Unable to use self-signed certs (ITS#1914)
Full_Name: Quanah Gibson-Mount
Version: 2.1.2
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.13.58)
Under the OpenLDAP-2.1.2 build, it is no longer possible to use self-signed
certs.
It was possible to use self-signed certs in prior versions of OpenLDAP, and for
development machines, I certainly don't want to shell out $$ to verisign just so
I can use SSL for testing. :)
start_tls bombs out with the error:
ldap4:~> ldapsearch -d 65535 -H ldap://ldap4.stanford.edu/ -p 389 -b "" -s base
-LLL -ZZ supportedSASLMechanisms
ldap_create
ldap_url_parse_ext(ldap://ldap4.stanford.edu/)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP ldap4.stanford.edu:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 171.64.14.183:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=ldap4.Stanford.EDU
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 4
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_write: want=31, written=31
0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1
0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldap4.stanford.edu port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jun 27 15:51:07 2002
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
[snip]
TLS certificate verification: depth: 0, err: 18, subject:
/C=US/ST=California/L=Stanford/O=Stanford
University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu,
issuer: /C=US/ST=California/L=Stanford/O=Stanford
University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Regards,
Quanah Gibson-Mount
Senior Systems Administrator
Stanford University
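As an added triage helper, not part of the ITS report or of OpenLDAP, the script below decodes the two decisive lines of the trace above: the verification line with err 18 whose subject equals its issuer, and the 7-byte record 15 03 01 00 02 02 30 that the client writes just before "TLS: can't connect". Function names and the error tables are my own; the sample trace is excerpted from the report, with the line wrapping the mail archive gave it.

```python
import itertools, re

# OpenSSL X509 verify error codes that appear in "TLS certificate verification" lines.
X509_ERRORS = {18: "DEPTH_ZERO_SELF_SIGNED_CERT (leaf cert is its own issuer)",
               19: "SELF_SIGNED_CERT_IN_CHAIN (untrusted self-signed root)",
               20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY (issuer not in TLS_CACERT)"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {42: "bad_certificate", 43: "unsupported_certificate", 48: "unknown_ca"}

# Excerpt of the ldapsearch -d 65535 trace from the report, wrapped as in the mail.
TRACE = """TLS certificate verification: depth: 0, err: 18, subject:
/C=US/ST=California/L=Stanford/O=Stanford
University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu,
issuer: /C=US/ST=California/L=Stanford/O=Stanford
University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA"""

def dump_bytes(line):
    """Bytes of one 'OOOO: xx xx ... ascii' dump line, stopping at the ASCII column."""
    toks = line.split()[1:]
    hexs = itertools.takewhile(lambda t: re.fullmatch(r"[0-9a-fA-F]{2}", t), toks)
    return bytes(int(t, 16) for t in hexs)

def parse_alert(line):
    """Decode a TLS alert record: type 0x15, version(2), length(2), level(1), description(1)."""
    rec = dump_bytes(line)
    if len(rec) < 7 or rec[0] != 0x15:
        return None
    return {"version": f"{rec[1]}.{rec[2]}", "length": int.from_bytes(rec[3:5], "big"),
            "level": ALERT_LEVELS.get(rec[5], str(rec[5])),
            "description": ALERT_DESCS.get(rec[6], str(rec[6]))}

def parse_verify(text):
    """Depth, err, subject and issuer from an already re-joined verification line."""
    m = re.search(r"depth:\s*(\d+),\s*err:\s*(\d+),\s*subject:\s*(.+?),\s*issuer:\s*(.+)", text)
    if not m:
        return None
    err, subject, issuer = int(m.group(2)), m.group(3).strip(), m.group(4).strip()
    return {"depth": int(m.group(1)), "err": err, "reason": X509_ERRORS.get(err, f"err {err}"),
            "self_signed": subject == issuer}

def triage(trace):
    """Re-join the mail-wrapped verification message, then pair it with the alert sent."""
    m = re.search(r"TLS certificate verification: depth.*?(?=\nTLS|\Z)", trace, re.S)
    verify = parse_verify(m.group(0).replace("\n", " ")) if m else None
    a = re.search(r"^0000: 15 .*$", trace, re.M)
    return {"verify": verify, "alert": parse_alert(a.group(0)) if a else None}
```

Read together, the two results say the client itself rejected the peer (fatal unknown_ca, sent by the client) because the leaf certificate has no issuer in its CA list; for a self-signed server certificate that list has to contain the certificate itself, which is what the TLS_CACERT setting in ldap.conf is for.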