
Re: TLS/SSL problem - unsupported certificate



Tony Earnshaw wrote:
Antonio Camacho wrote, on 10. apr 2007 17:20:

[...]

My slapd.conf configuration:
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master-key.pem
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem

Don't use this:

TLSVerifyClient demand
#

If he's trying to use certificate-based authentication, then he needs that statement.

My ldap.conf configuration:
#
Base=mydomain
SIZELIMIT       0
TIMELIMIT       0

TLS_CACERT /etc/openldap/cacerts/cacert.pem

Don't use these:

TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY  /etc/openldap/cacerts/master-key.pem

Those two are ignored in ldap.conf anyway.

TLS_REQCERT demand

This is the default for a client, and in most cases it ought to remain with that setting.


My .ldaprc configuration:

~/.ldaprc is redundant; scrap it.

No. If he is trying to use certificate-based authentication, then the TLS_CERT and TLS_KEY directives belong in the ~/.ldaprc.


Since he didn't actually state whether he is trying to use cert-based authentication or not, and nobody has actually asked that question yet, you're offering advice without any factual basis for your suggestions.

Find out what the real problem is before offering advice. Find out what the real goal is first.

From the information provided so far, all that's certain is that he has a TLS certificate that is intended for use as a web server authentication certificate. The fact that he's trying to use it in both the server and the client configuration is the problem; the TLS library checks the certificate purpose. The client sent a server cert to the server, and the server won't allow it to be used for client authentication.

So, if the goal is to use certificate-based authentication, then the solution is to generate a proper certificate without any usage restrictions on it, or one that says it can be used for client authentication.

If the goal isn't to use certificate-based authentication, then some of your advice is correct. But you don't know enough at this point to say for certain. Ask for clarification before offering advice.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
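To see the certificate-purpose check Howard describes in action, here is an added shell example (not from the thread or from OpenLDAP) that uses openssl to issue two throw-away certificates under a demo CA and then verifies each for the sslserver and sslclient purposes, the same check a TLS library applies when a peer presents a certificate. All names and paths are constructed for the demo; the only assumption is an installed openssl.

```shell
#!/bin/sh
# Added example: a web-server certificate (extendedKeyUsage=serverAuth)
# is rejected as a *client* certificate purely on purpose, while a
# certificate issued with clientAuth passes. Everything is written to a
# temporary directory that is removed on exit.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away demo CA (constructed here, not the poster's cacert.pem)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
  -keyout "$WORK/ca-key.pem" -out "$WORK/cacert.pem" 2>/dev/null

# issue_cert NAME EKU : key + CSR + CA-signed cert carrying the given
# extendedKeyUsage value (serverAuth or clientAuth)
issue_cert() {
  name=$1; eku=$2
  printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 2 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# check_purpose CERT PURPOSE : the library's purpose check, as done by
# "openssl verify -purpose"; prints ok/fail and returns the same status
check_purpose() {
  if openssl verify -CAfile "$WORK/cacert.pem" -purpose "$2" "$1" >/dev/null 2>&1
  then echo "ok"; return 0
  else echo "fail"; return 1
  fi
}

issue_cert web-only serverAuth      # like the poster's web server cert
issue_cert ldap-client clientAuth   # what certificate-based auth needs

run_demo() {
  check_purpose "$WORK/web-only.pem" sslserver            # ok
  check_purpose "$WORK/web-only.pem" sslclient || true    # fail: wrong purpose
  check_purpose "$WORK/ldap-client.pem" sslclient         # ok
}
run_demo
```

The second check fails with "unsupported certificate purpose" even though the signature chain is valid, which is the situation the thread is about: a certificate intended for one purpose presented for another.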