Re: (ITS#5749) client didn't send its own certificate to the server
bugs@shiva.hostoffice.hu wrote:
> Full_Name: Gabor Mayer
> Version: 2.4.11
> OS: debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (91.120.131.147)
>
>
> I discovered it when I turned on the peer verification at server side.
>
> I'm using the following configuration at client side:
>
> ldap.conf:
>
> BASE dc=example,dc=org
> URI ldaps://ldap.example.org
>
> TLS_CACERT /etc/ldap/server.crt
>
> /root/.ldaprc:
>
> TLS_CERT /etc/ldap/client.crt
> TLS_KEY /etc/ldap/client.key
>
> I tried TLS_CERT & TLS_KEY in ldap.conf and in .ldaprc without success.
>
> I tested it with ldapsearch -x and I got the following debug message at the server
> if TLSVerifyClient was turned on:
>
> TLS trace: SSL3 alert write:fatal:handshake failure
> TLS trace: SSL_accept:error in SSLv3 read client certificate B
> TLS: can't accept.
> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return
> a certificate s3_srvr.c:2455
>
> I captured the TCP flow at client side and I saw the server's certificate only.
> The client didn't send its own certificate to the server!
Works for me on Ubuntu 8.10 using GNUtls 2.4.1. I suggest you contact the
Debian folks about this. This ITS will be closed.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
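As an added example (not code from this thread or from OpenLDAP), a small Python checker that layers ldap.conf and .ldaprc the way the reporter split them and reports why a client would have no certificate to offer: TLS_CERT or TLS_KEY unset after merging, or the named file unreadable by the user running ldapsearch. It assumes libldap's ordering in which a later file overrides an earlier one, and it only inspects configuration and files, never a server.

```python
# Added example (not from the ITS thread): layer ldap.conf and .ldaprc the way
# libldap does (assumption: later files override earlier ones) and report why
# a client might not present a certificate. Offline; no server is contacted.
import os
from typing import Dict, List

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'OPTION value' lines; '#' starts a comment and blank lines are skipped.
    Option names are upper-cased so lookups are case-insensitive."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def effective_options(*sources: str) -> Dict[str, str]:
    """Merge config texts in order; a later source overrides an earlier one."""
    merged: Dict[str, str] = {}
    for text in sources:
        merged.update(parse_ldap_conf(text))
    return merged

def check_client_cert(opts: Dict[str, str], check_files: bool = True) -> List[str]:
    """List the problems that keep a client certificate from being offered:
    TLS_CERT or TLS_KEY unset, or (when check_files) unreadable by this user."""
    problems: List[str] = []
    for name in ("TLS_CERT", "TLS_KEY"):
        path = opts.get(name)
        if not path:
            problems.append(f"{name} is not set")
        elif check_files and not os.access(path, os.R_OK):
            problems.append(f"{name} file {path} is missing or not readable")
    return problems

# Constructed samples mirroring the report: TLS_CACERT in ldap.conf, the client
# certificate and key only in the user's .ldaprc.
LDAP_CONF = "BASE dc=example,dc=org\nURI ldaps://ldap.example.org\n\nTLS_CACERT /etc/ldap/server.crt\n"
LDAPRC = "TLS_CERT /etc/ldap/client.crt\nTLS_KEY /etc/ldap/client.key\n"

if __name__ == "__main__":
    problems = check_client_cert(effective_options(LDAP_CONF, LDAPRC))
    print("\n".join(problems) if problems else "TLS_CERT and TLS_KEY are set and readable")
```

Run it as the same user that runs ldapsearch, since a key file readable only by root is one of the cases it reports.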