# OpenLDAP/TLS stopped working after update



## NuLL3rr0r (Aug 4, 2017)

Today, I updated two of my production servers after 2-3 months. Unfortunately, the mailserver login which uses OpenLDAP for AAA stopped working. I'm using Let's Encrypt for SSL certificate generation. One of these servers has been working for years as it was working up to this morning with the same configurations intact.

Here is my /var/log/maillog:


```
Aug  4 13:42:59 babaei dovecot: auth: Error: LDAP /usr/local/etc/dovecot/ldap.conf: ldap_start_tls_s() failed: Can't contact LDAP server
Aug  4 13:43:01 babaei dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<email@example.com>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS, session=<UY/crO1VuqfHMIWG>
Aug  4 13:43:03 babaei dovecot: auth: Error: LDAP /usr/local/etc/dovecot/ldap.conf: ldap_start_tls_s() failed: Can't contact LDAP server
Aug  4 13:43:05 babaei dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<email@example.com>, method=PLAIN, rip=94.100.185.205, lip=xxx.xxx.xxx.xxx, TLS: Disconnected, session=<K3UVre1VuqNeZLnN>
```

Even a simple ldapsearch won't work anymore:


```
$ ldapsearch -cxWD "cn=root,dc=example,dc=com" -b 'dc=example,dc=com' '(cn=root)'
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```

Here is the full log when I run slapd daemon in verbose mode:


```
$ /usr/local/libexec/slapd -V -h "ldap:/// ldaps:///" -u ldap -g ldap -d -1
.
.
.
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept: error:14035418:SSL routines:ACCEPT_SR_CERT:tlsv1 alert unknown ca
.
.
.
```

Full log from pastebin: https://pastebin.com/EC13xPAY

I'll appreciate your help. Thank you so much.


----------



## SirDice (Aug 4, 2017)

Is security/ca_root_nss installed and up to date?


----------



## NuLL3rr0r (Aug 4, 2017)

SirDice thank you for the suggestion.

It seems so:


```
$ pkg info | grep ca_root_nss
ca_root_nss-3.32               Root certificate bundle from the Mozilla Project
```

I digged a little bit more into the issue and found a bunch of these interesting warnings inside /var/log/maillog (a ~512k portion of the log is here https://pastebin.com/qmYGirRd):


```
Aug  4 11:49:03 babaei postfix/smtpd[39718]: warning: TLS library problem: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number:ssl_srvr.c:769:
```

I am using LibreSSL from ports instead of OpenSSL from base. I also found out that a patch for upgrading OpenLDAP submitted two months ago. And, another patch to make the new version build using LibreSSL on FreeBSD afterwards (https://svnweb.freebsd.org/ports/head/net/openldap24-server/ from ports svn).

I'm not sure if that's the root cause.


----------



## SirDice (Aug 4, 2017)

Did you build everything with DEFAULT_VERSIONS= ssl=libressl in /etc/make.conf?


----------



## NuLL3rr0r (Aug 4, 2017)

I seem to temporarily solved the issue by using a workaround. It turned out that my guess was right. This is what I did:

1. I made a backup of the port first: cd /usr/ports/net/ && tar cvJf ~/openldap24-server.tar.xz openldap24-server

2. I reverted distinfo to revision 408350 and the Makefile to 27389.

3. Then deleted the LibreSSL patch: `rm /usr/ports/net/openldap24-server/files/patch-libressl`

4. Rebuild anything depended on OpenLDAP client:


```
$ pkg info -r openldap-client
openldap-client-2.4.44:
   openldap-server-2.4.44
   sope3-3.2.10
   php70-ldap-7.0.22
   dovecot2-2.2.31_1

$ portupgrade -fr net/openldap24-client

$ service slapd restart
$ service dovecot restart
$ service php-fpm restart
```

5. I tried to login through the webinterface. But, got these errors:


```
Aug  4 15:00:59 babaei dovecot: imap(email@example.com): Error: Plugin 'antispam' not found from directory /usr/local/lib/dovecot
Aug  4 15:00:59 babaei dovecot: imap(email@example.com): Error: Internal error occurred. Refer to server log for more information.
```

To my surprise mail/dovecot2-antispam-plugin has been removed from ports without any mentioning of it inside /usr/ports/UPDATING.

6. I disabled the antispam plugin. And, viola! It works now.

I'll open a bug report on FreeBSD bugzilla.


----------



## NuLL3rr0r (Aug 4, 2017)

SirDice said:


> Did you build everything with DEFAULT_VERSIONS= ssl=libressl in /etc/make.conf?



Yes, I exactly did that. But, as I mentioned I believe it's either the patch or the new version which caused the trouble.

Thank you for your help.


----------



## NuLL3rr0r (Oct 15, 2017)

Well, for anyone comming across this. I finally had some time to play around with this and figured out what the problem is. I'm not sure what exactly changed in net/openldap-server-2.4.45 but I had to comment/remove the following line inside /usr/local/etc/openldap/ldap.conf since it cannot verifies ca anymore:


```
#tls_cacert /path/to/ca.pem
```

And also from my dovecot configuration:


```
#tls_ca_cert_file = /path/to/ca.pem
```

Since both server/client are the same machine for me, it seems redundant anyway.

Hope that helps.


----------

