# SSL/TLS LDAP connections from PHP

## Luper

I'm having trouble making this simple example work:

```php
<?php
// $myDN / $myPwd are not defined in the post; placeholders added so the snippet runs.
$myDN  = 'cn=admin,dc=example,dc=com';   // placeholder bind DN
$myPwd = 'secret';                        // placeholder bind password

$ldap = ldap_connect("ldap://localhost");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);   // line 4 of the original file: this call emits the warning below
ldap_bind($ldap, $myDN, $myPwd);
ldap_close($ldap);
?>
```

Result:

```
Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in [...] on line 4
```

And in the logs:

```
slapd[7783]: conn=9 fd=16 ACCEPT from IP=127.0.0.1:48659 (IP=0.0.0.0:389)
slapd[7783]: conn=9 op=0 STARTTLS
slapd[7783]: conn=9 op=0 RESULT oid= err=0 text=
slapd[7783]: conn=9 fd=16 closed (TLS negotiation failure)
```

Trying with SSL gives similar results (I can connect to my LDAP database using TLS/SSL with ldapsearch and other tools).

This is apparently a known bug in PHP, but putting "TLS_REQCERT never" in /etc/openldap/ldap.conf or /etc/ldap/ldap.conf does not seem to affect PHP on Gentoo.

phpldapadmin 1.0.1 also fails to connect when activating TLS.

This is with PHP 5.2.1-r3; has anyone got TLS and/or SSL to work with it or another PHP version?

----------

## keyson

Hi,

As you state:

> (I can connect to my LDAP database using TLS/SSL with ldapsearch and other tools).

Then you may try the ssldump (in portage) to check what happens.

As you can connect you don't have the common error with the certificate.

----------

## Luper

I tried to ssldump my connections to see what happens; here are the results:

PHP/SSL dump (unsuccessful: Can't contact LDAP server):

```
# ssldump -i lo
New TCP connection #1: localhost(53256) <-> localhost(636)
1 1  0.0001 (0.0001)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_3DES
  Unknown value 0x33
  Unknown value 0x32
  Unknown value 0x2f
  TLS_RSA_WITH_IDEA_CBC_SHA
  SSL2_CK_IDEA
  SSL2_CK_RC2
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC4
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL2_CK_RC2_EXPORT40
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC4_EXPORT40
1 2  0.0010 (0.0008)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          bd 67 95 b6 9e e7 c5 13 95 5c 6b 7b fc 58 48 9b
          d8 64 92 35 8f 2b c3 b3 ba cc 27 33 cd 47 97 ab
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
1 3  0.0010 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0010 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.0016 (0.0006)  C>S  Alert
    level           fatal
    value           unknown_ca
1    0.0018 (0.0001)  C>S  TCP FIN
```

PHP/TLS dump (unsuccessful: Unable to start TLS: Connect error):

```
New TCP connection #2: localhost(45321) <-> localhost(389)
[...] (same as above)
```

`ldapsearch -v -x "(objectClass=*)" -H ldaps://localhost` dump (successful):

```
New TCP connection #12: localhost(40652) <-> localhost(636)
12 1  0.0032 (0.0032)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_3DES
  Unknown value 0x33
  Unknown value 0x32
  Unknown value 0x2f
  TLS_RSA_WITH_IDEA_CBC_SHA
  SSL2_CK_IDEA
  SSL2_CK_RC2
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC4
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL2_CK_RC2_EXPORT40
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC4_EXPORT40
12 2  0.0035 (0.0002)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          c2 72 13 b6 d3 be 3d c9 84 db 01 40 68 d8 0c 48
          f1 a2 fd 9d 90 bd 95 f0 7c 05 a3 a7 e2 8f 93 66
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
12 3  0.0035 (0.0000)  S>C  Handshake
      Certificate
12 4  0.0035 (0.0000)  S>C  Handshake
      ServerHelloDone
12 5  0.0044 (0.0008)  C>S  Handshake
      ClientKeyExchange
12 6  0.0044 (0.0000)  C>S  ChangeCipherSpec
12 7  0.0044 (0.0000)  C>S  Handshake
12 8  0.0069 (0.0025)  S>C  ChangeCipherSpec
12 9  0.0069 (0.0000)  S>C  Handshake
12 10 0.0073 (0.0003)  C>S  application_data
12 11 0.0073 (0.0000)  C>S  application_data
12 12 0.0074 (0.0001)  S>C  application_data
12 13 0.0074 (0.0000)  S>C  application_data
12 14 0.0085 (0.0011)  C>S  application_data
12 15 0.0085 (0.0000)  C>S  application_data
12 16 0.0088 (0.0002)  S>C  application_data
12 17 0.0088 (0.0000)  S>C  application_data
12 18 0.0095 (0.0006)  C>S  application_data
12 19 0.0095 (0.0000)  C>S  application_data
12 20 0.0097 (0.0001)  S>C  Alert
12    0.0097 (0.0000)  S>C  TCP FIN
12 21 0.0099 (0.0002)  C>S  Alert
12    0.0100 (0.0000)  C>S  TCP RST
```

So we get an "unknown_ca" error when trying to connect via PHP. Quoting the TLS protocol documentation:

> A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA. This ...

So the solution given in the PHP's bug report makes sense (putting "TLS_REQCERT never" in ldap.conf), but it does not work on Gentoo.
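The "unknown_ca" alert above is the client (libldap inside PHP) refusing slapd's certificate because it cannot find the issuing CA, so the fix is to make that CA known to the client, not to switch verification off. The following is an added example (my code, not code from this thread or from PHP's documentation) showing the verified way to do it from PHP. It assumes PHP 7.1 or later, where the LDAP_OPT_X_TLS_* constants exist and ldap_set_option() accepts null to set libldap's global TLS settings; the environment variable names and the CA file path are placeholders. It also goes slightly beyond the thread's StartTLS-on-389 case by accepting an ldaps:// URI, for which StartTLS must not be issued.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not from the thread. Connect to OpenLDAP over TLS from PHP
 * with certificate verification left ON: the CA that signed slapd's cert is
 * handed to libldap instead of disabling the check with TLS_REQCERT never.
 * Assumes PHP >= 7.1 linked against OpenLDAP's libldap.
 */

/**
 * Open an LDAP connection, upgrade it to TLS, verify the server certificate
 * against $caFile and bind. Returns the connection or throws on any failure.
 *
 * $uri may be ldap://host (StartTLS on 389) or ldaps://host (TLS on 636).
 */
function connectLdapVerified(string $uri, string $caFile, string $bindDn, string $password)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA bundle not readable: $caFile");
    }

    // Global libldap TLS settings (connection handle = null). Set them before
    // ldap_connect(): libldap builds its TLS context from them when the first
    // handshake starts, which is exactly where the thread's unknown_ca came from.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    // DEMAND = verify the chain and the hostname, abort the handshake otherwise.
    // The workaround discussed in the thread, TLS_REQCERT never, is equivalent to
    //   ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
    // which accepts any certificate, so anyone able to sit between PHP and slapd
    // could terminate the TLS session and read the bind password.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // ldaps:// is encrypted from the TCP connect; plain ldap:// needs StartTLS.
    if (stripos($uri, 'ldaps://') !== 0 && !ldap_start_tls($ldap)) {
        throw new RuntimeException('StartTLS failed: ' . tlsLdapDiagnostic($ldap));
    }

    // The password is only sent now, inside the verified TLS session.
    if (!ldap_bind($ldap, $bindDn, $password)) {
        $msg = tlsLdapDiagnostic($ldap);
        ldap_unbind($ldap);
        throw new RuntimeException('Bind failed: ' . $msg);
    }
    return $ldap;
}

/** ldap_error() plus the library/server diagnostic string when one is available. */
function tlsLdapDiagnostic($ldap): string
{
    $msg = ldap_error($ldap);
    $extended = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')
        && ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended)
        && $extended !== '') {
        $msg .= " ($extended)";
    }
    return $msg;
}

// Usage. Credentials and paths come from the environment (placeholder names),
// never from the script. LDAP_CA_FILE is a PEM file holding the CA that signed
// slapd's certificate; if StartTLS still fails with unknown_ca, that file does
// not contain the right CA (compare with TLS_CACERT in ldap.conf).
$ldap = connectLdapVerified(
    getenv('LDAP_URI') ?: 'ldap://localhost',
    getenv('LDAP_CA_FILE') ?: '/etc/openldap/cacert.pem',   // placeholder path
    getenv('LDAP_BIND_DN') ?: '',                            // '' = anonymous bind
    getenv('LDAP_BIND_PW') ?: ''
);
// Smoke test over the now-encrypted connection: read the root DSE.
$res = ldap_read($ldap, '', '(objectClass=*)', ['supportedLDAPVersion']);
var_dump(ldap_get_entries($ldap, $res)['count']);
ldap_unbind($ldap);
```

When this is run against the thread's setup, a wrong or missing CA file reproduces the "Unable to start TLS: Connect error" warning as a thrown exception rather than a silent bind over cleartext, which is the behaviour to want: a failed StartTLS must stop the bind, because ldap_bind() on a plain ldap:// connection would otherwise send the password unencrypted.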

----------

## Luper

Well, forget about that; I realize that this is more related to PHP than Gentoo. This bug has been open since 2002 and there is not even a beginning of documentation in the PHP documentation about LDAP and TLS.

phpldapadmin is simply not the right tool for me (I am trying to deploy a secured OpenLDAP), because it is written in PHP. JXPlorer seems to be a more serious solution :)

----------

