info at gwarband.de
2017-Mar-20 21:09 UTC
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
The one that works fine was my openxchange server, that loads contacts from openldap.

In my opinion I don't have a security framework like SELinux or AppArmor installed.

The output of namei -l /etc/ssl/certs/LetsEncrypt.pem
f: /etc/ssl/certs/LetsEncrypt.pem
drwxr-xr-x root root     /
drwxr-xr-x root root     etc
drwxr-xr-x root root     ssl
drwxr-xr-x root root     certs
lrwxrwxrwx root root     LetsEncrypt.pem -> /etc/ssl/own/LetsEncrypt.crt
drwxr-xr-x root root     /
drwxr-xr-x root root     etc
drwxr-xr-x root root     ssl
drwxr-x--- root ssl-cert own
-rw-r----- root ssl-cert LetsEncrypt.crt

Tobias

On 2017-03-20 21:49, Aki Tuomi wrote:
> Did you do some successful lookup with something there? I can see a few
> failed attempts and one that seems to have worked just fine.
>
> As pointed out earlier, are you using security frameworks like
> SELinux or AppArmor? Also, can you provide namei -l
> /etc/ssl/certs/LetsEncrypt.pem
>
> The failed attempts are really short, indicating a VERY early problem
> with SSL handshake.
>
> Aki
>
>> On March 20, 2017 at 9:24 PM info at gwarband.de wrote:
>>
>> I have a new pcap from beginning to the end with openldap "TLS
>> negotiation failed"
>>
>> https://gwarband.de/openldap/tracefile.dump
>>
>> The source ports are 45376 and 45377
>>
>> Tobias
>>
>> On 2017-03-20 19:59, Aki Tuomi wrote:
>>> Well, those actually *reduce* the possible algorithms that can be
>>> used, so uncommenting those can make things worse.
>>>
>>> Anyways, your pcap seems incomplete, can you try again?
>>>
>>> Aki
>>>
>>>> On March 20, 2017 at 8:14 PM info at gwarband.de wrote:
>>>>
>>>> I have also tested with 2.2.28 and this version has the same issue.
>>>>
>>>> The finding of compatible ciphers is not the problem because I have
>>>> uncommented the ldap entries:
>>>> TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
>>>> TLSProtocolMin 3.1
>>>>
>>>> Maybe you have further ideas.
>>>>
>>>> On 2017-03-20 17:42, Aki Tuomi wrote:
>>>>>> On March 20, 2017 at 5:28 PM info at gwarband.de wrote:
>>>>>>
>>>>>> Can somebody say something about this request?
>>>>>>
>>>>>> This is an email from the openldap-technical mailing list from
>>>>>> openldap.
>>>>>>
>>>>>> System details are mentioned in the other email.
>>>>>>
>>>>>> -------- Original message --------
>>>>>> Subject: Re: Dovecot can't connect to openldap over starttls
>>>>>> Date: 2017-03-20 16:18
>>>>>> From: Dan White <dwhite at cafedemocracy.org>
>>>>>> To: info at gwarband.de
>>>>>> Cc: openldap-technical at openldap.org
>>>>>>
>>>>>> On 03/20/17 16:06 +0100, info at gwarband.de wrote:
>>>>>>>> Debug Dovecot's implementation of ldap_start_tls_s().
>>>>>>> I don't have any idea how to set a higher debug level to dovecot.
>>>>>>> In my opinion I have the highest. So I can't deliver a greater log.
>>>>>>
>>>>>> I recommend consulting Dovecot's advice on how to run a debugger,
>>>>>> or dig into the code which calls libldap.
>>>>>
>>>>> Hi!
>>>>> I just ran a quick test, and the following things are needed:
>>>>>
>>>>> uris = ldap://ldap.host.com
>>>>> tls = yes
>>>>> tls_ca_cert_file = /path/to/cert-bundle.crt
>>>>>
>>>>> this has been tested with 2.2.28, and works just fine. Not sure why
>>>>> you are having issues.
>>>>>
>>>>> Of course this could be anything between not finding compatible
>>>>> ciphers to the LDAP server actually expecting client certificate,
>>>>> what with the logs not actually being too verbose unfortunately. There
>>>>> isn't too much to "debug" in Dovecot's TLS implementation, it's not
>>>>> doing anything fancy aside from calling the ldap_start_tls_s.
>>>>>
>>>>> I am not sure what debugging you could try further.
>>>>>
>>>>> Aki
Aki Tuomi
2017-Mar-21 07:06 UTC
Dovecot can't connect to openldap over starttls [REQUEST OF OPENLDAP]
Could you copy LetsEncrypt.pem to a world-readable location, with world-readable rights, and see if this helps with your problem. I saw you tried with cat using su(do), but unfortunately supplementary groups are not always used with processes.

Aki

On 20.03.2017 23:09, info at gwarband.de wrote:
> The one that works fine was my openxchange server, that loads contacts
> from openldap.
>
> In my opinion I don't have a security framework like SELinux or AppArmor
> installed.
>
> The output of namei -l /etc/ssl/certs/LetsEncrypt.pem
> f: /etc/ssl/certs/LetsEncrypt.pem
> drwxr-xr-x root root     /
> drwxr-xr-x root root     etc
> drwxr-xr-x root root     ssl
> drwxr-xr-x root root     certs
> lrwxrwxrwx root root     LetsEncrypt.pem -> /etc/ssl/own/LetsEncrypt.crt
> drwxr-xr-x root root     /
> drwxr-xr-x root root     etc
> drwxr-xr-x root root     ssl
> drwxr-x--- root ssl-cert own
> -rw-r----- root ssl-cert LetsEncrypt.crt
>
> Tobias
info at gwarband.de
2017-Mar-21 08:32 UTC
Dovecot can't connect to openldap over starttls [SOLVED]
Thank you very much for this idea. I thought I had already tried this out. I have copied the *.crt to the official ssl/cert dir and set the access to 644. And now all works correctly.

Tobias

On 2017-03-21 08:06, Aki Tuomi wrote:
> Could you copy LetsEncrypt.pem to a world-readable location, with
> world-readable rights, and see if this helps with your problem. I saw
> you tried with cat using su(do), but unfortunately supplementary groups
> are not always used with processes.
>
> Aki