Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-23 Thread Linus van Geuns
Alan DeKok wrote:
> Linus van Geuns [EMAIL PROTECTED] wrote:
>
>> _And_ maybe this mail inspires some of the developers to report the
>> appropriate error message instead of rlm_ldap:  could not start TLS
>> Connect error.
>
>   You just volunteered to write the patch.
>
>   Please mail it to the list when it's ready.

I'm sorry, but I am bound to another software project atm.

Linus van Geuns.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-23 Thread Alan DeKok
Linus van Geuns [EMAIL PROTECTED] wrote:
>> Please mail it to the list when it's ready.
>
> I'm sorry, but I am bound to another software project atm.

  That's terrible!

  When can we expect a fix?

  Alan DeKok.


Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-23 Thread Linus van Geuns
Alan DeKok wrote:
> Linus van Geuns [EMAIL PROTECTED] wrote:
>
>>> Please mail it to the list when it's ready.
>>
>> I'm sorry, but I am bound to another software project atm.
>
>   That's terrible!
>
>   When can we expect a fix?

I'm working on a daemon that aims to implement PXE 2.1 and to be easily
configurable. As I have to learn C++, network programming and
programming for Linux/*nix by creating this daemon, and as this project
is nothing official or something I get paid for, it will be done when
it's done.

Did I forget to tell you, I'm very sorry for intending to help others
and mentioning that the error message is not appropriate?  It was my
fault, I should not even think of saving other people's time without
getting paid for it.

Is there something else that I may learn by reading your mails, Mr.
DeKok? If not, they'll be read by /dev/null..

Linus van Geuns.




Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-23 Thread Alan DeKok
Linus van Geuns [EMAIL PROTECTED] wrote:
> Did I forget to tell you, I'm very sorry for intending to help others
> and mentioning that the error message is not appropriate?  It was my
> fault, I should not even think of saving other people's time without
> getting paid for it.

  The issue was that you were asking other people to fix a problem you
ran into.

  Where is the incentive for us to fix something you don't like?

> Is there something else that I may learn by reading your mails, Mr.
> DeKok? If not, they'll be read by /dev/null..

  Too bad it isn't a two-way pipe.

  Alan DeKok.


Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-23 Thread Linus van Geuns
Alan DeKok wrote:
> Linus van Geuns [EMAIL PROTECTED] wrote:
>
>> Did I forget to tell you, I'm very sorry for intending to help others
>> and mentioning that the error message is not appropriate?  It was my
>> fault, I should not even think of saving other people's time without
>> getting paid for it.
>
>   The issue was that you were asking other people to fix a problem you
> ran into.
>
>   Where is the incentive for us to fix something you don't like?

1.) The developers of freeradius declared their intent to provide a
radius daemon, so other people may _use_ (not develop) it.

2.) I mailed the solution to my problem so others, running into the same
one, may find this mail useful.

3.) Did I claim someone _has_ to fix it, because I don't 'like' it?

4.) I think, the error message from freeradius does obviously contain no
useful debug information.

So what?



Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-23 Thread Alan DeKok
Linus van Geuns [EMAIL PROTECTED] wrote:
> 3.) Did I claim someone _has_ to fix it, because I don't 'like' it?

  Pretty much, yes.  And you then got upset when I said you could fix it.

> 4.) I think, the error message from freeradius does obviously contain no
> useful debug information.

  <laughs> Sure.  Have you ever tried using a *commercial* server?
They have *no* useful debugging or error messages.

 Alan DeKok.


No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-22 Thread Linus van Geuns
Hi!

I've tried to establish a TLS-secured connection between
freeradius-1.0.1-3 (Red Hat Enterprise Linux 4) and an OpenLDAP server. I
tried every combination of tls_mode, start_tls and tls_require_cert, but
I never got more than this error:

(/etc/raddb/radiusd.conf)
---8<---
ldap {
server = MYLDAPSERVER.ira.uka.de
port = 389
identity = uid=MYUSERNAME, ou=MYUNIT, dc=ira, dc=uka, dc=de
password = MYPASSWORD
basedn = ou=MYUNIT,dc=ira,dc=uka,dc=de
filter = (uid=MYPREFIX-%u)
start_tls = yes
tls_mode = no
tls_cacertdir = /etc/raddb/cacerts/
tls_require_cert = demand
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# No useful error msg w/o 0x
ldap_debug = 0x
}
---8<---


(/var/log/radius/radius.log)
---8<---
Error: rlm_ldap: could not start TLS Connect error
Error: rlm_ldap: (re)connection attempt failed
---8<---

The problem was:
(/usr/sbin/radiusd -X)
---8<---
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED], issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED]
TLS certificate verification: depth: 0, err: 0, subject: /C=DE/ST=Germany/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS/CN=MYLDAPSERVER.ira.uni-karlsruhe.de/[EMAIL PROTECTED], issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).
rlm_ldap: ldap_start_tls_s()
ldap_err2string
rlm_ldap: could not start TLS Connect error
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
---8<---


The important one is:
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).

MYLDAPSERVER.ira.uka.de is an alias for
MYLDAPSERVER.ira.uni-karlsruhe.de (hostname used in the certificate).
After I set
server = MYLDAPSERVER.ira.uni-karlsruhe.de
in my radiusd.conf the TLS connection worked without any problem.

Maybe this mail will save someone the amount of time I had to waste
figuring it out.. :-/

_And_ maybe this mail inspires some of the developers to report the
appropriate error message instead of rlm_ldap:  could not start TLS
Connect error.

Linus van Geuns.

PS:
Every certificate of a certificate authority in tls_cacertdir needs
to be accessible by its OpenSSL hash as filename. This can be achieved
as follows:
In tls_cacertdir run:
CERT=CACERTFILENAME; ln -s "${CERT}" "$(openssl x509 -noout -hash -in "${CERT}").0"



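The post above finds the real cause by hand: libldap reports every TLS failure in ldap_start_tls_s() as LDAP_CONNECT_ERROR ("Connect error"), so the only informative lines are in the ldap_debug / radiusd -X trace. The script below is an added example for this thread, not FreeRADIUS or OpenLDAP code, that automates that triage from text you already have: it reads the `server =` value out of the ldap { } block (1.x syntax as quoted above), looks for libldap's "TLS: hostname (...) does not match common name" line or a non-zero `err:` in the certificate verification callbacks, and reproduces the comparison libldap makes (a case-insensitive string compare of the configured name against the CN and any subjectAltName dNSName entries, so a DNS alias never matches). The CONF and TRACE samples are constructed from the lines quoted in the post; the two codes in X509_ERR are OpenSSL's X509_V_ERR values; `diagnose()` and the other function names are this example's own.

```python
"""Triage helper for rlm_ldap's "could not start TLS Connect error".

Added example for this thread; it is not FreeRADIUS or OpenLDAP code and it
only reads text you already have: the ldap {} block of radiusd.conf (1.x
syntax) and the `radiusd -X` / ldap_debug trace.  The sample inputs below
are constructed from the lines quoted in the thread.
"""
import re

# libldap's own message when the configured host name is not in the cert.
# The trace line is wrapped in the mail archive, so allow whitespace there.
HOSTNAME_MISMATCH = re.compile(
    r"TLS: hostname \((?P<configured>[^)]+)\) does not match common name in"
    r"\s+certificate \((?P<cert_name>[^)]+)\)"
)
# "TLS certificate verification: depth: 1, err: 0, subject: ..."
VERIFY_LINE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+)")

# OpenSSL X509_V_ERR_* codes seen as `err:` when the issuer cannot be found
# in tls_cacertdir (typically a missing <hash>.0 link for the CA cert).
X509_ERR = {19: "self signed certificate in certificate chain",
            20: "unable to get local issuer certificate"}


def ldap_server_from_conf(conf_text):
    """Return the `server =` value from the ldap { } block, or None."""
    block = re.search(r"ldap\s*\{(.*?)\n\}", conf_text, re.S)
    if not block:
        return None
    for line in block.group(1).splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("server"):
            return line.partition("=")[2].strip().strip('"')
    return None


def find_hostname_mismatch(trace):
    """{'configured': ..., 'cert_name': ...} if libldap rejected the name."""
    m = HOSTNAME_MISMATCH.search(trace)
    return m.groupdict() if m else None


def find_verify_errors(trace):
    """(depth, err) for every verification callback that reported err != 0."""
    return [(int(d), int(e)) for d, e in VERIFY_LINE.findall(trace) if int(e) != 0]


def name_matches(cert_name, host):
    """Case-insensitive DNS name comparison; '*.' matches exactly one label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        first, dot, rest = host.partition(".")
        return bool(first) and bool(dot) and rest == cert_name[2:]
    return False


def cert_matches_host(host, common_name, san_dns=()):
    """What the OpenLDAP client checks: subjectAltName dNSName entries and
    the CN.  It is a string comparison; a CNAME alias is never resolved."""
    return any(name_matches(n, host) for n in (*san_dns, common_name))


def diagnose(conf_text, trace):
    """Map the opaque 'Connect error' to its cause and a concrete fix."""
    mismatch = find_hostname_mismatch(trace)
    if mismatch:
        configured = ldap_server_from_conf(conf_text) or mismatch["configured"]
        return {"problem": "hostname_mismatch",
                "configured": configured,
                "cert_name": mismatch["cert_name"],
                "fix": f"set server = {mismatch['cert_name']} (or reissue the "
                       f"cert with a subjectAltName for {configured})"}
    errors = find_verify_errors(trace)
    if errors:
        depth, err = errors[-1]
        return {"problem": "chain_verification", "depth": depth, "err": err,
                "fix": X509_ERR.get(err, "see `openssl verify` for this code")
                       + "; check tls_cacertdir contains <hash>.0 links"}
    return {"problem": "unknown", "fix": "raise ldap_debug and read the TLS trace"}


# Constructed from the thread (placeholders kept, distinguished names shortened).
CONF = """\
ldap {
        server = MYLDAPSERVER.ira.uka.de
        port = 389
        start_tls = yes
        tls_cacertdir = /etc/raddb/cacerts/
        tls_require_cert = demand
}
"""
TRACE = """\
TLS certificate verification: depth: 1, err: 0, subject: /CN=MYCACERTIFICATE, issuer: /CN=MYCACERTIFICATE
TLS certificate verification: depth: 0, err: 0, subject: /CN=MYLDAPSERVER.ira.uni-karlsruhe.de, issuer: /CN=MYCACERTIFICATE
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in
certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
"""

if __name__ == "__main__":
    print(diagnose(CONF, TRACE))
```

Run stand-alone it prints the hostname_mismatch verdict with the `server =` value the post settled on. The chain_verification branch covers the situation in the PS: a CA file that is present in tls_cacertdir but not reachable under its hash name makes the depth-1 callback report a non-zero err, and ldap_start_tls_s() still reports only "Connect error". Note that the hash naming changed in OpenSSL 1.0.0: there `openssl x509 -hash` is the new subject hash and `-subject_hash_old` the MD5-based one used by the PS, and `c_rehash` (or `openssl rehash` from 1.1.0) creates links for both forms across a whole directory.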

Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-22 Thread Alan DeKok
Linus van Geuns [EMAIL PROTECTED] wrote:
> _And_ maybe this mail inspires some of the developers to report the
> appropriate error message instead of rlm_ldap:  could not start TLS
> Connect error.

  You just volunteered to write the patch.

  Please mail it to the list when it's ready.

  Alan DeKok.