ssl/tls troubles

16 views
Skip to first unread message

Natxo Asenjo

unread,
Sep 11, 2014, 11:58:06 AM9/11/14
to perl...@perl.org
hi,

in my host (fedora 20)I have imported the root CA certificate of our corporate AD domain. Using ldapsearch it works, and visiting secure sites signed by that CA are verified.

But I do not exactly know hot to tell my script how to do the same.

This is it:

use Net::LDAP;
use Data::Dumper;

my $ldap = Net::LDAP->new( 'd01.domain.tldl' ) or die "$@";

my $mesg = $ldap->start_tls(
    verify => 'require',
    capath => '/etc/ssl/certs/',
    sslversion => 'tlsv1',
);

print Dumper $mesg;

$mesg =$ldap->bind (
    "user",
     password    => 'pwd',
     version     => 3,
);

my $search = $mesg->search(
                        base    => "dc=domain,dc=tld",
                        scope   => "sub",
                        filter  => "(samaccountname=*)",
                        attr    => ['samaccountname'],
                    );

$mesg->code ;

for my $entry ( $mesg->entries) {
    print $entry->get_value( 'samaccountname'), "\n";;
}

$ldap->unbind;

$ perl department.pl
$VAR1 = bless( {
                 'responseName' => '1.3.6.1.4.1.1466.20037',
                 'matchedDN' => '',
                 'raw' => undef,
                 'mesgid' => 1,
                 'ctrl_hash' => undef,
                 'callback' => undef,
                 'controls' => undef,
                 'resultCode' => 1,
                 'parent' => bless( {
                                      'net_ldap_rawsocket' => bless( \*Symbol::GEN0, 'IO::Socket::INET' ),
                                      'net_ldap_debug' => 0,
                                      'net_ldap_mesg' => {},
                                      'net_ldap_host' => 'dc01.domain.tld',
                                      'net_ldap_port' => 389,
                                      'net_ldap_async' => 0,
                                      'net_ldap_uri' => 'dc01.domain.tld',
                                      'net_ldap_socket' => $VAR1->{'parent'}{'net_ldap_rawsocket'},
                                      'net_ldap_resp' => {},
                                      'net_ldap_scheme' => 'ldap',
                                      'net_ldap_version' => 3,
                                      'net_ldap_refcnt' => 1
                                    }, 'Net::LDAP' ),
                 'errorMessage' => 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
               }, 'Net::LDAP::Extension' );
Can't locate object method "search" via package "Net::LDAP::Bind" at department.pl line 43, <DATA> line 751.


So it clearly does not trust the certificate. The certificate is in /etc/ssl/certs/ca-bundle.trust.crt.

Any tips greatyl appreciated.


--
Groeten,
natxo

Natxo Asenjo

unread,
Sep 11, 2014, 1:40:49 PM9/11/14
to perl...@perl.org

ok, solved. I removed the capath and it works. It finds the certificate automatically.

Apologies for the noise.

--
Groeten,
natxo

Natxo Asenjo

unread,
Sep 11, 2014, 3:10:02 PM9/11/14
to perl...@perl.org
Hi Daniel,

On Thu, Sep 11, 2014 at 8:57 PM, Daniel Stutz <dst...@use-strict.net> wrote:
Did you try the ‚cafile‘ option of start_tls?

Yes, I tried that as well, but it did not work either. But apparently the module is smart enough to look into the default paths for openssl and if the cert is in there, you need nothing else but verify => 'require' when using the start_tls method. I tried removing the cert from there and the script croaked inmediately. And wireshark showed that everything was nicely encrypted.

Thanks!

--
groet,
natxo

Daniel Stutz

unread,
Sep 11, 2014, 2:57:38 PM9/11/14
to Natxo Asenjo, perl...@perl.org
Did you try the ‚cafile‘ option of start_tls?

Regards,
Daniel
Reply all
Reply to author
Forward
0 new messages