JAAS ldap issue
IAM David Bantz
dabantz at alaska.edu
Wed Jun 3 04:27:09 UTC 2020
On Tue, Jun 2, 2020 at 5:34 PM IAM David Bantz <dabantz at alaska.edu> wrote:
> Yes 6361 is using "ldaps"; it is NOT using (is not configured for
> StartTLS).
>
> ldaps://cas-auth-t.alaska.edu:6361 establishes secure connection in
> legacy CAS server and in Apache Directory Studio.
>
> Both of the openssl commands return the same server cert (which is in the
> IdP trusted store);
>
> the second - with pointer to trusted certs - reports establishing a valid
> TLS1.2 encrypted connection;
>
>
> openssl s_client -showcerts -connect cas-auth-t.alaska.edu:6361
>
> CONNECTED(00000003)
>
> depth=0 C = US, postalCode = 99775, ST = Alaska, L = Fairbanks, street =
> 910 Yukon Drive, O = University of Alaska System, OU = UAS, CN =
> cas-auth-t.alaska.edu
>
> verify error:num=20:unable to get local issuer certificate
>
> verify return:1
>
> depth=0 C = US, postalCode = 99775, ST = Alaska, L = Fairbanks, street =
> 910 Yukon Drive, O = University of Alaska System, OU = UAS, CN =
> cas-auth-t.alaska.edu
>
> verify error:num=21:unable to verify the first certificate
>
> verify return:1
>
> ---
>
> Certificate chain
>
> 0 s:/C=US/postalCode=99775/ST=Alaska/L=Fairbanks/street=910 Yukon
> Drive/O=University of Alaska System/OU=UAS/CN=cas-auth-t.alaska.edu
>
> i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA
> Server CA
>
> -----BEGIN CERTIFICATE-----
>
> •••
>
> -----END CERTIFICATE-----
>
> ---
>
> Server certificate
>
> subject=/C=US/postalCode=99775/ST=Alaska/L=Fairbanks/street=910 Yukon
> Drive/O=University of Alaska System/OU=UAS/CN=cas-auth-t.alaska.edu
>
> issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA
> Server CA
>
> ---
>
> No client certificate CA names sent
>
> Peer signing digest: SHA512
>
> Server Temp Key: ECDH, P-256, 256 bits
>
> ---
>
> SSL handshake has read 2454 bytes and written 415 bytes
>
> ---
>
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
>
> Server public key is 2048 bit
>
> Secure Renegotiation IS supported
>
> Compression: NONE
>
> Expansion: NONE
>
> No ALPN negotiated
>
> SSL-Session:
>
> Protocol : TLSv1.2
>
> Cipher : ECDHE-RSA-AES128-GCM-SHA256
>
> Session-ID:
> B66CC36AB9D0BEE20C8BBC39DD5CD2415CF945D9A9C985F3A22DD976BF7FACDE
>
> Session-ID-ctx:
>
> Master-Key:
> 47BE18926CB47F42E42510B90A08EEAD5B7004312ACA9060AD82F1447D698267F650BD5E2529CF81A584817375F3CEB2
>
> Key-Arg : None
>
> Krb5 Principal: None
>
> PSK identity: None
>
> PSK identity hint: None
>
> TLS session ticket lifetime hint: 300 (seconds)
>
> TLS session ticket:
>
> •••
>
> Start Time: 1591147289
>
> Timeout : 300 (sec)
>
> Verify return code: 21 (unable to verify the first certificate)
>
> ---
>
> read:errno=0
>
>
>
>
> openssl s_client -showcerts -connect cas-auth-t.alaska.edu:6361 -CAfile
> /opt/shibboleth-idp-D/credentials/UAADrootCAs-P-Q-D-T-InC.pem
>
>
>
> CONNECTED(00000003)
>
> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
> Network, CN = USERTrust RSA Certification Authority
>
> verify return:1
>
> depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN =
> InCommon RSA Server CA
>
> verify return:1
>
> depth=0 C = US, postalCode = 99775, ST = Alaska, L = Fairbanks, street =
> 910 Yukon Drive, O = University of Alaska System, OU = UAS, CN =
> cas-auth-t.alaska.edu
>
> verify return:1
>
> ---
>
> Certificate chain
>
> 0 s:/C=US/postalCode=99775/ST=Alaska/L=Fairbanks/street=910 Yukon
> Drive/O=University of Alaska System/OU=UAS/CN=cas-auth-t.alaska.edu
>
> i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA
> Server CA
>
> -----BEGIN CERTIFICATE-----
>
> ••••
>
> -----END CERTIFICATE-----
>
> ---
>
> Server certificate
>
> subject=/C=US/postalCode=99775/ST=Alaska/L=Fairbanks/street=910 Yukon
> Drive/O=University of Alaska System/OU=UAS/CN=cas-auth-t.alaska.edu
>
> issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA
> Server CA
>
> ---
>
> No client certificate CA names sent
>
> Peer signing digest: SHA512
>
> Server Temp Key: ECDH, P-256, 256 bits
>
> ---
>
> SSL handshake has read 2454 bytes and written 415 bytes
>
> ---
>
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
>
> Server public key is 2048 bit
>
> Secure Renegotiation IS supported
>
> Compression: NONE
>
> Expansion: NONE
>
> No ALPN negotiated
>
> SSL-Session:
>
> Protocol : TLSv1.2
>
> Cipher : ECDHE-RSA-AES128-GCM-SHA256
>
> Session-ID:
> 37F7114BA64FE4A2117DEE1E684D1735C11B49F6A9EDE654A7449438E3F6D3DB
>
> Session-ID-ctx:
>
> Master-Key:
> 2B5A57D5CF9222EE0EEB349E25F8FF86A53A8DBD7EF36BFD5EA5592050CE5F01DB4AABC4B263D9EF553A185D36A8657E
>
> Key-Arg : None
>
> Krb5 Principal: None
>
> PSK identity: None
>
> PSK identity hint: None
>
> TLS session ticket lifetime hint: 300 (seconds)
>
> TLS session ticket:
>
> ••••
>
> Start Time: 1591147790
>
> Timeout : 300 (sec)
>
> Verify return code: 0 (ok)
>
> ---
>
> read:errno=0
>
>
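The two `openssl s_client` runs quoted above differ in exactly one thing: the second one was given a `-CAfile` bundle, and with it the verifier walks from the server's leaf up to the USERTrust root (`depth=2`, `depth=1`, `depth=0`, `Verify return code: 0`). In both runs the "Certificate chain" section lists only entry `0`, i.e. the server sends just its own leaf certificate, so any client (the IdP's JAAS/LDAP client included) must already hold the InCommon intermediate in its own truststore or it will fail with the same "unable to get local issuer certificate" / "unable to verify the first certificate" errors. The script below is an added example, not part of this thread: it parses `s_client` output into the trust-relevant fields and turns them into a verdict, so the comparison can be scripted rather than read by eye. The two sample outputs are constructed, abbreviated versions of the runs in the thread; the function names and the verdict strings are my own.

```python
import re

# Constructed sample output modelled on the first run in the thread (no -CAfile).
RUN_NO_CAFILE = """\
CONNECTED(00000003)
depth=0 C = US, ST = Alaska, O = University of Alaska System, CN = cas-auth-t.alaska.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Alaska, O = University of Alaska System, CN = cas-auth-t.alaska.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Alaska/O=University of Alaska System/CN=cas-auth-t.alaska.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 21 (unable to verify the first certificate)
---
"""

# Constructed sample output modelled on the second run (with the IdP's CA bundle).
RUN_WITH_CAFILE = """\
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, ST = Alaska, O = University of Alaska System, CN = cas-auth-t.alaska.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Alaska/O=University of Alaska System/CN=cas-auth-t.alaska.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_SUBJ_RE = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISS_RE = re.compile(r"^\s*i:(.*)$")
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)")
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)")
VERIFY_CODE_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)")


def parse_s_client(output):
    """Extract the trust-relevant fields from `openssl s_client -showcerts` text."""
    result = {
        "depths": [],          # (depth, subject) lines printed while verifying
        "verify_errors": [],   # (depth, errnum, message) for each verify error
        "chain": [],           # certificates the *server* actually sent
        "protocol": None, "cipher": None,
        "verify_return_code": None, "verify_message": None,
    }
    current_depth = None
    for line in output.splitlines():
        if m := DEPTH_RE.match(line):
            current_depth = int(m.group(1))
            result["depths"].append((current_depth, m.group(2)))
        elif m := VERIFY_ERR_RE.match(line):
            result["verify_errors"].append((current_depth, int(m.group(1)), m.group(2)))
        elif m := CHAIN_SUBJ_RE.match(line):
            result["chain"].append({"index": int(m.group(1)), "subject": m.group(2), "issuer": None})
        elif (m := CHAIN_ISS_RE.match(line)) and result["chain"]:
            result["chain"][-1]["issuer"] = m.group(1)
        elif m := PROTO_RE.match(line):
            result["protocol"] = m.group(1)
        elif m := CIPHER_RE.match(line):
            result["cipher"] = m.group(1)
        elif m := VERIFY_CODE_RE.match(line):
            result["verify_return_code"] = int(m.group(1))
            result["verify_message"] = m.group(2)
    # Length of the path the verifier built (server-sent certs plus local CAs).
    result["verified_path_length"] = max((d for d, _ in result["depths"]), default=-1) + 1
    return result


def diagnose(parsed):
    """Return a short verdict string explaining the verify outcome."""
    if parsed["verify_return_code"] == 0:
        return "ok"
    errnums = {num for _, num, _ in parsed["verify_errors"]}
    if len(parsed["chain"]) == 1 and errnums & {20, 21}:
        # Only the leaf was sent: the client must already trust the issuing CA.
        return "leaf-only-chain"
    if 20 in errnums:
        return "untrusted-issuer"
    return "failed:%s" % parsed["verify_message"]


if __name__ == "__main__":
    for name, text in (("no -CAfile", RUN_NO_CAFILE), ("with -CAfile", RUN_WITH_CAFILE)):
        p = parse_s_client(text)
        print(name, p["protocol"], p["cipher"], "sent=%d" % len(p["chain"]),
              "verified_path=%d" % p["verified_path_length"], diagnose(p))
```

Running it prints `leaf-only-chain` for the first run and `ok` for the second, with `sent=1` in both cases: the extra links in the second run's path come from the local CA bundle, not from the server. That is the check to carry over to the Java side: whichever truststore the IdP's LDAP/JAAS client reads must contain the InCommon RSA Server CA (and its root), because the server will not supply it.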