
STARTTLS failures post 10.5 to 10.6 migration

We have migrated our 10.5.8 OD server to 10.6.3 via the install DVD's migration feature. Post-migration, LDAP+TLS fails for 10.5 and 10.6 Mac clients as well as CentOS, Debian and FreeBSD clients.

ldap.conf has TLS_REQCERT set to never.

/etc/openldap/slapd_macosxserver.conf TLS settings:
TLSCertificatePassphraseTool "/usr/sbin/certadmin --get-private-key-passphrase /etc/certificates/gnome.darkhorse.com.794BB9A8C58B9E8517C0E02ABFEC9DF9AB635720.key.pem"
TLSCertificateFile /etc/certificates/gnome.darkhorse.com.794BB9A8C58B9E8517C0E02ABFEC9DF9AB635720.cert.pem
TLSCertificateKeyFile /etc/certificates/gnome.darkhorse.com.794BB9A8C58B9E8517C0E02ABFEC9DF9AB635720.key.pem
TLSCACertificateFile /etc/certificates/gnome.darkhorse.com.794BB9A8C58B9E8517C0E02ABFEC9DF9AB635720.chain.pem

We can verify the trust of the certs via openssl s_client -connect gnome.darkhorse.com:636 -showcerts -state

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department/emailAddress=hostmaster@darkhorse.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=MIS/CN=gnome.darkhorse.com/emailAddress=hostmaster@darkhorse.com
i:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department/emailAddress=hostmaster@darkhorse.com
-----BEGIN CERTIFICATE-----
CLIPPED
-----END CERTIFICATE-----
1 s:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department/emailAddress=hostmaster@darkhorse.com
i:/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department/emailAddress=hostmaster@darkhorse.com
-----BEGIN CERTIFICATE-----
CLIPPED
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=MIS/CN=gnome.darkhorse.com/emailAddress=hostmaster@darkhorse.com
issuer=/C=US/ST=Oregon/L=Milwaukie/O=Dark Horse Comics, Inc./OU=Dark Horse Network/CN=DHC MIS Department/emailAddress=hostmaster@darkhorse.com
---
No client certificate CA names sent
---
SSL handshake has read 2640 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 654B7294D9FAAE7FE553E5513172D78F02132946DC61B8FB192CDAB30E87B22C
Session-ID-ctx:
Master-Key: D8354A0742DAFEDB68E27E535FB6F5F998FFD7ED8F39429491D581F84314769811D0E5EACB2230972D52CF4CF360D245
Key-Arg : None
Start Time: 1271264425
Timeout : 300 (sec)
Verify return code: 0 (ok)

Using the check from Apple's documentation:
ldapsearch -LLL -x -H ldaps://gnome.darkhorse.com -b "dc=darkhorse,dc=com" succeeds.

However, using ldapsearch -h gnome.darkhorse.com -ZZZ -x -b "dc=darkhorse,dc=com" '(uid=donaldr)' returns ldap starttls: Protocol error (2)

This has been repeatable with the default cert and the migrated self-signed cert. The server in question has an ethernet interface with two IPs assigned to it; checkhostname returns no errors.

Any advice on additional tests, and especially pointers to the differences between 10.5 and 10.6 LDAP handling of TLS, would be appreciated.

Has anyone experienced any SSL/TLS issues post 10.6 OD migration?

Message was edited by: wjstevens

Many..., Mac OS X (10.6.2)

Posted on Apr 14, 2010 11:12 AM

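The post's two checks take different TLS paths, which is why one can pass while the other fails. `ldapsearch -H ldaps://...` (port 636) negotiates TLS before any LDAP PDU is sent; that is the same path `openssl s_client -connect ...:636` exercises. `ldapsearch -ZZZ` instead opens a cleartext LDAP session on 389 and sends a StartTLS ExtendedRequest (RFC 4511 section 4.14, OID 1.3.6.1.4.1.1466.20037); TLS starts only after the server answers with resultCode 0. The number in "Protocol error (2)" is LDAP resultCode 2, protocolError, and when it originates on the server it travels in that ExtendedResponse. The following is an added example, not code from the original post or from Apple or OpenLDAP: it encodes the StartTLS request byte for byte and decodes an ExtendedResponse so the resultCode can be read off a capture. The two responses at the bottom are constructed test vectors, not packets from the poster's server, and the diagnostic text in them is invented.

```python
START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

# RFC 4511 resultCode values a StartTLS attempt commonly returns.
RESULT_CODES = {
    0: "success",
    1: "operationsError",
    2: "protocolError",
    52: "unavailable",
    53: "unwillingToPerform",
}


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """Minimal two's-complement content octets for INTEGER / ENUMERATED."""
    if value == 0:
        return b"\x00"
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def build_start_tls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] StartTLS OID } }."""
    request_name = tlv(0x80, START_TLS_OID.encode("ascii"))  # [0] context-specific, primitive
    extended_request = tlv(0x77, request_name)                # 0x60 | 23: APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, ber_integer(message_id)) + extended_request)


def build_extended_response(message_id: int, result_code: int,
                            diagnostic: str = "", response_name: str = None) -> bytes:
    """Constructed ExtendedResponse used as a test vector (not a captured packet)."""
    body = (tlv(0x0A, ber_integer(result_code))      # resultCode ENUMERATED
            + tlv(0x04, b"")                         # matchedDN, empty
            + tlv(0x04, diagnostic.encode("utf-8"))) # diagnosticMessage
    if response_name is not None:
        body += tlv(0x8A, response_name.encode("ascii"))  # responseName [10]
    return tlv(0x30, tlv(0x02, ber_integer(message_id)) + tlv(0x78, body))  # 0x60 | 24


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated BER element")
    return tag, content, pos + length


def read_children(content: bytes):
    """Split a constructed element's content into (tag, content) children."""
    children, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        children.append((tag, body))
    return children


def parse_extended_response(message: bytes) -> dict:
    """Return messageID, resultCode, diagnosticMessage and responseName of an ExtendedResponse."""
    tag, content, end = read_tlv(message)
    if tag != 0x30 or end != len(message):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    (id_tag, id_body), (op_tag, op_body) = read_children(content)[:2]
    if id_tag != 0x02 or op_tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    fields = read_children(op_body)
    (code_tag, code), (_, matched_dn), (_, diagnostic) = fields[:3]
    if code_tag != 0x0A:
        raise ValueError("resultCode is not an ENUMERATED")
    result_code = int.from_bytes(code, "big", signed=True)
    response_name = next((b.decode("ascii") for t, b in fields[3:] if t == 0x8A), None)
    return {
        "message_id": int.from_bytes(id_body, "big", signed=True),
        "result_code": result_code,
        "result_name": RESULT_CODES.get(result_code, "other"),
        "matched_dn": matched_dn.decode("utf-8"),
        "diagnostic": diagnostic.decode("utf-8"),
        "response_name": response_name,
    }


# Constructed vectors: StartTLS accepted, and StartTLS refused with the code the post reports.
SUCCESS_RESPONSE = build_extended_response(1, 0, response_name=START_TLS_OID)
PROTOCOL_ERROR_RESPONSE = build_extended_response(1, 2, "StartTLS refused (constructed diagnostic)")

if __name__ == "__main__":
    print("StartTLS request:", build_start_tls_request(1).hex())
    for raw in (SUCCESS_RESPONSE, PROTOCOL_ERROR_RESPONSE):
        r = parse_extended_response(raw)
        print(f"resultCode {r['result_code']} ({r['result_name']}): {r['diagnostic'] or 'TLS may start'}")
```

The practical use is to capture port 389 during a failing `ldapsearch -ZZZ` and feed the server's first reply to `parse_extended_response`: a resultCode other than 0 means the server refused StartTLS and the diagnosticMessage field carries its reason, whereas an empty reply followed by a TLS alert points at the handshake itself, which the `openssl s_client` run against 636 would not have shown because it never sends the extended operation.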