[CentOS] ldapsearch w. SSL refuses to connect to server with openssl 1.0.1 (worked with openssl 1.0.0)

Tue Dec 17 19:35:36 UTC 2013
Frank Thommen <frank.thommen at embl-heidelberg.de>

Hi,

ldapsearch with an ldaps-URL stopped working recently, probably with the 
update from openssl 1.0.0 to openssl 1.0.1.

On a server with up-to-date packages (openssl-1.0.1e-16.el6_5.x86_64, 
openldap-clients-2.4.23-32.el6_4.1.x86_64) I get the following errors 
when issuing an ldapsearch (some parts anonymized):


[bad]# ldapsearch -H "ldaps://ldap.domain.org:6636/" -D <binddn> -x -W 
-b <searchbase> -d1 -s sub -v "uid=ME"
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/)
ldap_initialize( ldaps://ldap.domain.org:6636/??base )
ldap_create
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.domain.org:6636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 12.34.56.78:6636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap/cacerts' 
tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown 
PKCS #11 error.
TLS: error: connect - force handshake failure: errno 0 - moznss error -12226
TLS: can't connect: TLS error -12226:SSL peer rejected a handshake 
message for unacceptable content..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[bad]#


while on a system with slightly older OpenSSL package 
(openssl-1.0.0-27.el6_4.2.x86_64, same openldap-clients package 
version), I get the following error:

[good]# ldapsearch -H "ldaps://ldap.domain.org:6636/" -D <binddn> -x -W 
-b <searchbase> -d1 -s sub -v "uid=me"
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/)
ldap_initialize( ldaps://ldap.domain.org:6636/??base )
ldap_create
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.domain.org:6636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 12.34.56.78:6636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' 
certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory 
/etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign 
nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has 
been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been 
marked as not trusted by the user..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[good]#


It /does/ see the certificate, even though it has a problem with it. 
Since I know the LDAP server is trustable (despite the certificate 
issue), I can work around it with "TLS_REQCERT never" in 
/etc/openldap/ldap.conf or by prefixing the ldapsearch line with 
"LDAPTLS_REQCERT=never":

[good]# LDAPTLS_REQCERT=never ldapsearch -H 
"ldaps://ldap.domain.org:6636/" -D <binddn> -x -W -b <searchbase> -d1 -s 
sub -v "uid=me"
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/)
ldap_initialize( ldaps://ldap.domain.org:6636/??base )
ldap_create
ldap_url_parse_ext(ldaps://ldap.domain.org:6636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.domain.org:6636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 12.34.56.78:6636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' 
certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory 
/etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign 
nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has 
been marked as not trusted by the user..
TLS certificate verification: subject: CN=ldap.domain.org,OU=Domain 
Control Validated,C=DE, issuer: CN=GlobalSign Domain Validation CA - 
G2,O=GlobalSign nv-sa,C=BE, cipher: AES-256, security level: high, 
secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 
0, cache not reusable: 0
[... ldapsearch results here ...]
[good]#


If I do the same on the system with OpenSSL 1.0.1e, I get the same error 
as without this setting.


It could be a problem with the OpenSSL 1.0.1 package - hopefully not - 
or just a configuration issue.  I just have no idea which one.  Any 
pointer is highly appreciated.

Cheers
frank
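The three debug transcripts above differ in *where* the TLS setup fails: on the OpenSSL 1.0.0 box the handshake completes and only the issuer check fails (moznss -8172), which is why "TLS_REQCERT never" gets a session there, while on the 1.0.1 box the handshake itself is rejected (-12226) before any certificate is examined, so disabling verification changes nothing. The script below is an added example, not code from the post, CentOS or OpenLDAP: it triages `ldapsearch -d1` output by the moznss error codes and the `TLS certificate verification:` line, reports which stage failed, and extracts the server's subject and issuer so the issuing CA can be added to the client trust store instead of verification being switched off. The sample transcripts are constructed from the lines quoted in the post (non-TLS lines dropped, wrapped lines rejoined); the stage names and the advice strings are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed samples: the TLS-related lines from the three ldapsearch -d1 runs
# quoted in the post, with wrapped lines rejoined and non-TLS lines dropped.
BAD_OPENSSL_101 = """\
TLS: certdb config: configDir='/etc/openldap/cacerts' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: cannot open certdb '/etc/openldap/cacerts', error -8018:Unknown PKCS #11 error.
TLS: error: connect - force handshake failure: errno 0 - moznss error -12226
TLS: can't connect: TLS error -12226:SSL peer rejected a handshake message for unacceptable content..
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

GOOD_OPENSSL_100 = """\
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS: error: connect - force handshake failure: errno 2 - moznss error -8172
TLS: can't connect: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user..
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

GOOD_REQCERT_NEVER = """\
TLS: certdb config: configDir='/etc/openldap' tokenDescription='ldap(0)' certPrefix='cacerts' keyPrefix='cacerts' flags=readOnly
TLS: cannot open certdb '/etc/openldap', error -8018:Unknown PKCS #11 error.
TLS: could not get info about the CA certificate directory /etc/openldap/cacerts - error -5950:File not found.
TLS: certificate [CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS certificate verification: subject: CN=ldap.domain.org,OU=Domain Control Validated,C=DE, issuer: CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
"""

# moznss codes seen in the post, grouped by the stage at which they fire
# (grouping is this example's assumption, taken from the messages themselves).
HANDSHAKE_CODES = {-12226}          # handshake aborted before any certificate check
VERIFY_CODES = {-8172}              # handshake done, issuer not trusted
TRUST_STORE_CODES = {-8018, -5950}  # local certdb / CA directory problems

ERR_RE = re.compile(r"error (-?\d+)")
CERT_LINE = re.compile(
    r"TLS certificate verification: subject: (?P<subject>.*?), issuer: (?P<issuer>.*?), cipher:"
)


def error_codes(output: str) -> List[int]:
    """Return the distinct numeric error codes in the order they first appear."""
    seen: List[int] = []
    for m in ERR_RE.finditer(output):
        code = int(m.group(1))
        if code not in seen:
            seen.append(code)
    return seen


def triage(output: str) -> Dict[str, object]:
    """Classify one ldapsearch -d1 transcript by the TLS stage that failed."""
    codes = error_codes(output)
    cert = CERT_LINE.search(output)   # present only once a session was established
    result: Dict[str, object] = {"codes": codes, "subject": None, "issuer": None}
    if cert:
        result["subject"], result["issuer"] = cert.group("subject"), cert.group("issuer")

    present = set(codes)
    if cert and present & VERIFY_CODES:
        stage = "verification_bypassed"
        advice = ("session established only because verification was disabled; "
                  "add the issuer above to the client trust store and re-enable TLS_REQCERT")
    elif cert:
        stage, advice = "ok", "handshake and verification succeeded"
    elif present & HANDSHAKE_CODES:
        stage = "handshake_rejected"
        advice = ("handshake aborted before certificate verification; TLS_REQCERT never "
                  "cannot help here, compare client and server TLS settings")
    elif present & VERIFY_CODES:
        stage = "issuer_not_trusted"
        advice = ("handshake completed but the issuing CA is not trusted; install that CA "
                  "via TLS_CACERT / TLS_CACERTDIR in ldap.conf instead of disabling verification")
    elif present & TRUST_STORE_CODES:
        stage, advice = "trust_store", "client certdb could not be opened; check TLS_CACERTDIR"
    else:
        stage, advice = "unknown", "no recognised TLS diagnostics in this output"
    result["stage"], result["advice"] = stage, advice
    return result


if __name__ == "__main__":
    for name, sample in [("bad/1.0.1", BAD_OPENSSL_101),
                         ("good/1.0.0", GOOD_OPENSSL_100),
                         ("good/REQCERT=never", GOOD_REQCERT_NEVER)]:
        r = triage(sample)
        print(f"{name}: stage={r['stage']} codes={r['codes']} issuer={r['issuer']}")
        print(f"  advice: {r['advice']}")
```

Feed it the saved output of a `-d1` run (`ldapsearch ... -d1 2>&1 | tee run.log`, then `triage(open('run.log').read())`). Note that the two systems in the post also print different `certdb config` lines (empty prefixes on the 1.0.1 box, `cacerts` prefixes on the 1.0.0 one), which is worth comparing alongside the error codes.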