ldap ssl v2 v3 无法读取服务器 hallo A

tag-icon tag-icon ssl openldap tls apache-ds
ldap ssl v2 v3 无法读取服务器 hallo A

我需要使用 startTLS 和 OpenLDAP 客户端连接 ApacheDS 数据库。我的 ldaprc 文件包含:

URI ldap://127.0.0.1:7323 ldaps://127.0.0.1:7423
SSL start_tls
SASL_MECH plain
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLS_REQCERT allow

我使用过的命令是:

ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -Z -d1

我已经检查过,我的服务器正在监听这些端口,我能够连接到其他客户端(例如 ldapbrowser、jxplorer),但使用 OpenLdap 的测试失败:

...

ldap_connect_to_host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f81d95282a0 msgid 1
wait4msg ld 0x7f81d95282a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f81d95282a0 msgid 1 all 1
** ld 0x7f81d95282a0 Connections:
* host: 127.0.0.1  port: 7323  (default)
refcnt: 2  status: Connected
last used: Tue Dec  8 09:51:45 2015
** ld 0x7f81d95282a0 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f81d95282a0 request count 1 (abandoned 0)
** ld 0x7f81d95282a0 Response Queue:
Empty
ld 0x7f81d95282a0 response count 0
ldap_chkResponseList ld 0x7f81d95282a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f81d95282a0 NULL
ldap_int_select
read1msg: ld 0x7f81d95282a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7f81d95282a0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f81d95282a0 0 new referrals
read1msg:  mark request completed, ld 0x7f81d95282a0 msgid 1
request done: ld 0x7f81d95282a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: error:140773F2:SSLroutines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

知道我做错了什么或者我遗漏了什么吗?

编辑:正如您所要求的,我使用了 -ZZ 选项,而我得到的是:

ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -ZZ -d1 ldap_url_parse_ext(ldap://localhost:7323)
ldap_create
ldap_url_parse_ext(ldap://localhost:7323/??base) ldap_extended_operation_s ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:7323
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7ff278d7e2a0 msgid 1
wait4msg ld 0x7ff278d7e2a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7ff278d7e2a0 msgid 1 all 1
** ld 0x7ff278d7e2a0 Connections:
* host: localhost  port: 7323  (default)   refcnt: 2  status: Connected
last used: Mon Dec 14 08:48:04 2015
** ld 0x7ff278d7e2a0 Outstanding Requests:  * msgid 1,  origid 1, status
InProgress    outstanding referrals 0, parent count 0   ld 0x7ff278d7e2a0 request count 1 (abandoned 0)
** ld 0x7ff278d7e2a0 Response Queue:    Empty   ld 0x7ff278d7e2a0 response count 0 ldap_chkResponseList ld 0x7ff278d7e2a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7ff278d7e2a0 NULL
ldap_int_select read1msg: ld 0x7ff278d7e2a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7ff278d7e2a0 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: 
read1msg: ld 0x7ff278d7e2a0 0 new referrals read1msg:  mark request completed, ld 0x7ff278d7e2a0 msgid 1 request done: ld 0x7ff278d7e2a0 msgid 1 res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1) 
ldap_parse_extended_result 
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x)
ber: ber_scanf fmt (}) ber: ldap_msgfree<br/>TLS trace:
SSL_connect:before/connect initialization 
TLS trace: SSL_connect:SSLv2/v3 write client hello A<br/> TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A 
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv#
alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11) additional info: error:140773F2:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

答案1

我发现 ApacheDS 不支持 SSLv2,默认情况下与 Java 1.7 相同。因此,我通过添加最低版本的协议关闭了 OpenLDAP 中的 SSLv2:TLS_PROTOCOL_MIN 3.3。这就是我的解决方法。

相关内容