AD and openssl



Hi All,

I'm trying to connect to an Active Directory (Win 2000 server) using SSL
(with client authentication).
The primary goal is to do that using python-ldap (on a SuSE 10.1
environment).

However, I get a strange situation here where it "sometimes" works..

After some hints from the python-ldap mailing list, I tested the SSL
connection with openssl,
and guess what.. the same result. It sometimes works..

SuSE 10.1
OpenSSL: 0.9.8a-16

I've tried another version of openssl (0.9.7l), but with the same result.
I've also tried both versions of openssl on Windows and Fedora Core 3 with
success!

Anyone any idea?
Thanks in advance,


In the event viewer: Directory Service: LDAP Interface Events -> 5
Source: NTDS LDAP
Category: (16)
Type: warning
Event ID: 1216
The LDAP server closed a socket to a client because of an error condition,
87

Here is the output of my openssl commands..

-> If it does not work:

openssl s_client -connect 192.168.1.5:636 -CAfile
/home/gvm/Temp/PYSSL/rootca.pem -cert
/home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem

CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

-> And if it does work:

openssl s_client -connect 192.168.1.5:636 -CAfile
/home/gvm/Temp/PYSSL/rootca.pem -cert
/home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem

CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
---
Certificate chain
0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Server certificate
subject=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
issuer=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@xxxxxxxxxx
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@xxxxxxxxxx
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@xxxxxxxxxx
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
---
SSL handshake has read 3261 bytes and written 1781 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 830A000079AD969762D5CA1CC27D874EADB5777B7F9AF5A191900602703F0F9B
Session-ID-ctx:
Master-Key: 2D17CCBF98E9610A5043C5348A5551717846756EFAE04734239A1DBA6D044788D3A34E7074E108CD12D1364586B2405E
Key-Arg : None
Start Time: 1161103751
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=0
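A small triage helper, added here as an example and not part of the original post: it parses condensed, constructed versions of the two s_client transcripts above, records whether the server chain had already verified when the run failed, and checks that the issuer of the client certificate (assumed here to be the CAS_SK CA, since the post does not say) is among the CA names the server advertises.

```python
import re
# Constructed samples condensed from the post's failing and working s_client runs.
FAILING_RUN = """CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
"""
WORKING_RUN = """CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Verify return code: 0 (ok)
"""
# Assumed: endor-crt.pem was issued by the CAS_SK CA (the post does not say).
CLIENT_CERT_ISSUER = "/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK"

def parse_s_client(text):
    # Pull the triage-relevant facts out of an s_client transcript.
    info = {"server_chain_ok": True, "handshake_ok": False, "cipher": None,
            "error": None, "acceptable_cas": []}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("verify return:") and line != "verify return:1":
            info["server_chain_ok"] = False        # a server cert failed verification
        elif re.match(r"^\d+:error:", line):
            info["error"] = line.split(":", 2)[2]  # OpenSSL library error text
        elif line.startswith("New,") and "Cipher is " in line:
            info["cipher"] = line.split("Cipher is ")[1]
        elif line.startswith("Verify return code:"):
            info["handshake_ok"] = True            # only printed after a completed handshake
        elif line == "Acceptable client certificate CA names":
            i += 1                                 # collect CA DNs up to the next separator
            while i < len(lines) and lines[i].strip() != "---":
                info["acceptable_cas"].append(lines[i].strip())
                i += 1
            continue
        i += 1
    return info

def diagnose(text, client_issuer):
    # Where did the run fail, and does the server advertise our client CA at all?
    info = parse_s_client(text)
    if info["handshake_ok"]:
        return "ok" if client_issuer in info["acceptable_cas"] else "ok-issuer-not-advertised"
    return "failed-after-server-chain" if info["server_chain_ok"] else "failed-server-chain"
```

A "failed-after-server-chain" result, read together with the AD event 1216 above (the server closed the socket), places the fault in the client-certificate exchange rather than in trust of the server certificate.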


