web-dev-qa-db-ja.com

LDAP ssl v2v3がサーバーhalloAを読み取れません

StartTLSを使用してOpenLDAPクライアントでApacheDSデータベースに接続する必要があります。私のldaprcファイルには次のものが含まれています。

URI ldap://127.0.0.1:7323 ldaps://127.0.0.1:7423
SSL start_tls
SASL_MECH plain
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLS_REQCERT allow

私が使用したコマンドは次のとおりです。

ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -Z -d1

サーバーがこれらのポートをリッスンしていることを確認しました。他のクライアント(ldapbrowser、jxplorerなど)に接続できますが、OpenLdapを使用したテストは失敗します。

.。

ldap_connect_to_Host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7f81d95282a0 msgid 1
wait4msg ld 0x7f81d95282a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f81d95282a0 msgid 1 all 1
** ld 0x7f81d95282a0 Connections:
* Host: 127.0.0.1  port: 7323  (default)
refcnt: 2  status: Connected
last used: Tue Dec  8 09:51:45 2015
** ld 0x7f81d95282a0 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f81d95282a0 request count 1 (abandoned 0)
** ld 0x7f81d95282a0 Response Queue:
Empty
ld 0x7f81d95282a0 response count 0
ldap_chkResponseList ld 0x7f81d95282a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f81d95282a0 NULL
ldap_int_select
read1msg: ld 0x7f81d95282a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7f81d95282a0 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f81d95282a0 0 new referrals
read1msg:  mark request completed, ld 0x7f81d95282a0 msgid 1
request done: ld 0x7f81d95282a0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: error:140773F2:SSLroutines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

何が間違っているのか、何が欠けているのか、何か考えはありますか?

編集:あなたが私に尋ねたように、私は-ZZオプションを使用しました、そしてそれは私が持っているものです:

ldapsearch -H ldap://localhost:7323 -D "uid=admin,ou=system" -w secret -ZZ -d1 ldap_url_parse_ext(ldap://localhost:7323)
ldap_create
ldap_url_parse_ext(ldap://localhost:7323/??base) ldap_extended_operation_s ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_Host: TCP localhost:7323
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_Host: Trying 127.0.0.1:7323
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x7ff278d7e2a0 msgid 1
wait4msg ld 0x7ff278d7e2a0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7ff278d7e2a0 msgid 1 all 1
** ld 0x7ff278d7e2a0 Connections:
* Host: localhost  port: 7323  (default)   refcnt: 2  status: Connected
last used: Mon Dec 14 08:48:04 2015
** ld 0x7ff278d7e2a0 Outstanding Requests:  * msgid 1,  origid 1, status
InProgress    outstanding referrals 0, parent count 0   ld 0x7ff278d7e2a0 request count 1 (abandoned 0)
** ld 0x7ff278d7e2a0 Response Queue:    Empty   ld 0x7ff278d7e2a0 response count 0 ldap_chkResponseList ld 0x7ff278d7e2a0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7ff278d7e2a0 NULL
ldap_int_select read1msg: ld 0x7ff278d7e2a0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
read1msg: ld 0x7ff278d7e2a0 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: 
read1msg: ld 0x7ff278d7e2a0 0 new referrals read1msg:  mark request completed, ld 0x7ff278d7e2a0 msgid 1 request done: ld 0x7ff278d7e2a0 msgid 1 res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1) 
ldap_parse_extended_result 
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (x)
ber: ber_scanf fmt (}) ber: ldap_msgfree<br/>TLS trace:
SSL_connect:before/connect initialization 
TLS trace: SSL_connect:SSLv2/v3 write client hello A<br/> TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A 
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv#
alert unexpected message.
ldap_err2string
ldap_start_tls: Connect error (-11) additional info: error:140773F2:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
1
eewe

ApacheDSがSSLv2をサポートしていないことがわかりました。これは、デフォルトでJava 1.7と同じです。したがって、最小バージョンのプロトコルも追加して、OpenLDAPでSSLv2をオフにしました。TLS_PROTOCOL_MIN 3.3。それが私の回避策でした。

0
eewe