
List:       fedora-directory-users
Subject:    Re: [389-users] SSL connection with 'startTLS' problem
From:       nbodnar <nbodnar () selectica ! com>
Date:       2014-10-25 18:34:32
Message-ID: 544BED38.2050004 () selectica ! com

I'm not so big an expert on SSL connections. But I know for certain that when 
you attempt to use a startTLS/SSL connection you have to generate a pair 
of keys (public and private key). One of the keys you should copy to the 
server, the other should be on the client. Without it the connection won't work. 
Also, you didn't mention a pair of keys, you only mentioned a 
self-signed key. If I understood rightly, this key is hardly the same as what is needed.

On 25.10.2014 19:34, David Boreham wrote:
>
> I think you're on the right track with the comment that the startTLS 
> extended op is not needed if the connection is already native SSL on 
> the SSL port. First thing I'd try, given the printer's penchant for 
> using startTLS would be to tell it to connect to the non-SSL port (389 
> is the default port number). If its behavior is consistent it will 
> connect, initiate the startTLS op, which will succeed.
>
> On 10/24/2014 4:20 PM, Karel Lang AFD wrote:
>> Hi guys,
>> please anyone could help me to decode error in access log?
>>
>> Problem description:
>> I need to make a Ricoh C3001 printer authenticate against 389 DS.
>>
>> The printer stubbornly tries to start TLS inside an SSL connection (if I 
>> read the log file correctly?) and the authentication fails, because 389 
>> doesn't know what to make of it (I think), see:
>>
>> The server uses ldaps:// method of connection on 636 port (with 
>> selfsigned certificates).
>>
>> [20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
>> [20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
>> [20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
>> [20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
>> [20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
>> [20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
>> [20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
>>
>> The 'err=53' means "server is unwilling to perform" and I see the same 
>> message in the printer logs.
>>
>> Also, you can see the printer starts an 'extended operation':
>>  EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> which I think it should not? (because it is already an SSL connection from the 
>> start?)
>>
>> different encryption (same result):
>> [root@srv-022 slapd-srv-022]# cat access | grep conn=48
>> [20/Oct/2014:18:35:56 +0200] conn=48 fd=68 slot=68 SSL connection from 192.168.2.139 to 192.168.2.245
>> [20/Oct/2014:18:35:57 +0200] conn=48 SSL 128-bit RC4
>> [20/Oct/2014:18:35:57 +0200] conn=48 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [20/Oct/2014:18:35:57 +0200] conn=48 op=0 RESULT err=1 tag=120 nentries=0 etime=1
>> [20/Oct/2014:18:35:57 +0200] conn=48 op=1 BIND dn="RICOH2-SB$" method=128 version=3
>> [20/Oct/2014:18:35:57 +0200] conn=48 op=1 RESULT err=53 tag=97 nentries=0 etime=0
>> [20/Oct/2014:18:35:57 +0200] conn=48 op=2 UNBIND
>> [20/Oct/2014:18:35:57 +0200] conn=48 op=2 fd=68 closed - U1
>>
>>
>> Please note the different encryption I tried to use, for e.g. 128-bit 
>> RC4 and 256-bit AES etc., but all produce the same result.
>>
>>
>> The printer has a choice for the use of SSL:
>> ssl 2.0 (set to 'yes')
>> ssl 3.0 (set to 'yes')
>> tls (I set this option to "NO" - but it made no difference and the result is 
>> still the same)
>>
>> Also, the printer has only 2 options:
>> 1.
>> use SSL/TLS - if I check this, port 636 is automatically used
>>
>> 2.
>> don't use SSL/TLS - if I check this option, port 389 is used
>>
>> Not much else to pick from (of course there are other LDAP things to fill in, 
>> like hostname etc.)
>>
>> I think this looks like a client problem? Or do you think I can try to 
>> tune something on the server side? - has anybody experienced 
>> similar troubles?
>>
>>

-- 
Nickolay Bodnar | Noc Engineer

Selectica | nbodnar@selectica.com

2/4 Observatorny ln. | Ukraine, Odessa

+380 097 439 2176
skype: bodnar_n
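As an added example (not code from the thread or from the 389 project), a small Python analyser that reads 389-ds access-log lines like the ones quoted above, groups them per conn=, and flags the pattern Karel describes: a connection that is already TLS on the ldaps port sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), gets err=1 (operationsError), and the following BIND fails with err=53 (unwillingToPerform). The conn=38 lines are the ones from the post with the mail wrapping undone; the conn=50 lines are constructed to show the contrast David suggests, a StartTLS on the plain port that succeeds, followed by a simple bind with an assumed DN. The check that the bind name contains no '=' is only a heuristic hint, not a diagnosis.

```python
"""Added example, not code from the thread or the 389 project: classify 389-ds
access-log lines per connection to spot StartTLS issued on an ldaps:// session."""
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"      # StartTLS extended operation (RFC 4511)
RESULT_CODES = {0: "success", 1: "operationsError", 53: "unwillingToPerform"}
BIND_METHODS = {128: "simple", 163: "sasl"}  # 0x80 simple bind, 0xa3 SASL bind

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
OP_RE = re.compile(r"^op=(\d+) ([A-Z]+)")

# conn=38: the lines quoted in the post, with the mail wrapping undone.
# conn=50: constructed for contrast, StartTLS on the plain port succeeding,
# then a simple bind with an assumed DN (not from the thread).
SAMPLE_LOG = [
    '[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245',
    '[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES',
    '[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0',
    '[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3',
    '[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0',
    '[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND',
    '[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1',
    '[20/Oct/2014:18:40:00 +0200] conn=50 fd=71 slot=71 connection from 192.168.2.139 to 192.168.2.245',
    '[20/Oct/2014:18:40:00 +0200] conn=50 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[20/Oct/2014:18:40:00 +0200] conn=50 op=0 RESULT err=0 tag=120 nentries=0 etime=0',
    '[20/Oct/2014:18:40:00 +0200] conn=50 SSL 256-bit AES',
    '[20/Oct/2014:18:40:01 +0200] conn=50 op=1 BIND dn="uid=printer,ou=services,dc=example,dc=com" method=128 version=3',
    '[20/Oct/2014:18:40:01 +0200] conn=50 op=1 RESULT err=0 tag=97 nentries=0 etime=0',
]


def parse_line(line):
    """Parse one access-log line into a dict; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "conn": int(m.group("conn")), "kind": None}
    for key, val in KV_RE.findall(rest):        # err=53, dn="...", oid="...", ...
        rec[key] = val.strip('"')
    op = OP_RE.match(rest)
    if "closed" in rest:
        rec["kind"] = "CLOSE"
    elif op:
        rec["op"], rec["kind"] = int(op.group(1)), op.group(2)
    elif "connection from" in rest:
        rec["kind"] = "CONNECT"
        rec["tls"] = "SSL connection from" in rest   # ldaps: TLS before any LDAP op
    elif rest.startswith("SSL "):
        rec["kind"] = "CIPHER"                       # negotiated cipher line
        rec["cipher"] = rest[4:]
    return rec


def diagnose(lines):
    """Return {conn: [(code, detail), ...]} with the findings per connection."""
    per_conn = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_conn[rec["conn"]].append(rec)
    findings = {}
    for conn, recs in sorted(per_conn.items()):
        out = []
        tls_from_start = any(r["kind"] == "CONNECT" and r.get("tls") for r in recs)
        pending = None   # last request (EXT/BIND) still waiting for its RESULT
        for r in recs:
            if r["kind"] == "EXT":
                pending = r
                if r.get("oid") == STARTTLS_OID and tls_from_start:
                    out.append(("starttls_on_ldaps",
                                f"op={r['op']} StartTLS requested although the "
                                "connection is already TLS (ldaps port)"))
            elif r["kind"] == "BIND":
                pending = r
            elif r["kind"] == "RESULT" and pending is not None:
                err = int(r.get("err", "0"))
                if err:
                    name = RESULT_CODES.get(err, "unknown")
                    if pending["kind"] == "EXT":
                        out.append(("ext_failed",
                                    f"op={r['op']} {pending.get('name')} -> err={err} ({name})"))
                    else:
                        method = BIND_METHODS.get(int(pending.get("method", 0)), pending.get("method"))
                        out.append(("bind_failed",
                                    f"op={r['op']} BIND dn={pending.get('dn')!r} method={method} "
                                    f"-> err={err} ({name})"))
                pending = None
        # Heuristic hint only: an LDAP DN has attribute=value components.
        for dn in (r.get("dn") for r in recs if r["kind"] == "BIND"):
            if dn and "=" not in dn:
                out.append(("bind_dn_not_dn",
                            f"bind name {dn!r} has no '=', so it is not an LDAP DN "
                            "(looks like an AD-style account name)"))
        findings[conn] = out
    return findings


if __name__ == "__main__":
    for conn, items in diagnose(SAMPLE_LOG).items():
        print(f"conn={conn}: {'clean' if not items else ''}")
        for code, detail in items:
            print(f"  [{code}] {detail}")
```

Run against a real access log with `diagnose(open("access").read().splitlines())`; any connection reported with `starttls_on_ldaps` is a client that should either be pointed at the plain port (389) so its StartTLS can succeed, or be told not to send StartTLS when it already connects with ldaps://.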

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users