AD and SSL


Wendy Moore

Hi All,

I'm trying to connect to an active directory (W2K server) using ssl (with
client authentication).

The primary goal is doing that by using python-ldap (on a SuSE 10.1
environment).

I get here however a strange situation that it "sometimes" works..

After some hints from the python-ldap mailing list, I tested the ssl
connection with openssl, and guess what.. the same result, it sometimes works..

Anyone any idea?

In the event viewer: directory service: ldap interface events -> 5

Date:            Source: NTDS LDAP
Time:            Category: (16)
Type: warning    Event ID: 1216

The LDAP server closed a socket to a client because of an error condition,
87

Thanks in advance,

Geert

SuSE 10.1
Openssl: 0.9.8a-16

Here is the output of my openssl commands..

-> If it does not work

gvm@endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
15313:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

-> If it does work:

gvm@endor:~/Temp/PYSSL> openssl s_client -connect 192.168.1.5:636 -CAfile /home/gvm/Temp/PYSSL/rootca.pem -cert /home/gvm/Temp/PYSSL/endor-crt.pem -key /home/gvm/Temp/PYSSL/endor-key.pem
CONNECTED(00000003)
depth=1 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
verify return:1
depth=0 /C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
verify return:1
---
Certificate chain
 0 s:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
   i:/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICjDCCAfWgAwIBAgIBHDANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJCRTEU
MBIGA1UEBxMLSG9vZ3N0cmF0ZW4xEDAOBgNVBAoTB0NBVHJ1c3QxDDAKBgNVBAsT
A1BLSTEPMA0GA1UEAwwGQ0FTX1NLMB4XDTA2MTAxNzEwNDk1NVoXDTA3MTAxNzEw
NDk1NVowWzELMAkGA1UEBhMCQkUxFDASBgNVBAcTC0hvb2dzdHJhdGVuMRAwDgYD
VQQKEwdDQVRydXN0MQwwCgYDVQQLEwNQS0kxFjAUBgNVBAMTDWVvd3luLmRvb20u
YmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL6pGS7FO76CcZuDBOtwso5+
H1Sr/9hfDy2Cymp0gLixW1Fga5xdsO+hiV255NDiI2jQHvjP/FloThEp5UzJVwTY
lvT50APyGl1f2g/Akv8eqvK12TyOAtGwuj8SXzayyEzsWtzlN2NFnlWEKJc0qh6Q
l2UmDo/ggGxJBxxlfBkNAgMBAAGjZzBlMB8GA1UdIwQYMBaAFDhp/FYUPtJVxyCc
64ksf3y38HKIMB0GA1UdDgQWBBQ/g+qO3W1SDxsEJu86QgEzTrZAVDAOBgNVHQ8B
Af8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADgYEA
ASmsG3ltOTkUJWv5zlTSZ69sr9hSjOeSC+wqiKFI0fqmbbcMkiDdxp+olwZwE3LM
RGwg9KXU4MZjQsMbDPoySPqDvHh4LlDOeMx8SVqvfQxQa/SnOYIGtONl3CosVe81
P19ynZeq4z+QzubR4F1Is3dqYqL9zYi0k4z2F0pXixA=
-----END CERTIFICATE-----
subject=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=eowyn.doom.be
issuer=/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/[email protected]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/[email protected]
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/[email protected]
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
---
SSL handshake has read 3261 bytes and written 1781 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 830A000079AD969762D5CA1CC27D874EADB5777B7F9AF5A191900602703F0F9B
    Session-ID-ctx:
    Master-Key: 2D17CCBF98E9610A5043C5348A5551717846756EFAE04734239A1DBA6D044788D3A34E7074E108CD12D1364586B2405E
    Key-Arg   : None
    Start Time: 1161103751
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0
gvm@endor:~/Temp/PYSSL>
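The two checks a practitioner would run against the symptoms in the post above, as an added example (this is not code from the thread, from python-ldap or from Microsoft). It parses the "Acceptable client certificate CA names" block that s_client prints (the CA list the domain controller sends in its CertificateRequest) so the client certificate's issuer can be compared against it, and it repeats the mutual-TLS handshake to port 636 so that "sometimes works" becomes a measured failure ratio. For reference, Win32 error 87 in that Event ID 1216 entry is ERROR_INVALID_PARAMETER; the example does not claim to know why the DC returns it. Assumptions, not taken from the page: Python 3 with the standard `ssl` module; the python-ldap option and bind names used in `ldap_client_cert_bind` (`OPT_X_TLS_*`, `sasl_external_bind_s`); the host name `eowyn.doom.be` taken from the server cert's CN; and the s_client excerpt, which is a constructed subset of the output quoted in the post.

```python
"""Added diagnostic for the intermittent LDAPS client-certificate handshake in
the post above. Host names, file paths and the s_client excerpt are
constructed/assumed for illustration; python-ldap API names are assumed."""
import socket
import ssl
from collections import Counter
from typing import Callable, Dict, List

# Constructed excerpt of the "if it does work" s_client output in the post.
# The block after "Acceptable client certificate CA names" is the CA list the
# server sends in its CertificateRequest; a client cert chaining to a CA that
# is not in it will be refused whatever the local "verify return:1" says.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=CAS_SK
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=BE/L=Hoogstraten/O=CATrust/OU=PKI/CN=EOWYN CA
---
SSL handshake has read 3261 bytes and written 1781 bytes
"""


def parse_acceptable_cas(s_client_output: str) -> List[str]:
    """Return the issuer DNs listed under 'Acceptable client certificate CA names'."""
    cas: List[str] = []
    collecting = False
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line == "Acceptable client certificate CA names":
            collecting = True
        elif collecting and (line == "---" or not line):
            break
        elif collecting:
            cas.append(line)
    return cas


def issuer_is_acceptable(client_issuer_dn: str, acceptable_cas: List[str]) -> bool:
    """True if the client cert's issuer (openssl x509 -noout -issuer -in endor-crt.pem)
    is one of the CAs the DC advertises."""
    return client_issuer_dn.strip() in acceptable_cas


def make_client_context(cafile: str, certfile: str, keyfile: str,
                        legacy_server: bool = False) -> ssl.SSLContext:
    """Client-auth TLS context. legacy_server=True relaxes the modern defaults
    (TLS 1.2+, no RC4, no 1024-bit RSA) enough to talk to a Windows 2000 DC
    like the one in the post; leave it False for anything current."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    if legacy_server:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # W2K speaks TLS 1.0 only
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")       # allow RC4-MD5 / 1024-bit keys
    return ctx


def tls_handshake(ctx: ssl.SSLContext, host: str, port: int = 636,
                  timeout: float = 5.0) -> str:
    """One LDAPS handshake; returns the negotiated protocol or raises.
    Connect to the name in the server cert's CN (eowyn.doom.be in the post),
    not the IP: unlike s_client, SSLContext also verifies the hostname."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() or "unknown"


def probe_handshakes(attempts: int, handshake: Callable[[], str]) -> Dict[str, int]:
    """Run the handshake `attempts` times and tally outcomes, so an
    intermittent failure becomes a ratio plus an error class."""
    tally: Counter = Counter()
    for _ in range(attempts):
        try:
            tally[handshake()] += 1
        except (ssl.SSLError, OSError) as exc:
            tally["error:" + type(exc).__name__] += 1
    return dict(tally)


def simulated_handshake(outcomes: List[bool]) -> Callable[[], str]:
    """Constructed stand-in for tls_handshake that reproduces the post's
    'sometimes works' offline: True -> TLSv1, False -> handshake failure."""
    queue = iter(outcomes)

    def run() -> str:
        if next(queue):
            return "TLSv1"
        raise ssl.SSLError("ssl handshake failure")
    return run


def ldap_client_cert_bind(uri: str, cafile: str, certfile: str, keyfile: str):
    """The same mutual-TLS connection through python-ldap, the library the
    post is about (assumed API names). Imported locally so the rest of this
    file runs without python-ldap installed."""
    import ldap
    conn = ldap.initialize(uri)                      # e.g. "ldaps://eowyn.doom.be:636"
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cafile)
    conn.set_option(ldap.OPT_X_TLS_CERTFILE, certfile)
    conn.set_option(ldap.OPT_X_TLS_KEYFILE, keyfile)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)        # fresh TLS context from the options above
    conn.sasl_external_bind_s()                      # client cert mapped to an AD account
    return conn


if __name__ == "__main__":
    print("DC accepts client certs from:", parse_acceptable_cas(SAMPLE_S_CLIENT_OUTPUT))
    # Offline run with a constructed 50% failure pattern; against a real DC use
    # lambda: tls_handshake(make_client_context(ca, crt, key, legacy_server=True), "eowyn.doom.be")
    print(probe_handshakes(4, simulated_handshake([True, False, True, False])))
```

Two things the tally tells you that a single s_client run cannot: whether the failures cluster by error class (an `SSLError` raised during the handshake versus a plain `ConnectionResetError` after the DC closes the socket, which is what Event ID 1216 describes) and whether the ratio changes when you vary one thing at a time, such as the client certificate, the CA file or the host name used to connect. Run `probe_handshakes` once with the client cert loaded and once without it (drop the `load_cert_chain` call); if the server-only handshake never fails, the problem sits in the client-certificate exchange and the issuer check against the advertised CA list is the next thing to confirm.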
 

ido.hadanny

Hi Wendy, did you get any progress with that?

Wendy said:
Hi All,

I'm trying to connect to an active directory (W2K server) using ssl (with
client authentication)
[...]
 

ido.hadanny

Hi Wendy, any progress with that one?
I'm trying something similar, with a java client, but can't seem to
make the server acknowledge anything I try - I configured "directory
service : ldap interface events -> 5" as you advised, but nothing shows
in the Event log :( can you help? 10x
 

Wendy Moore

Hi there,

I didn't get any reaction on this problem :-(
so it's still a mystery for me....
I've also posted this issue to
microsoft.public.windows.server.active_directory but without any reaction!!!

Regards,

 
