Hi again,

 

I have resolved the issue stated here below, and thus reply to my request for wisdom.

After many hours of reading on ssl and stunnel, understanding how the ssl handshake works and should take place, after reading more posts on ‘bugs’ and features, I was confronted to two possibilities that could explain why the handshake was not succeeding;

 

1)       There were too many root CA’s on the server (AD)

2)       The certs on the server (AD) used keys longer than 3500 bits

 

The fact is someone administering the win2k server had installed a new root CA, for another project…and no one was aware of this change. I removed all root CAs that would be useless to the server (there are lots ;-)) and tried the connection again. Tada, it worked great.

 

Cheers everyone,

Olivier

 


From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Olivier Rademakers
Sent: Thursday, September 02, 2004 12:48 AM
To: stunnel-users@mirt.net; openssl-users@openssl.org
Subject: ssl - excessive message size

 

Hi All,

 

I am having trouble with a secure connection that used to work until now. I am using an stunnel connection to transfer data from an ldap server(127.0.0.1) to Win Active Directory server (machineB.domain.com) in order to update AD with updated ldap data.

 

I have run stunnel in high verbosity manually so I could extract a log of a connection attempt. Here it is below:

 

# stunnel -c -f -D 7 -P /var/ldapad/ -d 127.0.0.1:6360 -r machineB.domain.com:636

 

LOG5[9318:1]: Using 'machineB.domain.com.636' as tcpwrapper service name

LOG7[9318:1]: RAND_status claims sufficient entropy for the PRNG

LOG6[9318:1]: PRNG seeded successfully

LOG5[9318:1]: stunnel 3.14 on sparc-sun-solaris2.7 PTHREAD

LOG7[9318:1]: Created pid file /var/ldapad/stunnel.machineB.domain.com.636.pid

LOG7[9318:1]: machineB.domain.com.636 bound to 127.0.0.1:6360

LOG7[9318:4]: machineB.domain.com.636 started

LOG5[9318:4]: machineB.domain.com.636 connected from 127.0.0.1:55001

LOG7[9318:4]: machineB.domain.com.636 connecting 172.27.24.4:636

LOG7[9318:4]: Remote host connected

LOG7[9318:4]: before/connect initialization

LOG7[9318:4]: before/connect initialization

LOG7[9318:4]: SSLv3 write client hello A

LOG7[9318:4]: SSLv3 read server hello A

LOG7[9318:4]: SSLv3 read server certificate A

LOG7[9318:4]: SSLv3 read server key exchange A

LOG7[9318:4]: SSLv3 read server key exchange A

LOG3[9318:4]: SSL_connect: error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size

LOG7[9318:4]: machineB.domain.com.636 finished (0 left)

 

I have searched for this error but to no avail and am wondering if any of you have already come across such, and if so would have the beginning of a solution, and why not The Solution ;-)

 

NB: When running stunnel with the “-c” operand (client mode), it is said the certificates are optional. I have captured the dialogue between the two machines, and apparently, the problem would be coming from the AD server as the DN (Distinguished Name) in the cert is ~8000 bytes long… The capture reveals other errors, checksum and more, so if needed I could append those to the problem stated here.

 

Again, unix-ldap side has not changed to my knowledge. The script has always been the same, and it worked until now.

 

The ldap server is SUN Solaris 2.8 with ssl 0.9.7b

 

Version of stunnel: stunnel 3.21 on sparc-sun-solaris2.8 PTHREAD

 

The AD server is a Windows 2000 machine.

 

Please enlighten me,

Olivier