Please mail it to the list when it's ready.
>>
>> I'm sorry, but I am bound to another software project atm.
>
> That's terrible! When can we expect a fix?

I'm working on a daemon that aims to implement PXE 2.1 and to be easily configurable. As I have to learn C++, network programming and programming for Linux/*nix by creating this daemon, and as this project is nothing official or something I get paid for, it will be done when it's done.

Did I forget to tell you, I'm very sorry for intending to help others and mentioning that the error message is not appropriate? It was my fault, I should not even think of saving other people's time without getting paid for it.

Is there something else that I may learn by reading your mails, Mr. DeKok? If not, they'll be read by /dev/null..

Linus van Geuns.
Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)
Linus van Geuns [EMAIL PROTECTED] wrote:
> Did I forget to tell you, I'm very sorry for intending to help others and mentioning that the error message is not appropriate? It was my fault, I should not even think of saving other people's time without getting paid for it.

The issue was that you were asking other people to fix a problem you ran into. Where is the incentive for us to fix something you don't like?

> Is there something else that I may learn by reading your mails, Mr. DeKok? If not, they'll be read by /dev/null..

Too bad it isn't a two-way pipe.

Alan DeKok.
Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)
Alan DeKok wrote:
> Linus van Geuns [EMAIL PROTECTED] wrote:
>> Did I forget to tell you, I'm very sorry for intending to help others and mentioning that the error message is not appropriate? It was my fault, I should not even think of saving other people's time without getting paid for it.
>
> The issue was that you were asking other people to fix a problem you ran into. Where is the incentive for us to fix something you don't like?

1.) The developers of freeradius declared their intent to provide a radius daemon, so other people may _use_ (not develop) it.
2.) I mailed the solution to my problem so others, running into the same one, may find this mail useful.
3.) Did I claim someone _has_ to fix it, because I don't 'like' it?
4.) I think the error message from freeradius does obviously contain no useful debug information. So what?
Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)
Linus van Geuns [EMAIL PROTECTED] wrote:
> 3.) Did I claim someone _has_ to fix it, because I don't 'like' it?

Pretty much, yes. And you then got upset when I said you could fix it.

> 4.) I think the error message from freeradius does obviously contain no useful debug information.

<laughs> Sure. Have you ever tried using a *commercial* server? They have *no* useful debugging or error messages.

Alan DeKok.
No appropriate error message (rlm_ldap: could not start TLS Connect error)
Hi!

I've tried to establish a TLS-secured connection between freeradius-1.0.1-3 (Red Hat Enterprise Linux 4) and an openldap server. I tried every combination of tls_mode, start_tls and tls_require_cert, but I never got more than this error:

(/etc/raddb/radiusd.conf)
---8<---
ldap {
        server = MYLDAPSERVER.ira.uka.de
        port = 389
        identity = uid=MYUSERNAME, ou=MYUNIT, dc=ira, dc=uka, dc=de
        password = MYPASSWORD
        basedn = ou=MYUNIT,dc=ira,dc=uka,dc=de
        filter = (uid=MYPREFIX-%u)
        start_tls = yes
        tls_mode = no
        tls_cacertdir = /etc/raddb/cacerts/
        tls_require_cert = demand
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # No useful error msg w/o 0x
        ldap_debug = 0x
}
---8<---

(/var/log/radius/radius.log)
---8<---
Error: rlm_ldap: could not start TLS Connect error
Error: rlm_ldap: (re)connection attempt failed
---8<---

The problem was:

(/usr/sbin/radiusd -X)
---8<---
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED], issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED]
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Germany/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS/CN=MYLDAPSERVER.ira.uni-karlsruhe.de/[EMAIL PROTECTED], issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).
rlm_ldap: ldap_start_tls_s() ldap_err2string
rlm_ldap: could not start TLS Connect error
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
---8<---

The important one is:

TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).

MYLDAPSERVER.ira.uka.de is an alias for MYLDAPSERVER.ira.uni-karlsruhe.de (hostname used in the certificate). After I set

        server = MYLDAPSERVER.ira.uni-karlsruhe.de

in my radiusd.conf the TLS connection worked without any problem.

Maybe this mail will save someone the amount of time I had to waste figuring it out.. :-/

_And_ maybe this mail inspires some of the developers to report the appropriate error message instead of "rlm_ldap: could not start TLS Connect error".

Linus van Geuns.

PS: Every certificate of a certificate authority in tls_cacertdir needs to be accessible by its openssl hash as filename. This can be achieved as follows. In tls_cacertdir run:

        CERT=CACERTFILENAME; ln -s "${CERT}" "$(openssl x509 -noout -hash -in "${CERT}").0"
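As an added example, not code from the post above nor from FreeRADIUS or OpenLDAP: the hostname-versus-certificate comparison that libldap performed behind the bare "Connect error", written in Python together with the explanatory message the log could have carried. The host and certificate names are the placeholders from the post; the function names are my own, and the subjectAltName handling goes beyond the CN-only certificate in the thread.

```python
from typing import Optional

# Added example (not FreeRADIUS or OpenLDAP code). Names are constructed from the
# placeholders in the post above.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (CN or SAN entry) against the configured host.

    Labels compare case-insensitively; a wildcard is honoured only as the whole
    left-most label and only when at least two further labels follow, so
    '*.ira.uka.de' covers 'ldap.ira.uka.de' but not 'a.b.ira.uka.de' or 'uka.de'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def check_server_name(configured_host: str, subject_cn: str, san_dns=()) -> Optional[str]:
    """Return None when the certificate covers configured_host, else a diagnostic.

    If the certificate carries DNS subjectAltName entries they are authoritative and
    the commonName is ignored (RFC 6125); a CN-only certificate like the one in the
    thread falls back to the CN.
    """
    if san_dns:
        candidates, source = list(san_dns), "subjectAltName"
    else:
        candidates, source = ([subject_cn] if subject_cn else []), "common name"
    if any(_name_matches(c, configured_host) for c in candidates):
        return None
    return (
        "TLS: hostname (%s) does not match %s in certificate (%s); "
        "set 'server' in the ldap section to a name the certificate carries, "
        "or reissue the certificate with that alias as a subjectAltName"
        % (configured_host, source, ", ".join(candidates) or "<none>")
    )


if __name__ == "__main__":
    # The thread's failure: the configured alias is not the CN in the certificate.
    print(check_server_name("MYLDAPSERVER.ira.uka.de", "MYLDAPSERVER.ira.uni-karlsruhe.de"))
    # The poster's fix: configure the name that is actually in the certificate.
    print(check_server_name("MYLDAPSERVER.ira.uni-karlsruhe.de", "MYLDAPSERVER.ira.uni-karlsruhe.de"))
```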
Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)
Linus van Geuns [EMAIL PROTECTED] wrote:
> _And_ maybe this mail inspires some of the developers to report the appropriate error message instead of rlm_ldap: could not start TLS Connect error.

You just volunteered to write the patch. Please mail it to the list when it's ready.

Alan DeKok.