Using StartTLS with Perl-LDAP
I'm trying to use Net::LDAP in Perl to do LDAPS authentication against my Server 2008 Active Directory and I'm having a hard time getting server verification to work. It works if in start_tls I use verify => 'none', but this is not so great.
When I use verify => 'require' (which is preferable), I get this error:
SSL connect attempt failed with unknown error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm at ./ldap.pl line 23, line 522.
When I test from the command line using Openssl s_client it works great, so I don't think it's an OpenSSL problem. I'm kind of a noob with Perl, so I'm not sure what else to debug.
Here's the relevant code snippet:
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Plain LDAP connection first; TLS is negotiated afterwards with start_tls
my $ldap = Net::LDAP->new('ho.mydomain.com')
    or die "LDAP error: $@";

# Upgrade the connection; verify => 'require' fails unless the server
# certificate chains to a trusted root found under capath
my $mesg = $ldap->start_tls(
    sslversion => 'tlsv1',
    verify     => 'require',
    capath     => '/etc/ssl/certs/',
);
die $mesg->error if $mesg->is_error;
The output from OpenSSL s_client:
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: [removed]
    Session-ID-ctx:
    Master-Key: [removed]
    Key-Arg   : None
    Start Time: 1278707544
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Any help would be greatly appreciated.
Thanks
Are you sure your s_client works properly when verifying the whole certificate chain (pass the -verify option)?
"unknown message digest algorithm" means that some crypto element in your chain does not support the digest hash for some certificate in the path to a trusted root.
It could be that an intermediate or root certificate is using the problematic hash algorithm (probably sha256 if you have an old openssl, or something really old if you have a new one).
Make sure you have a recent openssl library. See http://bugs.gentoo.org/294615 for one example of this happening.
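As an added example (not code from the question or the answer above), the following stdlib-only Python script reads the outer signatureAlgorithm of each DER certificate in a chain and names the digest it was signed with, which is exactly what you need to spot the certificate whose hash your local OpenSSL cannot handle. The chain used here is a constructed skeleton with real Certificate framing and dummy contents; with real certificates you would feed the DER bytes of each file under capath.

```python
# RSA signature-algorithm OIDs (RFC 3279 / RFC 4055) -> digest they use
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
            "1.2.840.113549.1.1.11": "sha256"}

def der_tlv(buf, pos):
    # Read one DER element at pos: returns (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    # First byte packs arcs 1 and 2; remaining arcs are base-128 with continuation bit
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_digest(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, cert, _ = der_tlv(cert_der, 0)
    _, _, pos = der_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = der_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = decode_oid(oid_raw)
    return oid, SIG_OIDS.get(oid, "unknown")

def _der(tag, body):                       # short-form length is enough for samples
    return bytes([tag, len(body)]) + body

def constructed_cert(sig_oid_hex):
    # Constructed skeleton: real Certificate framing, dummy TBS and signature bytes
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 4))

def chain_report(chain):
    # One (index, oid, digest) per certificate, so the unsupported digest stands out
    return [(i,) + signature_digest(c) for i, c in enumerate(chain)]

if __name__ == "__main__":
    chain = [constructed_cert("2a864886f70d010105"), constructed_cert("2a864886f70d01010b")]
    for i, oid, name in chain_report(chain):
        print(f"cert[{i}] signature algorithm {oid} -> {name}")
```

PEM files under capath can be converted with openssl x509 -outform DER before being passed to signature_digest; any certificate that reports "unknown", or a digest newer than your OpenSSL build knows, is the one to look at.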