Hi again,

And if I use the -pause parameter, the problem is solved....

Reason?

Regards,

Geert

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geert Van Muylem
Sent: Tuesday 17 October 2006 20:17
To: openssl-users@openssl.org
Subject: ssl - Active directory

Hi All,

I'm trying to connect to an Active Directory (W2K server) using SSL (with client authentication).

The primary goal is doing that by using python-ldap (on a SuSE 10.1 environment).

I get here however a strange situation that it "sometimes" works....

After some hints from the python-ldap mailing list, I tested the SSL connection
with openssl, and guess what....the same result...it sometimes works....

Anyone any idea?

Thanks in advance,

Geert

SuSE 10.1

OpenSSL: 0.9.8a-16

Here is the output of my openssl commands....

-> If it does not work:


[EMAIL PROTECTED]:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem

CONNECTED(00000003)

depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK

verify return:1

depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be

verify return:1

15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:


-> If it does work:


[EMAIL PROTECTED]:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem

CONNECTED(00000003)

depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK

verify return:1

depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be

verify return:1

 

---

Certificate chain

 0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be

   i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK

---

Server certificate

-----BEGIN CERTIFICATE-----

MIICjDCCAfWgAwIBAgIBHDANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJCRTEU

MBIGA1UEBxMLSG9vZ3N0cmF0ZW4xEDAOBgNVBAoTB0NBVHJ1c3QxDDAKBgNVBAsT

A1BLSTEPMA0GA1UEAwwGQ0FTX1NLMB4XDTA2MTAxNzEwNDk1NVoXDTA3MTAxNzEw

NDk1NVowWzELMAkGA1UEBhMCQkUxFDASBgNVBAcTC0hvb2dzdHJhdGVuMRAwDgYD

VQQKEwdDQVRydXN0MQwwCgYDVQQLEwNQS0kxFjAUBgNVBAMTDWVvd3luLmRvb20u

YmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6pGS7FO76CcZuDBOtwso5+

H1Sr/9hfDy2Cymp0gLixW1Fga5xdsO+hiV255NDiI2jQHvjP/FloThEp5UzJVwTY

lvT50APyGl1f2g/Akv8eqvK12TyOAtGwuj8SXzayyEzsWtzlN2NFnlWEKJc0qh6Q

l2UmDo/ggGxJBxxlfBkNAgMBAAGjZzBlMB8GA1UdIwQYMBaAFDhp/FYUPtJVxyCc

64ksf3y38HKIMB0GA1UdDgQWBBQ/g+qO3W1SDxsEJu86QgEzTrZAVDAOBgNVHQ8B

Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEA

ASmsG3ltOTkUJWv5zlTSZ69sr9hSjOeSC+wqiKFI0fqmbbcMkiDdxp+olwZwE3LM

RGwg9KXU4MZjQsMbDPoySPqDvHh4LlDOeMx8SVqvfQxQa/SnOYIGtONl3CosVe81

P19ynZeq4z+QzubR4F1Is3dqYqL9zYi0k4z2F0pXixA=

-----END CERTIFICATE-----

subject=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be

issuer=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK

---

Acceptable client certificate CA names

/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK

/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network

/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network

/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/[EMAIL PROTECTED]

/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/[EMAIL PROTECTED]

/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority

/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/[EMAIL PROTECTED]

/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority

/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority

/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network

/C=US/O=GTE Corporation/CN=GTE CyberTrust Root

/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA

/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority

/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network

/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root

---

SSL handshake has read 3261 bytes and written 1781 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-MD5

Server public key is 1024 bit

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : RC4-MD5

    Session-ID: 830A000079AD969762D5CA1CC27D874EADB5777B7F9AF5A191900602703F0F9B

    Session-ID-ctx:

    Master-Key: 2D17CCBF98E9610A5043C5348A5551717846756EFAE04734239A1DBA6D044788D3A34E7074E108CD12D1364586B2405E

    Key-Arg   : None

    Start Time: 1161103751

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

---

read:errno=0

[EMAIL PROTECTED]:~/Temp/PYSSL>   
