| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:mime-version:references:in-reply-to:from:date | |
| :message-id:subject:to:content-type:content-transfer-encoding; | |
| q=dns; s=default; b=c0xsp1RCso48e8qDmxZfHU9q4fO3s6gVW9zrCr1Errz | |
| mlQGwkQmxBDXtvmbZ1jdIxoTOP8PHE8Jq36p3wJxsBqDLcZQSEtdTilzBjKawTgU | |
| W2JwZfN3TXFlWTQBmkcoyHZg1Pw3ZRw2yt6vOFpm5f/stCp+6Go5XLXRM9X270q0 | |
| = | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:mime-version:references:in-reply-to:from:date | |
| :message-id:subject:to:content-type:content-transfer-encoding; | |
| s=default; bh=/pNWk49ebMENybud+vdWelaK+qE=; b=BjnDFAFHtJuvD7vNR | |
| 73M697EYKS5V6m1W6TRkvUftqIWgdW6J6XfByZnK0TAE43msl/2ORBD4jcRWeFkD | |
| 7veMFP5vTV5nVr4PboWEHSajHYWnHHVwe7hJSW3EqJ6guFVJEUEL1Z561yIPY6Zl | |
| jpf+xFwnHs9hE/UFDAadZQIFn8= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Spam-SWARE-Status: | No, score=-1.7 required=5.0 tests=AWL,BAYES_00,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.1 spammy=ssl, issuer, H*c:alternative, alert |
| X-HELO: | mail-qk1-f194.google.com |
| DKIM-Signature: | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=c09SxEQgEK+OxZlqCqxcD3w4UKKFJv3E+t4qn1ldUis=; b=NKCnMkwtj2d+WUXGuxuxj5kKHlK+c7vu4p0EzViK8fR2Fyp/DHRdPveeWqRM3mIrd+ eC69VjyTZ5IiD5C/SzGEv+8nSYf+jxAnrOYqi7lW7eoKwWwycsFn+j+d0IJgdG/rnecp C/4KXPZsuNEe0EB3H9UK9M8NG4NtqQxSvxE7hixb9m+gyeOKT28ZMdFEyK/eaR5vLHc4 spDTgSKpNWbF1lGEsr1zqbvMch+4gjBY/5k2ojSnWbS/toDhsMfimRDJOCsJaUCy/Wpr LxCbCS3rW6/zcZGDcraAIRTtaaetBuUotowkHuJ/cVuXjJ5H/kjaOW/TL0HQ2M17Gua6 pRSw== |
| MIME-Version: | 1.0 |
| References: | <CAN9EdkY=zrEv31+PD8XXu9rVw4H_eXLEoMk5u=7H02Q1Xu7-Wg AT mail DOT gmail DOT com> <87ftmje5zb DOT fsf AT Rainer DOT invalid> <CAN9EdkYzh558w=CG3UkzgN0rg98eVx2V0BcdktEwVEW3dS1qCQ AT mail DOT gmail DOT com> <874l2y4ulo DOT fsf AT Rainer DOT invalid> <CAN9EdkYG1aFnaMAPM3jg=0psRoiS1rF7Hze618UYj1mHByjKbg AT mail DOT gmail DOT com> <228DE7899A9CF9C913C8B1B8 AT 192 DOT 168 DOT 1 DOT 39> <CAN9Edkbv6ZaHyLs3MVyYapgYa3XiXU2D+kr8o2zTCJivk8h0-w AT mail DOT gmail DOT com> <38c09027-12a9-4b38-b28c-fb3683815928 AT SystematicSw DOT ab DOT ca> |
| In-Reply-To: | <38c09027-12a9-4b38-b28c-fb3683815928@SystematicSw.ab.ca> |
| From: | David Goldberg <dsg18096 AT gmail DOT com> |
| Date: | Tue, 6 Aug 2019 11:23:32 -0400 |
| Message-ID: | <CAN9EdkaFMScEr8nEu9MatLOVGcMDjiS6LQG+c2ngKw-Pz-JB5w@mail.gmail.com> |
| Subject: | Re: Openldap 2.4.48-1 vs my company's pki |
| To: | cygwin AT cygwin DOT com |
| X-IsSubscribed: | yes |
| X-MIME-Autoconverted: | from quoted-printable to 8bit by delorie.com id x76FOKOn032352 |
Thank you, Brian that got me to a local build. Unfortunately that has the same error as the binary installation of 2.4.48. Here are relevant snippets of the output from each version: 2.4.42 which works: TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 2, err: 0, subject: /CN=MYCOMPANY BA ROOT, issuer: /CN=MYCOMPANY BA ROOT TLS certificate verification: depth: 1, err: 0, subject: /DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3, issuer: /CN=MYCOMPANY BA ROOT TLS certificate verification: depth: 0, err: 0, subject: /O=mycompany.tld/OU=Servers/CN=uds.mycompany.tld, issuer: /DC=ORG/DC=MYCOMPANY/CN=MYCOMPANY BA NPE CA-3 TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server key exchange A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A 2.4.48 which doesn’t: TLS trace: SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL_connect:SSLv3/TLS read server hello TLS certificate verification: depth: 2, err: 19, subject: /CN=MYCOMPANY BA ROOT, issuer: /CN=MYCOMPANY BA ROOT TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in error TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). I'm stumped at this point. Thanks On Mon, Aug 5, 2019, 18:41 Brian Inglis <Brian DOT Inglis AT systematicsw DOT ab DOT ca> wrote: > On 2019-08-05 14:06, David Goldberg wrote: > > On Mon, Aug 5, 2019, 15:25 Quanah Gibson-Mount wrote: > >> On Monday, August 05, 2019 9:22 AM -0400 David Goldberg wrote: > >>> Sorry, was away from work over the weekend. I just tested with openssl > >>> s_client and it works just fine. Version is 1.1.1. there is no self > >>> signed certificate. It's signed with the company pki rather than > >>> commercial and I've properly installed that chain. The problem send to > be > >>> with the new build, at least the weird ldd output leads me to that > >>> conclusion. I'll try to find some time to build from source and see if > it > >> Do you mean you connected to the ldap server using OpenSSL s_client to > >> confirm that works? If that works and the ldapsearch (or other ldap > >> client) binary does not, then you likely have a global /etc/ldap.conf > (or > >> whereever this build looks for it) or a ~/.ldaprc file that defines the > >> path or file to find the CA certificate that would need updating. > > Correct, openssl s_client works, as does the older build of ldapsearch. > I > > can't find any .ldaprc nor ldap.conf files on my system. > > Unfortunately I've only set up my system for end user purposes. Building > > from source will be a challenge. Any guidance (a link is fine) on what > > packages to install to set that up? And do I need to worry about the > > .cygport and patch files in the source distribution or will configure > pick > > them up? > > Install the cygport package and all its dependencies, plus the openldap > source > package, plus any build dependency packages named in the openldap.cygport > DEPEND="" list. > > Change to the directory containing openldap.cygport and type: > > $ cygport openldap.cygport download all test > > and deal with any missing lib*-devel packages or other issues arising > during the > build. > > -- > Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada > > This email may be disturbing to some readers as it contains > too much technical detail. Reader discretion is advised. > > -- > Problem reports: http://cygwin.com/problems.html > FAQ: http://cygwin.com/faq/ > Documentation: http://cygwin.com/docs.html > Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple > > -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |