Mailinglist Archive: opensuse-security (69 mails)

SSL client authentication with AD
  • From: geert.van.muylem@xxxxxxxxxx
  • Date: Tue, 24 Oct 2006 16:00:11 +0200
  • Message-id: <OF6A9653BF.4F1782F5-ONC1257211.004CB762-C1257211.004A9EE0@xxxxxxxxxx>
Hi All,

I'm trying to connect to an Active Directory (Win 2000 server) using SSL
(with client authentication).
The primary goal is doing that by using python-ldap (on a SuSE 10.1
environment).

However, I get a strange situation here: it "sometimes" works.

After some hints from the python-ldap mailing list, I tested the SSL
connection with openssl,
and guess what... the same result. It sometimes works.

SuSE 10.1
OpenSSL: 0.9.8a-16

I've tried with another version of openssl (0.9.7l), but with the same result.
I've also tried both versions of openssl on Windows and Fedora Core 3, with
success!

Does anyone have any idea?
Thanks in advance,


In the Event Viewer: Directory Service: LDAP Interface Events -> 5

Date:            Source:    NTDS LDAP
Time:            Category:  (16)
Type: Warning    Event ID:  1216
The LDAP server closed a socket to a client because of an error condition, 87.

Here is the output of my openssl commands.

-> If it does not work:

openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem \
    -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem

CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

-> And if it does work:

openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem \
    -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem

CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
---
Certificate chain
0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted from the archive]
-----END CERTIFICATE-----
subject=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
issuer=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@xxxxxxxxxx
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@xxxxxxxxxx
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@xxxxxxxxxx
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
---
SSL handshake has read 3261 bytes and written 1781 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 830A000079AD969762D5CA1CC27D874EADB5777B7F9AF5A191900602703F0F9B
    Session-ID-ctx:
    Master-Key: 2D17CCBF98E9610A5043C5348A5551717846756EFAE04734239A1DBA6D044788D3A34E7074E108CD12D1364586B2405E
    Key-Arg   : None
    Start Time: 1161103751
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0

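The intermittent behaviour described in the post is easiest to pin down by running `s_client` many times and classifying each transcript rather than eyeballing individual runs. The script below is an added example, not code from the original post, from python-ldap or from OpenSSL; it assumes the 0.9.x-era `s_client` output format quoted above, and its two sample transcripts are constructed from that quoted output (certificate body and CA list omitted, since they do not affect the parse). It also records how far the handshake got, because in the failing run the server chain had already verified (both `verify return:1` lines printed), which places the failure after server-certificate trust, at the client-certificate and cipher negotiation stage where the DC logged Event ID 1216.

```python
"""Classify `openssl s_client` transcripts and tally intermittent handshake failures.

Added example, not code from the original post.  Parsing assumes the
OpenSSL 0.9.x s_client output format quoted in the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples, transcribed from the two runs quoted in the post.
FAILED_RUN = """CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""

GOOD_RUN = """CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
---
read:errno=0
"""

HANDSHAKE_ERR = re.compile(r"error:([0-9A-F]{8}):SSL routines:(\w+):([^:]+):")
DEPTH_LINE = re.compile(r"^depth=(\d+)\s+(\S.*)$", re.M)
PROTO_LINE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
VERIFY_LINE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*?)\)", re.M)


@dataclass
class Outcome:
    ok: bool
    error: Optional[str]          # "FUNC: reason (code)" on failure, else None
    server_chain_depths: int      # chain certificates verified before the outcome
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    verify_code: Optional[int] = None


def classify(transcript: str) -> Outcome:
    """Turn one s_client transcript into a structured Outcome."""
    depths = len(DEPTH_LINE.findall(transcript))
    err = HANDSHAKE_ERR.search(transcript)
    if err:
        code, func, reason = err.groups()
        return Outcome(False, f"{func}: {reason} ({code})", depths)
    proto = PROTO_LINE.search(transcript)
    cipher = CIPHER_LINE.search(transcript)
    verify = VERIFY_LINE.search(transcript)
    # A completed handshake prints the SSL-Session block; its absence is a failure too.
    if not (proto and cipher):
        return Outcome(False, "no SSL-Session block (closed before handshake completed)", depths)
    return Outcome(True, None, depths, proto.group(1), cipher.group(1),
                   int(verify.group(1)) if verify else None)


def where_it_broke(outcome: Outcome) -> str:
    """Coarse localisation of a failure from how far s_client got before dying."""
    if outcome.ok:
        return "handshake completed"
    if outcome.server_chain_depths > 0:
        # The client already accepted the server chain, so client-side CA trust is
        # not the problem; the break is at client-certificate / cipher negotiation.
        return "after server chain verification (client-certificate / cipher stage)"
    return "before server chain verification (connectivity or server certificate)"


def summarize(transcripts: List[str]) -> Dict[str, object]:
    """Aggregate many runs into counts, a failure rate and the distinct errors seen."""
    outcomes = [classify(t) for t in transcripts]
    failed = [o for o in outcomes if not o.ok]
    return {
        "runs": len(outcomes),
        "failed": len(failed),
        "failure_rate": len(failed) / len(outcomes) if outcomes else 0.0,
        "errors": sorted({o.error for o in failed if o.error}),
        "ciphers": sorted({o.cipher for o in outcomes if o.cipher}),
    }


if __name__ == "__main__":
    for name, run in (("failed", FAILED_RUN), ("good", GOOD_RUN)):
        o = classify(run)
        print(f"{name}: ok={o.ok} error={o.error} stage={where_it_broke(o)}")
    print(summarize([FAILED_RUN, GOOD_RUN, GOOD_RUN]))
```

To use it against a live server, capture the combined stdout and stderr of each `openssl s_client ... </dev/null` invocation into a list of strings and pass that list to `summarize()`; a stable failure rate and a single recurring error string (as opposed to several different ones) is the evidence that distinguishes a negotiation problem from flaky connectivity.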