
Unable to use self-signed certs (ITS#1914)



Full_Name: Quanah Gibson-Mount
Version: 2.1.2
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.13.58)


Under the OpenLDAP-2.1.2 build, it is no longer possible to use self-signed certs. It was possible to use self-signed certs in prior versions of OpenLDAP, and for development machines, I certainly don't want to shell out $$ to verisign just so I can use SSL for testing. :)


start_tls bombs out with the error:

ldap4:~> ldapsearch -d 65535 -H ldap://ldap4.stanford.edu/ -p 389 -b "" -s base -LLL -ZZ supportedSASLMechanisms
ldap_create
ldap_url_parse_ext(ldap://ldap4.stanford.edu/)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap4.stanford.edu:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 171.64.14.183:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=ldap4.Stanford.EDU
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 4
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldap4.stanford.edu  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jun 27 15:51:07 2002

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
 [snip]
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=California/L=Stanford/O=Stanford University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu, issuer: /C=US/ST=California/L=Stanford/O=Stanford University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Regards,
Quanah Gibson-Mount
Senior Systems Administrator
Stanford University
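
Added example, not part of the ITS report or of OpenLDAP itself: a shell script that reproduces the failure in the trace above with openssl (the verify callback rejects the server certificate at depth 0 with X509 error 18, "self signed certificate", because issuer and subject are the same), and then shows the way to make a self-signed server certificate acceptable without turning verification off: use the certificate itself as the trust anchor, which for the OpenLDAP client means pointing the ldap.conf TLS_CACERT directive at it. The hostname ldap4.example.test, the work directory and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the ITS report or from OpenLDAP): reproduce the
# depth-0 "self signed certificate" failure (X509 error 18) with openssl,
# then show the fix of trusting the server's own certificate as its CA.
# The hostname and work directory are assumptions for the demo.

set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="ldap4.example.test"   # assumed test hostname, not the real server

# Generate a throwaway self-signed server certificate (issuer == subject),
# the same shape as the certificate shown in the trace.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.pem" \
        -subj "/C=US/O=Example/CN=$HOST" >/dev/null 2>&1
    echo "$WORKDIR/server.pem"
}

# Verify against the default trust store only, i.e. with no trust anchor
# configured for this server.  Prints the X509 error number (18 means
# self-signed certificate at depth 0), "ok", or "other".
verify_untrusted() {
    out=$(openssl verify "$1" 2>&1 || true)
    case "$out" in
        *"error 18 at 0 depth"*) echo 18 ;;
        *": OK"*) echo ok ;;
        *) echo other ;;
    esac
}

# Verify with the certificate itself as the trust anchor: for a self-signed
# certificate the leaf is also the CA, so listing it as the CA file is enough.
verify_trusted() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Emit the ldap.conf fragment that gives the OpenLDAP client the same trust
# anchor while keeping certificate checking switched on.
ldap_conf_fragment() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Run all three steps and print the outcome of each.
demo() {
    cert=$(make_selfsigned_cert)
    echo "no trust anchor:   $(verify_untrusted "$cert")"
    echo "cert as anchor:    $(verify_trusted "$cert")"
    echo "ldap.conf fragment:"
    ldap_conf_fragment "$cert"
}
```

Run it with `sh -c '. ./selfsigned.sh; demo'`. Pointing TLS_CACERT at the server's own certificate leaves TLS_REQCERT demand in force, so the client still refuses any other certificate presented for that name; setting TLS_REQCERT never would also make start_tls succeed, but it disables server authentication entirely and leaves the session open to an active attacker.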