openldap 2.4：olcTLSVerifyClient 需求

2024-5-30 • tag-icon

我正在运行 openLDAP 2.4.41 并尝试实现客户端 TLS 证书检查。我在服务器端配置了 TLS，如下所示。

olcTLSCACertificateFile: /etc/pki/trust/anchors/rootCA.pem
olcTLSCertificateKeyFile: /etc/openldap/openldap.key
olcTLSCertificateFile: /etc/openldap/openldap.crt

olcTLSVerifyClient当设置为时，TLS 连接工作正常try。

我的客户端ldap.conf如下（为了测试简单，我对服务器和客户端使用相同的证书）：

TLS_CACERT /etc/pki/trust/anchors/rootCA.pem
TLS_CACERTDIR /var/lib/ca-certificates/pem/
TLS_CERT /etc/openldap/openldap.crt
TLS_KEY /etc/openldap/openldap.key

现在，我正在设置olcTLSVerifyClient: demand。

> ldapsearch -d 1 -H ldaps:/// -v -x -D 'mydn' -w mysecret -b 'cn=log' -s base
ldap_url_parse_ext(ldaps:///)
ldap_initialize( ldaps://:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect success
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: [SKIPPED]
TLS certificate verification: depth: 0, err: 0, subject: [SKIPPED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read server session     ticket A
TLS: can't connect: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

在服务器日志中我看到以下内容：

slap_listener_activate(8):
>>> slap_listener(ldaps:///)
connection_get(11): got connid=1021
connection_read(11): checking for input on id=1021
connection_get(11): got connid=1021
connection_read(11): checking for input on id=1021
connection_read(11): TLS accept failure error=-1 id=1021, closing
connection_close: conn=1021 sd=11

我该如何调试为什么客户端证书检查不起作用？

更新：我在使用的时候openssl s_server就存在一种矛盾。

# openssl s_server -accept 636 -cert /etc/openldap/openldap.crt -key /etc/openldap/openldap.key -CAfile /etc/pki/trust/anchors/rootCA.pem -Verify 0
verify depth is 0, must return a certificate
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
ERROR
139864715617936:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3309:
shutting down SSL
CONNECTION CLOSED
ACCEPT

但 ldapsearch 仍然说

TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A

更新2：我使用 OpenSSL 1.0.1i

答案1

通常当 olcTLSVerifyClient 设置为尝试和有用但如果 olcTLSVerifyClient 设置为要求确实不是工作，这意味着服务器无法识别客户端证书（签署客户端证书的 rootCA 不被视为服务器上受信任的 CA）。

答案1

相关内容