Назад | Перейти на главную страницу

ldap ssl v2 v3 не может прочитать сервер Hallo A

Мне нужно подключить базу данных ApacheDS с помощью startTLS с клиентом OpenLDAP. Мой файл ldaprc содержит:

URI ldap://127.0.0.1:7323 ldaps://127.0.0.1:7423
SSL start_tls
SASL_MECH plain
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLS_REQCERT allow

Я использовал следующую команду:

ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -Z -d1

Я проверил, мой сервер прослушивает эти порты, я могу подключиться к другим клиентам (например, ldapbrowser, jxplorer), но тесты с OpenLdap не работают:

...

ldap_connect_to_host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f81d95282a0 msgid 1
wait4msg ld 0x7f81d95282a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f81d95282a0 msgid 1 all 1
** ld 0x7f81d95282a0 Connections:
* host: 127.0.0.1  port: 7323  (default)
refcnt: 2  status: Connected
last used: Tue Dec  8 09:51:45 2015
** ld 0x7f81d95282a0 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f81d95282a0 request count 1 (abandoned 0)
** ld 0x7f81d95282a0 Response Queue:
Empty
ld 0x7f81d95282a0 response count 0
ldap_chkResponseList ld 0x7f81d95282a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f81d95282a0 NULL
ldap_int_select
read1msg: ld 0x7f81d95282a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7f81d95282a0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f81d95282a0 0 new referrals
read1msg:  mark request completed, ld 0x7f81d95282a0 msgid 1
request done: ld 0x7f81d95282a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: error:140773F2:SSLroutines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

Есть идеи, что я делаю не так или что мне не хватает?

edit: Как вы меня спросили, я использовал параметр -ZZ и то, что у меня есть:

ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -ZZ -d1 ldap_url_parse_ext(ldap://localhost:7323)
ldap_create
ldap_url_parse_ext(ldap://localhost:7323/??base) ldap_extended_operation_s ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:7323
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7ff278d7e2a0 msgid 1
wait4msg ld 0x7ff278d7e2a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7ff278d7e2a0 msgid 1 all 1
** ld 0x7ff278d7e2a0 Connections:
* host: localhost  port: 7323  (default)   refcnt: 2  status: Connected
last used: Mon Dec 14 08:48:04 2015
** ld 0x7ff278d7e2a0 Outstanding Requests:  * msgid 1,  origid 1, status
InProgress    outstanding referrals 0, parent count 0   ld 0x7ff278d7e2a0 request count 1 (abandoned 0)
** ld 0x7ff278d7e2a0 Response Queue:    Empty   ld 0x7ff278d7e2a0 response count 0 ldap_chkResponseList ld 0x7ff278d7e2a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7ff278d7e2a0 NULL
ldap_int_select read1msg: ld 0x7ff278d7e2a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7ff278d7e2a0 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: 
read1msg: ld 0x7ff278d7e2a0 0 new referrals read1msg:  mark request completed, ld 0x7ff278d7e2a0 msgid 1 request done: ld 0x7ff278d7e2a0 msgid 1 res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1) 
ldap_parse_extended_result 
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x)
ber: ber_scanf fmt (}) ber: ldap_msgfree<br/>TLS trace:
SSL_connect:before/connect initialization 
TLS trace: SSL_connect:SSLv2/v3 write client hello A<br/> TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A 
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv#
alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11) additional info: error:140773F2:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

Я обнаружил, что ApacheDS не поддерживает SSLv2, как и Java 1.7 по умолчанию. Поэтому я отключил SSLv2 в OpenLDAP, добавив также минимальную версию протокола: TLS_PROTOCOL_MIN 3.3. Это был мой обходной путь.