Wednesday, April 6, 2016

[389-users] Re: SSL/TLS server side debugging howto?

On Sun, 2016-04-03 at 18:09 +0200, Graham Leggett wrote:
> Hi all,
> I have a 389ds v1.3.4 server as deployed by CentOS7 configured with SSL/TLS to
> require client certificates.
> Attempts to connect to this server using "openssl s_client" fail, and the
> failure is triggered by the 389ds server side as follows:
> 4 4  0.0079 (0.0009)  S>CV3.3(2)  Alert
>     level           fatal
>     value           bad_certificate
> 4    0.0080 (0.0000)  S>C  TCP FIN
> Unfortunately the error log on the 389ds server is dead silent on this issue,
> and without a sensible error message it is making debugging this very
> difficult.
> What mechanism must I use to enable any kind of logging inside 389ds that will
> indicate why a particular SSL/TLS connection is being rejected?

I believe that in the slapd access log by default you can see details about why
the authentication was failing. It will show you details about this:

>> [02/Feb/2016:18:34:00 +1000] conn=2721 fd=77 slot=77 SSL connection from
>> 2001:db8::5054:ff:fe89:97e2 to 2001:db8::5054:ff:fe89:97e2
>> [02/Feb/2016:18:34:00 +1000] conn=2721 TLS1.2 128-bit AES-GCM; client CN=CA
>> Subsystem,O=IPA.EXAMPLE.COM; issuer CN=Certificate
>> Authority,O=IPA.EXAMPLE.COM
>> [02/Feb/2016:18:34:00 +1000] conn=2721 TLS1.2 failed to map client certificate
>> LDAP DN (Could not matching certificate in User's LDAP entry)
>> [02/Feb/2016:18:34:00 +1000] conn=2721 op=0 BIND dn="" method=sasl version=3
>> mech=EXTERNAL
>> [02/Feb/2016:18:34:00 +1000] conn=2721 op=0 RESULT err=49 tag=97 nentries=0
>> etime=0

Additionally, using the ldapsearch command with highlevels of debugging may help


William Brown
Software Engineer
Red Hat, Brisbane

No comments:

Post a Comment