I'm not such a big expert with SSL connections. But I know exactly that when
you attempt to use a startTLS/SSL connection you should generate a couple
of keys (a public and a private key). One of the keys you should copy to the
server, the other should be on the client. Without it the connection won't work.
Also, you didn't mention a couple of keys, you only mentioned a
self-signed key. If I understood correctly, this key is hardly the same as what is needed.
On 25.10.2014 19:34, David Boreham wrote:
I think you're on the right track with the comment that the startTLS
extended op is not needed if the connection is already native SSL on
the SSL port. The first thing I'd try, given the printer's penchant for
using startTLS, would be to tell it to connect to the non-SSL port (389
is the default port number). If its behavior is consistent, it will
connect and initiate the startTLS op, which will succeed.
On 10/24/2014 4:20 PM, Karel Lang AFD wrote:
Hi guys,
could anyone please help me decode an error in the access log?
Problem description:
I need to make a Ricoh C3001 printer authenticate against 389 DS.
The printer stubbornly tries to start TLS inside the SSL connection (if I
read the log file correctly?) and the authentication fails, because 389
doesn't know what to make of it (I think), see:
The server uses the ldaps:// method of connection on port 636 (with
self-signed certificates).
[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 UNBIND
[20/Oct/2014:18:31:51 +0200] conn=38 op=2 fd=70 closed - U1
The 'err=53' means "server is unwilling to perform" and I see the same
message in the printer logs.
Also, you can see the printer starts an 'extended operation':
EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
which I think it should not? (because it is already an SSL connection from
the start?)
Different encryption (same result):
[root@srv-022 slapd-srv-022]# cat access | grep conn=48
[20/Oct/2014:18:35:56 +0200] conn=48 fd=68 slot=68 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:35:57 +0200] conn=48 SSL 128-bit RC4
[20/Oct/2014:18:35:57 +0200] conn=48 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:35:57 +0200] conn=48 op=0 RESULT err=1 tag=120 nentries=0 etime=1
[20/Oct/2014:18:35:57 +0200] conn=48 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:35:57 +0200] conn=48 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:35:57 +0200] conn=48 op=2 UNBIND
[20/Oct/2014:18:35:57 +0200] conn=48 op=2 fd=68 closed - U1
Please note the different encryption I tried to use, e.g. 128-bit
RC4 and 256-bit AES etc., but all produce the same result.
The printer has a choice for the use of SSL:
SSL 2.0 (set to 'yes')
SSL 3.0 (set to 'yes')
TLS (I set this option to "NO", but it made no difference and the result is
still the same)
Also, the printer has only 2 options:
1. use SSL/TLS - if I check this, port 636 is automatically used
2. don't use SSL/TLS - if I check this option, port 389 is used
Not much else to pick from (of course there are other LDAP things to fill in,
like hostname etc.).
I think this looks like a client problem? Or do you think I can try to
tune something on the server side? Has anybody experienced
similar troubles?
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Nickolay Bodnar | Noc Engineer
Selectica | nbodnar@xxxxxxxxxxxxx
2/4 Observatorny ln. | Ukraine, Odessa
+380 097 439 2176
skype: bodnar_n
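Added example, not from the thread or from 389 DS: a small parser for the access-log format quoted above that flags exactly the pattern in Karel's log, a connection accepted as "SSL connection" (ldaps, port 636) on which the client then sends the StartTLS extended operation, together with the server's verdict on that op and on the BIND that follows. The sample lines are constructed after the quoted excerpt; conn=51 (a plain-port client whose StartTLS succeeds) is invented for contrast, and the result-code names (1 = operationsError, 53 = unwillingToPerform) are the RFC 4511 names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 389 DS access-log excerpt in the thread: conn=38 is the
# printer's failing ldaps session, conn=51 a plain-port client whose startTLS succeeds.
SAMPLE_LOG = """\
[20/Oct/2014:18:31:50 +0200] conn=38 fd=70 slot=70 SSL connection from 192.168.2.139 to 192.168.2.245
[20/Oct/2014:18:31:50 +0200] conn=38 SSL 256-bit AES
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:31:50 +0200] conn=38 op=0 RESULT err=1 tag=120 nentries=0 etime=0
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 BIND dn="RICOH2-SB$" method=128 version=3
[20/Oct/2014:18:31:50 +0200] conn=38 op=1 RESULT err=53 tag=97 nentries=0 etime=0
[20/Oct/2014:18:40:00 +0200] conn=51 fd=71 slot=71 connection from 192.168.2.140 to 192.168.2.245
[20/Oct/2014:18:40:00 +0200] conn=51 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[20/Oct/2014:18:40:00 +0200] conn=51 op=0 RESULT err=0 tag=120 nentries=0 etime=0
"""
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation
LDAP_RESULT = {0: "success", 1: "operationsError", 53: "unwillingToPerform"}  # RFC 4511 codes
LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>\w+)(?P<args>.*)$")

def parse_access_log(text):
    # Per conn: peer address, whether TLS from the first byte (ldaps), ops and RESULT err codes.
    conns = defaultdict(lambda: {"peer": None, "ldaps": False, "ops": {}, "results": {}})
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        c, rest = conns[int(m["conn"])], m["rest"]
        if "connection from" in rest:  # accept line; "SSL connection from" means port 636
            c["peer"] = rest.split(" from ")[1].split(" to ")[0]
            c["ldaps"] = "SSL connection" in rest
        elif (op := OP_RE.match(rest)):  # cipher summaries, "closed" etc. have no op= and are skipped
            n = int(op["op"])
            if op["kind"] == "RESULT":
                c["results"][n] = int(re.search(r"err=(\d+)", op["args"])[1])
            else:
                c["ops"][n] = (op["kind"], op["args"].strip())
    return conns

def find_starttls_over_ldaps(conns):
    # Flag sessions that were TLS from the start yet sent StartTLS (the printer's pattern),
    # with the server's verdict on that op and on every BIND that followed.
    findings = []
    for conn_id, c in sorted(conns.items()):
        tls_ops = [n for n, (k, a) in c["ops"].items() if k == "EXT" and STARTTLS_OID in a]
        if c["ldaps"] and tls_ops:
            binds = [c["results"].get(n) for n, (k, _) in c["ops"].items() if k == "BIND"]
            findings.append({"conn": conn_id, "peer": c["peer"],
                             "starttls": LDAP_RESULT.get(c["results"].get(tls_ops[0]), "unknown"),
                             "bind": [LDAP_RESULT.get(e, "unknown") for e in binds]})
    return findings
```

Run over a real access log (`cat access | ...`) the same function points at the client addresses that need their LDAP port or SSL/TLS setting corrected, without reading each session by hand.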