views: 36
answers: 1

Hi,

I'm trying to use Net::LDAP in Perl to do LDAPS authentication against my Server 2008 Active Directory and I'm having a hard time getting server verification to work. It works if in start_tls I use verify => 'none', but this is not so great.

When I use verify => 'require' (which is preferable), I get this error:

SSL connect attempt failed with unknown error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm at ./ldap.pl line 23, line 522.

When I test from the command line using OpenSSL s_client it works great, so I don't think it's an OpenSSL problem. I'm kind of a noob with Perl, so I'm not sure what else to debug.

Here's the relevant code snippet:

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Plain LDAP connection first; TLS is negotiated afterwards with start_tls
my $ldap = Net::LDAP->new('ho.mydomain.com')
    or die "LDAP error: $@";

# Upgrade to TLS and require that the server certificate chains to a CA in capath
my $mesg = $ldap->start_tls(
    sslversion => 'tlsv1',
    verify     => 'require',
    capath     => '/etc/ssl/certs/',
);
die $mesg->error if $mesg->is_error;

The output from OpenSSL s_client:


New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: [removed]
    Session-ID-ctx:
    Master-Key: [removed]    
    Key-Arg   : None
    Start Time: 1278707544
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Any help would be greatly appreciated.

Thanks

A: 

Are you sure your s_client works properly when verifying the whole certificate chain (pass the -verify option)?

"unknown message digest algorithm" means that some crypto element in your chain does not support the digest hash for some certificate in the path to a trusted root.

It could be that an intermediate or root certificate is using the problematic hash algorithm (probably sha256 if you have an old openssl, or something really old if you have a new one).

Make sure you have a recent openssl library. See http://bugs.gentoo.org/294615 for one example of this happening.

Borealid
Interesting, thanks for the input! I think verification is working on the whole chain, s_client doesn't give any errors. Here's the top part of the output:

CONNECTED(00000003)
depth=1 /DC=com/DC=mydomain/DC=ho/CN=DC01
verify return:1
depth=0 /CN=dc03.ho.mydomain.com
verify return:1
---
Certificate chain
 0 s:/CN=dc03.ho.mydomain.com
   i:/DC=com/DC=mydomain/DC=ho/CN=DC01
---

My openssl version is 0.9.8h. Thanks again,
Tracert
Well, that's a dead end then. Trying again: Do you have all the prerequisites for Perl-LDAP installed? Specifically, if the server is offering DIGEST-MD5 SASL auth, you need to have Digest::MD5 installed.
Borealid
Also, make sure to use LDAP v3. There's really no reason you'd not want to do this. `Net::LDAP->new( 'ho.mydomain.com', version => 3 );`
Borealid
I think I've got all the prerequisites. My distro is SLES11-SP1, so I just used zypper to install perl-ldap and perl-ldap-ssl. It resolved a bunch of dependencies, too, including IO::Socket::SSL. I didn't have Digest::MD5, so I installed it just now with CPAN and specified the LDAP version also, but no love.
Tracert
Hey is it possible there's something weird about my CA cert? It's an internal one generated by my Server 2008 AD, which is running Active Directory Certificate Services.
Tracert
You've got me. One thing to try would be to use SSL instead of TLS (connect to the `ldaps` port). If that doesn't work, I'm out of ideas.
Borealid
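As an added example (not code from the poster or the answerer), the script below does the two things a practitioner would want here: first it connects to the ldaps port without verification purely to list each certificate the server sends together with the algorithm it was signed with, which is the quickest way to find the certificate whose digest the local OpenSSL rejects with "unknown message digest algorithm"; then it makes the real connection with LDAP v3, verify => 'require' and trust pinned to a single CA file, over ldaps:// and over start_tls. The hostname, CA file path, bind DN and LDAP_PASSWORD environment variable are placeholders; it also assumes an IO::Socket::SSL with peer_certificates and a Net::SSLeay with P_X509_get_signature_alg, both newer than the SLES11 versions discussed in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_NONE);
use Net::SSLeay;
use Net::LDAP;

# Placeholders for this example, not values from the thread.
my $host   = 'ho.mydomain.com';
my $cafile = '/etc/ssl/certs/ad-root-ca.pem';   # AD CS root, exported as PEM

# Step 1: list the certificates the server actually presents and the
# algorithm each was signed with. Whichever one names a digest the local
# OpenSSL cannot compute is the one that triggers the verify failure.
sub chain_signature_algorithms {
    my ($host) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => 636,              # ldaps: TLS from the first byte
        SSL_verify_mode => SSL_VERIFY_NONE,  # diagnostics only: we want the chain even when it fails
    ) or die "TLS connect to $host:636 failed: $IO::Socket::SSL::SSL_ERROR\n";

    my @report;
    for my $x509 ($sock->peer_certificates) {   # leaf first, then the rest of the chain
        my $subject = Net::SSLeay::X509_NAME_oneline(
            Net::SSLeay::X509_get_subject_name($x509));
        my $issuer  = Net::SSLeay::X509_NAME_oneline(
            Net::SSLeay::X509_get_issuer_name($x509));
        my $sigalg  = Net::SSLeay::OBJ_obj2txt(
            Net::SSLeay::P_X509_get_signature_alg($x509), 0);   # e.g. sha256WithRSAEncryption
        push @report, { subject => $subject, issuer => $issuer, sigalg => $sigalg };
    }
    $sock->close;
    return @report;
}

# Step 2: the connection you actually want. ldaps:// passes the same SSL
# options to IO::Socket::SSL that start_tls would, and verify => 'require'
# fails closed on any chain or hostname problem instead of silently continuing.
sub ldap_connect_verified {
    my ($host, $cafile) = @_;
    my $ldap = Net::LDAP->new("ldaps://$host",
        version => 3,
        verify  => 'require',
        cafile  => $cafile,      # trust exactly this CA, not everything in capath
    ) or die "LDAPS connect failed: $@\n";
    return $ldap;
}

# Same policy over StartTLS on port 389, for directories that do not expose 636.
sub ldap_starttls_verified {
    my ($host, $cafile) = @_;
    my $ldap = Net::LDAP->new($host, version => 3)
        or die "LDAP connect failed: $@\n";
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die "start_tls failed: " . $mesg->error . "\n" if $mesg->is_error;
    return $ldap;
}

for my $cert (chain_signature_algorithms($host)) {
    printf "subject: %s\n  issuer: %s\n  signed with: %s\n",
        $cert->{subject}, $cert->{issuer}, $cert->{sigalg};
}

my $ldap = ldap_connect_verified($host, $cafile);
# Placeholder service account DN; the password comes from the environment.
my $mesg = $ldap->bind('CN=svc-ldap,OU=Service Accounts,DC=ho,DC=mydomain,DC=com',
                       password => $ENV{LDAP_PASSWORD});
die "bind failed: " . $mesg->error . "\n" if $mesg->code;
print "bound OK over a verified TLS session\n";
$ldap->unbind;
```

If the first loop prints a signature algorithm that `openssl dgst` on the client box does not recognise, the fix is on the client (a newer OpenSSL/Net::SSLeay), not in the Perl; if every algorithm is supported, the remaining difference from s_client is the trust store, which is why the example pins one CA file rather than relying on whatever happens to be in /etc/ssl/certs/.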