SSL client authentication with AD

24 Oct 2006

      Hi All,

I'm trying to connect to an active directory (Win 2000 server) using ssl
(with client authentication)
The primary goal is doing that by using python-ldap (on a SuSE 10.1
environment)

I get here however a strange situation that it "sometimes" works..

After some hints from the python-ldap mailing list, I tested the ssl
connection with openssl,
and guess what..the same result.it sometimes works..

SuSE 10.1
Openssl : 0.9.8a-16

I've tried with another version of openssl (0.9.7l) but with same result
I've also tried both versions of openssl on windows and fedora core 3 with
success!

Anyone any idea?
Thanks in advance,

in the event vieuwer : directory service : ldap interface events -> 5
date:                Source: NTDS LDAP
Time                Category: (16)
Type: warning    Event ID:1216
The LDAP server closed a socket to a client bacause of an error condition,
87

Here is the output of my openssl commands..

-à If it does not work

openssl s_client -connect 192.168.1.5:636 -CAfile
/home/gvm/Temp/PYSSL/rootca.pem -cert
/home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem

CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

and If it does work:

openssl s_client -connect 192.168.1.5:636 -CAfile
/home/gvm/Temp/PYSSL/rootca.pem -cert
/home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem

CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
---
Certificate chain
 0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
   i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICjDCCAfWgAwIBAgIBHDANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJCRTEU
MBIGA1UEBxMLSG9vZ3N0cmF0ZW4xEDAOBgNVBAoTB0NBVHJ1c3QxDDAKBgNVBAsT
A1BLSTEPMA0GA1UEAwwGQ0FTX1NLMB4XDTA2MTAxNzEwNDk1NVoXDTA3MTAxNzEw
NDk1NVowWzELMAkGA1UEBhMCQkUxFDASBgNVBAcTC0hvb2dzdHJhdGVuMRAwDgYD
VQQKEwdDQVRydXN0MQwwCgYDVQQLEwNQS0kxFjAUBgNVBAMTDWVvd3luLmRvb20u
YmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6pGS7FO76CcZuDBOtwso5+
H1Sr/9hfDy2Cymp0gLixW1Fga5xdsO+hiV255NDiI2jQHvjP/FloThEp5UzJVwTY
lvT50APyGl1f2g/Akv8eqvK12TyOAtGwuj8SXzayyEzsWtzlN2NFnlWEKJc0qh6Q
l2UmDo/ggGxJBxxlfBkNAgMBAAGjZzBlMB8GA1UdIwQYMBaAFDhp/FYUPtJVxyCc
64ksf3y38HKIMB0GA1UdDgQWBBQ/g+qO3W1SDxsEJu86QgEzTrZAVDAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEA
ASmsG3ltOTkUJWv5zlTSZ69sr9hSjOeSC+wqiKFI0fqmbbcMkiDdxp+olwZwE3LM
RGwg9KXU4MZjQsMbDPoySPqDvHh4LlDOeMx8SVqvfQxQa/SnOYIGtONl3CosVe81
P19ynZeq4z+QzubR4F1Is3dqYqL9zYi0k4z2F0pXixA=
-----END CERTIFICATE-----
subject=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
issuer=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
Services Division/CN=Thawte Personal Freemail
CA/emailAddress=personal-freemail@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
Services Division/CN=Thawte Personal Premium
CA/emailAddress=personal-premium@thawte.com
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital
Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification
Services Division/CN=Thawte Personal Basic
CA/emailAddress=personal-basic@thawte.com
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE 
CyberTrust
Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft 
Corporation/CN=Microsoft
Root Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority -
G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust
Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE 
CyberTrust
Root
---
SSL handshake has read 3261 bytes and written 1781 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID:
830A000079AD969762D5CA1CC27D874EADB5777B7F9AF5A191900602703F0F9B
    Session-ID-ctx:
    Master-Key:
2D17CCBF98E9610A5043C5348A5551717846756EFAE04734239A1DBA6D044788D3A34E7074E1
08CD12D1364586B2405E
    Key-Arg   : None
    Start Time: 1161103751
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0

geert.van.muylem＠utimaco.be

tags

participants (1)