I've been trying to get the 2.0/dev version to talk SSL/TLS and am having
trouble with the certificates. I read through the TLS faq
(http://www.openldap.org/faq/index.cgi?_highlightWords=ssl&file=185) and set
up the certificates the following way:
openssl req -new > new.cert.csr
openssl rsa -in privkey.pem -out ldap.key
openssl x509 -in new.cert.csr -out ldap.cert -req -signkey ldap.key -days 365
Then added to slapd.conf:
TLSCertificateFile /usr/local/ssl/certs/ldap.cert
TLSCertificateKeyFile /usr/local/ssl/certs/ldap.key
Started slapd: /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d 9
Then if I try and fire off an ldapsearch:
ldapsearch -b o=mp3.com,c=us -Z uid=scottk
ldapsearch error:
ldap_bind: Local error additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The slapd debug output is as follows:
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=2
connection_read(10): checking for input on id=2
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:956
connection_read(10): TLS accept error error=-1 id=2, closing
connection_closing: readying conn=2 sd=10 for close
Any thoughts/suggestions as to why I can't perform a secure ldapsearch? Thanx
in advance.
I'm using:
openldap-2.0 (just updated this morning 6/12/00)
openssl-0.9.5.a
--
Scott Kelley MP3.com, the Premier Music Service Provider (MSP)
Engineering
MP3.com, Inc.
scottk@mp3.com
Office: (858)623-7336
Cell: (858)382-3749
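The failure reported above happens at certificate-chain validation: the client ends up with a server certificate it has no trust anchor for, reports "certificate verify failed", and sends the server the fatal "unknown ca" alert seen in the slapd trace. The following added example (not part of the original post) reproduces that outcome with openssl(1) alone, outside of slapd and ldapsearch: it builds a self-signed certificate the way the post does (collapsed into one non-interactive command), shows that openssl verify rejects it with no trust anchor, and shows the same certificate validating once it is supplied as the CA file. The file names mirror the post; the subject name is a constructed placeholder, and openssl is assumed to be installed. For an OpenLDAP client, the equivalent of the -CAfile step is pointing the client's trust store at the server certificate or its issuing CA (the TLS_CACERT option in ldap.conf).

```shell
#!/bin/sh
# Added example, not from the original post: show why a self-signed slapd
# certificate fails client-side verification, and what a trust anchor changes.
# Assumes openssl(1) is on PATH. File names follow the post; the subject CN is
# a constructed placeholder.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate key + self-signed certificate non-interactively. This is the post's
# req / rsa / x509 sequence in a single command.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.cert" >/dev/null 2>&1
}

# A certificate whose issuer equals its subject is self-signed; no default
# trust store will accept it, which is what the ldapsearch client hit.
is_self_signed() {
    issuer=$(openssl x509 -in "$WORK/ldap.cert" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$WORK/ldap.cert" -noout -subject | sed 's/^subject= *//')
    if [ "$issuer" = "$subject" ]; then echo yes; else echo no; fi
}

# Perform the chain validation a TLS client does on the server certificate.
# Argument: optional CA file acting as the client's trust anchor.
# Prints 0 when the certificate validates, 1 when it is rejected.
verify_cert() {
    cafile=$1
    if [ -n "$cafile" ]; then
        if openssl verify -CAfile "$cafile" "$WORK/ldap.cert" >/dev/null 2>&1; then
            echo 0
        else
            echo 1
        fi
    else
        if openssl verify "$WORK/ldap.cert" >/dev/null 2>&1; then
            echo 0
        else
            echo 1
        fi
    fi
}

# Walk through the scenario: self-signed cert, rejected without a trust
# anchor, accepted once the client is told to trust it.
make_self_signed_cert
echo "certificate is self-signed:          $(is_self_signed)"
echo "verify with no trust anchor (1=fail): $(verify_cert "")"
echo "verify with ldap.cert as CA (0=ok):   $(verify_cert "$WORK/ldap.cert")"
```

The first verify call is the client's position in the post: it has only the system trust store, which does not contain the freshly minted ldap.cert, so validation fails and the client aborts the handshake with an "unknown ca" alert. The second call is the client after it has been handed the server certificate as a trust anchor. Giving the client the CA that signed the server certificate is the right fix; disabling verification on the client would make the connection encrypted but unauthenticated.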