Openldap 2.4.48-1 vs my company's pki

David Goldberg dsg18096@gmail.com
Tue Aug 6 15:23:00 GMT 2019 

Thank you, Brian that got me to a local build. Unfortunately that has the
same error as the binary installation of 2.4.48.  Here are relevant
snippets of the output from each version:


2.4.42 which works:



TLS trace: SSL_connect:before/connect initialization

TLS trace: SSL_connect:SSLv2/v3 write client hello A

TLS trace: SSL_connect:SSLv3 read server hello A

TLS certificate verification: depth: 2, err: 0, subject: /CN=MYCOMPANY BA
ROOT, issuer: /CN=MYCOMPANY BA ROOT

TLS certificate verification: depth: 1, err: 0, subject:
/DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3, issuer: /CN=MYCOMPANY BA ROOT

TLS certificate verification: depth: 0, err: 0, subject:
/O=mycompany.tld/OU=Servers/CN=uds.mycompany.tld, issuer:
/DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3

TLS trace: SSL_connect:SSLv3 read server certificate A

TLS trace: SSL_connect:SSLv3 read server key exchange A

TLS trace: SSL_connect:SSLv3 read server done A

TLS trace: SSL_connect:SSLv3 write client key exchange A

TLS trace: SSL_connect:SSLv3 write change cipher spec A

TLS trace: SSL_connect:SSLv3 write finished A

TLS trace: SSL_connect:SSLv3 flush data

TLS trace: SSL_connect:SSLv3 read finished A



2.4.48 which doesn’t:



TLS trace: SSL_connect:before SSL initialization

TLS trace: SSL_connect:SSLv3/TLS write client hello

TLS trace: SSL_connect:SSLv3/TLS write client hello

TLS trace: SSL_connect:SSLv3/TLS read server hello

TLS certificate verification: depth: 2, err: 19, subject: /CN=MYCOMPANY BA
ROOT, issuer: /CN=MYCOMPANY BA ROOT

TLS certificate verification: Error, self signed certificate in certificate
chain

TLS trace: SSL3 alert write:fatal:unknown CA

TLS trace: SSL_connect:error in error

TLS: can't connect: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed (self
signed certificate in certificate chain).


 I'm stumped at this point.

Thanks


On Mon, Aug 5, 2019, 18:41 Brian Inglis <Brian.Inglis@systematicsw.ab.ca>
wrote:

> On 2019-08-05 14:06, David Goldberg wrote:
> > On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount wrote:
> >> On Monday, August 05, 2019 9:22 AM -0400 David Goldberg wrote:
> >>> Sorry, was away from work over the weekend. I just tested with openssl
> >>> s_client and it works just fine.  Version is 1.1.1.  there is no self
> >>> signed certificate. It's signed with the company pki rather than
> >>> commercial and I've properly installed that chain. The problem send to
> be
> >>> with the new build, at least the weird ldd output leads me to that
> >>> conclusion. I'll try to find some time to build from source and see if
> it
> >> Do you mean you connected to the ldap server using OpenSSL s_client to
> >> confirm that works?  If that works and the ldapsearch (or other ldap
> >> client) binary does not, then you likely have a global /etc/ldap.conf
> (or
> >> whereever this build looks for it) or a ~/.ldaprc file that defines the
> >> path or file to find the CA certificate that would need updating.
> > Correct, openssl s_client works, as does the older build of ldapsearch.
> I
> > can't find any .ldaprc nor ldap.conf files on my system.
> > Unfortunately I've only set up my system for end user purposes. Building
> > from source will be a challenge. Any guidance (a link is fine) on what
> > packages to install to set that up? And do I need to worry about the
> > .cygport and patch files in the source distribution or will configure
> pick
> > them up?
>
> Install the cygport package and all its dependencies, plus the openldap
> source
> package, plus any build dependency packages named in the openldap.cygport
> DEPEND="" list.
>
> Change to the directory containing openldap.cygport and type:
>
>         $ cygport openldap.cygport download all test
>
> and deal with any missing lib*-devel packages or other issues arising
> during the
> build.
>
> --
> Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
>
> This email may be disturbing to some readers as it contains
> too much technical detail. Reader discretion is advised.
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

More information about the Cygwin mailing list