Traveler/LDAP/HTTPS problem

hcl-bot · July 16, 2015, 7:36am

Hi,

I use LDAP for authenticating to traveler
There are configured SSL connection via 636 in Directory assistance database.
Everything worked fine, until I began use HTTPS for Traveler.
I have SSL certificate from third party CA.
I used kyrtool for implementation.
RSA private key, 4096 bit
SHA-256

When is new server.kyr in server document, authentication via LDAP doesn’t work.
When turn back old keyfile.kyr or change LDAP connection to 389 in Directory Assistance, everything works.

Thank you

hcl-bot · July 20, 2015, 3:15am

Subject: Re:What versions are each of the servers, and is the LDAP server running on Domino?

Domino 9.0.1 FP3

LDAP … Tivoli Directory server

Traveler 9.0.1.6

hcl-bot · July 20, 2015, 2:49pm

Subject: Domino console output…

If you set DEBUG_SSL_HANDSHAKE=2 on the Domino server, what messages do you see associated with the Domino → TDS connection over LDAPS? If switching the LDAP connection from SSL/TLS to plaintext makes the problem go away, the problem is probably in that space.

hcl-bot · July 17, 2015, 7:51am

Subject: RE: Is the server key 4096?

I try a 2048 bit key but there is same problem

hcl-bot · November 13, 2015, 12:39pm

Subject:

The Domino server server needs to know about the certificate information of the remote LDAP server it is connecting to. Please refer to the following technote:

Title: How to allow Directory Assistance to communicate with an external LDAP server using SSL encryption
Doc #: 1249483
URL: http://www.ibm.com/support/docview.wss?uid=swg21249483 http://www.ibm.com/support/docview.wss?uid=swg21249483

hcl-bot · July 16, 2015, 9:08am

Subject: Is the server key 4096?

Try a 2048-bit key and see if that works.

hcl-bot · July 21, 2015, 7:39am

Subject: Re:

This is console output after setting of debug parameter:

[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 0 Available cipherspec: 0x009D
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 1 Available cipherspec: 0x009C
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 2 Available cipherspec: 0x003D
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 3 Available cipherspec: 0x0035
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 4 Available cipherspec: 0x003C
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 5 Available cipherspec: 0x002F
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 6 Available cipherspec: 0x000A
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSL_TRUSTPOLICY> bits for signature hashes: 0014
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSL_Handshake> Enter
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSL_Handshake> outgoing ->protocolVersion: 0303
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLAdvanceHandshake Enter> Processed : 0 State: 4 (HandshakeClientIdle)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLAdvanceHandshake Enter> Processed : SSL_hello_request
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeClientHello
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLAdvanceHandshake Exit> State : 5 (HandshakeServerHello)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessProtocolMessage> Record Content: 22
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessHandshakeMessage Enter> Message: 2 State: 5 (HandshakeServerHello) Key Exchange: 0 Cipher: 0x0000 (Unknown Cipher)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessHandshakeMessage Enter> Message:= SSL_server_hello
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Server chose SSL/TLS version TLS1.0 (0x0301)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Server chose cipher spec RSA_WITH_AES_256_CBC_SHA (0x0035)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Extensions found in this message
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Extension type 0xFF01, extension length 0x0001
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessHandshakeMessage Exit> Message: 2 State: 5 (HandshakeServerHello) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLAdvanceHandshake Enter> Processed : 2 State: 5 (HandshakeServerHello)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLAdvanceHandshake Enter> Processed : SSL_server_hello
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLAdvanceHandshake Exit> State : 8 (HandshakeCertificate)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message: 11 State: 8 (HandshakeCertificate) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message:= SSL_certificate
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLProcessHandshakeMessage Exit> Message: 11 State: 2 (SSLErrorClose) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> After handshake state= 2 Status= -5000
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Exit Status = -5000
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Enter
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Current Cipher 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> After handshake2 state 2
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Exit Status = -6986
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]

hcl-bot · July 21, 2015, 9:55am

Subject: Looks like an invalid or untrusted certificate chain on the LDAP server

This section of the log shows that Domino was processing the LDAP server’s certificate chain when it hit a fatal problem, sending an alert back to the LDAP server and reporting “X509CertChainInvalid” back up to the higher levels.
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLAdvanceHandshake Exit> State : 8 (HandshakeCertificate)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message: 11 State: 8 (HandshakeCertificate) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message:= SSL_certificate
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLProcessHandshakeMessage Exit> Message: 11 State: 2 (SSLErrorClose) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> After handshake state= 2 Status= -5000
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Exit Status = -5000
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Enter
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Current Cipher 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> After handshake2 state 2
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Exit Status = -6986
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]

Did the “old” keyring file on Domino contain any trusted roots that aren’t in the new keyring file, such as, for example, the LDAP server’s trusted root? You can view that information in both keyring files via kyrtool, and can import any missing roots from the old keyring file into the new one also using kyrtool.

hcl-bot · July 23, 2015, 10:33am

Subject: Re:Looks like an invalid or untrusted certificate chain on the LDAP server

I don’t have old keyring file. It was new installation of domino server and traveler.

Traveler used only http and DA used connection via 636.

After enabling HTTPS with new keyring file started problems.

hcl-bot · July 17, 2015, 9:10am

Subject: What versions are each of the servers, and is the LDAP server running on Domino? <>