ssl - excessive message size

Hi All,

I am having trouble with a secure connection that used to work until now. I am using a stunnel connection to transfer data from an ldap server (127.0.0.1) to a Win Active Directory server (machineB.domain.com) in order to update AD with updated ldap data. I have run stunnel in high verbosity manually so I could extract a log of a connection attempt. Here it is below:

# stunnel -c -f -D 7 -P /var/ldapad/ -d 127.0.0.1:6360 -r machineB.domain.com:636
LOG5[9318:1]: Using 'machineB.domain.com.636' as tcpwrapper service name
LOG7[9318:1]: RAND_status claims sufficient entropy for the PRNG
LOG6[9318:1]: PRNG seeded successfully
LOG5[9318:1]: stunnel 3.14 on sparc-sun-solaris2.7 PTHREAD
LOG7[9318:1]: Created pid file /var/ldapad/stunnel.machineB.domain.com.636.pid
LOG7[9318:1]: machineB.domain.com.636 bound to 127.0.0.1:6360
LOG7[9318:4]: machineB.domain.com.636 started
LOG5[9318:4]: machineB.domain.com.636 connected from 127.0.0.1:55001
LOG7[9318:4]: machineB.domain.com.636 connecting 172.27.24.4:636
LOG7[9318:4]: Remote host connected
LOG7[9318:4]: before/connect initialization
LOG7[9318:4]: before/connect initialization
LOG7[9318:4]: SSLv3 write client hello A
LOG7[9318:4]: SSLv3 read server hello A
LOG7[9318:4]: SSLv3 read server certificate A
LOG7[9318:4]: SSLv3 read server key exchange A
LOG7[9318:4]: SSLv3 read server key exchange A
LOG3[9318:4]: SSL_connect: error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size
LOG7[9318:4]: machineB.domain.com.636 finished (0 left)

I have searched for this error but to no avail and am wondering if any of you have already come across such, and if so would have the beginning of a solution, and why not The Solution ;-)

NB: When running stunnel with the "-c" operand (client mode), it is said the certificates are optional.

I have captured the dialogue between the two machines, and apparently the problem would be coming from the AD server, as the DN (Distinguished Name) in the cert is ~8000 bytes long. The capture reveals other errors, checksum and more, so if needed I could append those to the problem stated here. Again, the unix-ldap side has not changed to my knowledge. The script has always been the same, and it worked until now.

The ldap server is SUN Solaris 2.8 with ssl 0.9.7b
Version of stunnel: stunnel 3.21 on sparc-sun-solaris2.8 PTHREAD
The AD server is a Windows 2000 machine.

Please enlighten me,
Olivier

Hi again,

I have resolved the issue stated here below, and thus reply to my request for wisdom. After many hours of reading on ssl and stunnel, understanding how the ssl handshake works and should take place, and after reading more posts on 'bugs' and features, I was confronted with two possibilities that could explain why the handshake was not succeeding:

1) There were too many root CAs on the server (AD)
2) The certs on the server (AD) used keys longer than 3500 bits

The fact is someone administering the win2k server had installed a new root CA for another project, and no one was aware of this change. I removed all root CAs that would be useless to the server (there are lots ;-)) and tried the connection again. Tada, it worked great.

Cheers everyone,
Olivier

_____
From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Olivier Rademakers
Sent: Thursday, September 02, 2004 12:48 AM
To: stunnel-users@mirt.net; openssl-users@openssl.org
Subject: ssl - excessive message size

> Hi All, I am having trouble with a secure connection that used to work until now. I am using a stunnel connection to transfer data from an ldap server (127.0.0.1) to a Win Active Directory server (machineB.domain.com) in order to update AD with updated ldap data. I have run stunnel in high verbosity manually so I could extract a log of a connection attempt.
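The handshake message that tripped the "excessive message size" error in this thread is the one the server sends right after its key exchange: a CertificateRequest, whose certificate_authorities field lists the DER-encoded Distinguished Name of every CA the server trusts, so it grows with each root CA installed on the Windows side. The following script is an added example, not code from the thread or from stunnel or OpenSSL. It builds such a message from a list of constructed CA names, then parses the 4-byte handshake header and the CA list back out and reports the CA count, the size of the name list and whether the whole message crosses a size limit. The limit of 16384 bytes is an assumption (the SSLv3/TLS maximum plaintext record size); the thread does not state the exact limit OpenSSL 0.9.7 enforced. All function names (make_dn, make_certificate_request, parse_certificate_request) are the example's own.

```python
import struct

# HandshakeType value for CertificateRequest (SSLv3 / RFC 2246).
HANDSHAKE_CERTIFICATE_REQUEST = 13
# Assumed threshold for the "excessive" check: the SSLv3/TLS maximum plaintext
# record size. The thread does not say which limit OpenSSL 0.9.7 applied.
MAX_HANDSHAKE_MSG = 16384


def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def make_dn(common_name):
    """Constructed minimal X.501 Name holding a single CN attribute:
    SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString } } }."""
    oid_cn = der_tlv(0x06, bytes([0x55, 0x04, 0x03]))   # id-at-commonName
    value = der_tlv(0x13, common_name.encode("ascii"))   # PrintableString
    attribute = der_tlv(0x30, oid_cn + value)            # AttributeTypeAndValue
    rdn = der_tlv(0x31, attribute)                       # RelativeDistinguishedName (SET)
    return der_tlv(0x30, rdn)                            # Name (SEQUENCE)


def make_certificate_request(ca_names):
    """Build a CertificateRequest handshake message carrying the given DER names."""
    certificate_types = bytes([1, 1])                    # vector of one type: rsa_sign
    ca_list = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body = certificate_types + struct.pack("!H", len(ca_list)) + ca_list
    # Handshake header: 1-byte type, 3-byte big-endian body length.
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(message, limit=MAX_HANDSHAKE_MSG):
    """Parse the handshake header and certificate_authorities list.
    Returns sizes and whether the message exceeds the given limit."""
    if len(message) < 4:
        raise ValueError("truncated handshake header")
    msg_type = message[0]
    length = int.from_bytes(message[1:4], "big")
    if msg_type != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest: type %d" % msg_type)
    body = message[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    pos = 1 + body[0]                                    # skip certificate_types vector
    (ca_bytes,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ca_bytes
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    names = []
    while pos < end:
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
        if pos + 2 + dn_len > end:
            raise ValueError("DistinguishedName runs past certificate_authorities")
        names.append(body[pos + 2:pos + 2 + dn_len])
        pos += 2 + dn_len
    return {
        "length": length,                                # handshake body length
        "ca_count": len(names),
        "ca_bytes": ca_bytes,                            # size of the whole CA list
        "largest_dn": max((len(n) for n in names), default=0),
        "exceeds_limit": length > limit,
        "names": names,
    }


if __name__ == "__main__":
    # Constructed inputs: a server trusting two roots, then one trusting 300
    # roots with long names, the situation the thread describes.
    small = make_certificate_request([make_dn("Constructed Root CA 1"),
                                      make_dn("Constructed Root CA 2")])
    bloated = make_certificate_request([make_dn("C" * 100) for _ in range(300)])
    for label, msg in (("small", small), ("bloated", bloated)):
        r = parse_certificate_request(msg)
        print("%s: %d CAs, %d bytes of names, body %d bytes, over limit: %s"
              % (label, r["ca_count"], r["ca_bytes"], r["length"], r["exceeds_limit"]))
```

In a real diagnosis the bytes would come from a capture of the server's handshake, like the one Olivier took, rather than from make_certificate_request; the parser only needs the handshake message starting at its type byte. Watching ca_count and ca_bytes over time on a server is a cheap way to notice that someone added root CAs for an unrelated project, which is exactly the change that broke this tunnel.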