
LDAP over TLS - Unknown CA - SNOM D785 (10.1.54.13)

Hi,


I have a problem with my LDAP over TLS configuration.

I followed the hints in https://service.snom.com/display/wiki/TLS+Support. The phone is configured with

ldap_over_tls=on
check_fqdn_against_server_cert=false

Also I installed the SNOM CA Cert from http://wiki.snom.com/Category:HowTo:Secure_Web_Client#Known_issues on the Windows Domain Controller in Trusted Root Certification Authorities.


Unfortunately the LDAP search doesn't work. In the log I can see the following lines:

Jun 15 15:26:20.909 [ERROR ] TLS: OSSL error (SSL connect setup): code 336417087, error:140D513F:SSL routines:ssl3_ctrl:ssl3 ext invalid servername
Jun 15 15:26:20.921 [ERROR ] TLS: Error 20 at depth 0: unable to get local issuer certificate
Jun 15 15:26:20.922 [ERROR ] TLS: Error 21 at depth 0: unable to verify the first certificate
Jun 15 15:26:20.923 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jun 15 15:26:20.923 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336085247, error:140840FF:SSL routines:ssl3_connect:unknown state
Jun 15 15:26:20.923 [ERROR ] PHN: TPL: Socket Error: 0/38/connected, Tls error, closing
Jun 15 15:26:27.911 [ERROR ] PHN: (req:14) LDAP Request Timeout: No final answer from LDAP server for request 2 

A PCAP trace is attached.


What am I missing? A hint would be great.


Thanks a lot.


With best regards


Marcus




I forgot to mention that I manually set the Server Certificate as an exception in the SNOM Phone.


Here you find the log in DEBUG2-Mode (with changed servernames):

Jun 15 15:50:02.298 [DEBUG2] LDAP: LdapTpl::Socket 0: Remote Tls:192.168.210.1:636, State 7/connecting
Jun 15 15:50:02.414 [DEBUG1] TLS: no session found for key: Tls::192.168.210.1:636
Jun 15 15:50:02.415 [ERROR ] TLS: OSSL error (SSL connect setup): code 336417087, error:140D513F:SSL routines:ssl3_ctrl:ssl3 ext invalid servername
Jun 15 15:50:02.415 [DEBUG2] TLS: 0x1005948 handshake start
Jun 15 15:50:02.415 [DEBUG2] TLS: 0x1005948 SSL_connect/0 before/connect initialization (0)
Jun 15 15:50:02.416 [DEBUG2] TLS: 0x1005948 SSL_connect/0 SSLv2/v3 write client hello A (0)
Jun 15 15:50:02.416 [NOTICE] TLS: new session
Jun 15 15:50:02.416 [DEBUG2] LDAP: LdapTpl::Socket 0: Remote Tls:192.168.210.1:636, State 8/connected
Jun 15 15:50:02.425 [DEBUG2] TLS: 0x1005948 SSL_connect/0 SSLv3 read server hello A (0)
Jun 15 15:50:02.427 [ERROR ] TLS: Error 20 at depth 0: unable to get local issuer certificate
Jun 15 15:50:02.427 [INFO ] TLS: Cert s: /CN=ServerDC5.Domain
Jun 15 15:50:02.427 [INFO ] TLS: Cert i: /DC=DE/DC=Domain/DC=AD/CN=AD-ServerDC1-CA
Jun 15 15:50:02.428 [DEBUG1] TLS: Found trusted cert, fingerprint 5b01xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfeb
Jun 15 15:50:02.429 [DEBUG1] TLS: Continue with cert due to explicit trust
Jun 15 15:50:02.429 [ERROR ] TLS: Error 21 at depth 0: unable to verify the first certificate
Jun 15 15:50:02.429 [INFO ] TLS: Cert s: /CN=ServerDC5.Domain
Jun 15 15:50:02.429 [INFO ] TLS: Cert i: /DC=DE/DC=Domain/DC=AD/CN=AD-ServerDC1-CA
Jun 15 15:50:02.430 [DEBUG1] TLS: 0x1005948 SSL Alert write/21:fatal:unknown CA
Jun 15 15:50:02.430 [DEBUG2] TLS: 0x1005948 SSL_connect/21 error in error
Jun 15 15:50:02.430 [DEBUG2] TLS: 0x1005948 SSL_connect/21 error in error
Jun 15 15:50:02.431 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jun 15 15:50:02.431 [DEBUG2] TLS: 0x1005948 SSL_connect/21 error in error
Jun 15 15:50:02.431 [ERROR ] TLS: OSSL error (GetDecryptedInput ssl error): code 336085247, error:140840FF:SSL routines:ssl3_connect:unknown state
Jun 15 15:50:02.432 [DEBUG2] LDAP: LdapTpl::Socket 0: Remote Tls:192.168.210.1:636, State 10/disconnected 

 

 

Hi, 


Maybe the server's certificate chain is incomplete because of a missing intermediate certificate.

I guess that your certificate doesn't accomplish the whole chain cycle, so you would have to configure your provisioning server certificate correctly.


best regards

snom support
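As an added illustration (not code from the thread or from snom), the following script triages exactly the kind of log shown above: it pulls each OpenSSL verify error out of the phone's TLS log together with the subject/issuer lines that follow it, and reports which certificate could not be chained and which issuing CA the phone was unable to find. The log lines embedded in it are constructed from the anonymised DEBUG2 output in this thread; the error-code table is OpenSSL's standard X509_V_ERR_* numbering.

```python
import re

# Constructed sample, modelled on the phone's DEBUG2 log in this thread
# (hostnames are the anonymised ones from the post, not a real deployment).
SAMPLE_LOG = """\
Jun 15 15:50:02.427 [ERROR ] TLS: Error 20 at depth 0: unable to get local issuer certificate
Jun 15 15:50:02.427 [INFO ] TLS: Cert s: /CN=ServerDC5.Domain
Jun 15 15:50:02.427 [INFO ] TLS: Cert i: /DC=DE/DC=Domain/DC=AD/CN=AD-ServerDC1-CA
Jun 15 15:50:02.429 [ERROR ] TLS: Error 21 at depth 0: unable to verify the first certificate
Jun 15 15:50:02.429 [INFO ] TLS: Cert s: /CN=ServerDC5.Domain
Jun 15 15:50:02.429 [INFO ] TLS: Cert i: /DC=DE/DC=Domain/DC=AD/CN=AD-ServerDC1-CA
Jun 15 15:50:02.430 [DEBUG1] TLS: 0x1005948 SSL Alert write/21:fatal:unknown CA
"""

# OpenSSL X509_V_ERR_* codes that the phone prints as "Error N at depth D".
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed leaf certificate is not in the trust store",
    19: "self-signed root of the chain is not in the trust store",
    20: "issuer is neither in the trust store nor in the chain the server sent",
    21: "chain holds only the leaf and it is not self-signed (no intermediate sent)",
}

ERR_RE = re.compile(r"TLS: Error (\d+) at depth (\d+): (.+)$")
CERT_RE = re.compile(r"TLS: Cert ([si]): (\S+)")


def parse_verify_errors(log):
    """Pair every verify error with the 'Cert s:'/'Cert i:' lines that follow it."""
    events, current = [], None
    for line in log.splitlines():
        m = ERR_RE.search(line)
        if m:
            current = {"code": int(m.group(1)), "depth": int(m.group(2)),
                       "message": m.group(3).strip(), "subject": None, "issuer": None}
            events.append(current)
            continue
        m = CERT_RE.search(line)
        if m and current is not None:
            current["subject" if m.group(1) == "s" else "issuer"] = m.group(2)
    return events


def diagnose(events):
    """Name the certificate that failed, the CA the client lacks, and why."""
    if not events:
        return None
    first = min(events, key=lambda e: e["depth"])  # depth 0 is the server's own cert
    codes = sorted({e["code"] for e in events})
    return {"failed_cert": first["subject"], "missing_ca": first["issuer"],
            "codes": codes, "chain_incomplete": 21 in codes,
            "reasons": [VERIFY_CODES.get(c, "unknown verify code %d" % c) for c in codes]}


if __name__ == "__main__":
    print(diagnose(parse_verify_errors(SAMPLE_LOG)))
```

For this log the result points at the DC's issuing CA ("CN=AD-ServerDC1-CA") as the certificate the phone could not find, which is the chain/trust-store question the reply above raises.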

