
RE: openldap-2.0/TLS certificate error



How about on the client side? That is, how does
a client present a certificate to slapd when requested?
And how does a client verify the server certificate
when presented?

Thanks

-Ted C. Cheng

-----Original Message-----
From: Mark Valence [mailto:kurash@sassafras.com]
Sent: Tuesday, June 13, 2000 11:02 AM
To: Scott Kelley
Cc: openldap-devel@OpenLDAP.org
Subject: Re: openldap-2.0/TLS certificate error



The problem is that you need to specify a CA file, i.e.,

     TLSCACertificateFile    /usr/local/ssl/certs/ca.pem

You also might need to use pem-format files for the 
TLSCertificateFile and TLSCertificateKeyFile entries.


>I've been trying to get the 2.0/dev version to talk SSL/TLS and am having
>trouble with the certificates. I read through the TLS faq
>(http://www.openldap.org/faq/index.cgi?_highlightWords=ssl&file=185) and set
>up the certificates the following way:
>
>openssl req -new > new.cert.csr
>openssl rsa -in privkey.pem -out ldap.key
>openssl x509 -in new.cert.csr -out ldap.cert -req -signkey ldap.key -days 365
>
>Then added to slapd.conf:
>
>TLSCertificateFile      /usr/local/ssl/certs/ldap.cert
>TLSCertificateKeyFile   /usr/local/ssl/certs/ldap.key
>
>Started slapd: /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d 9
>
>Then if I try and fire of an ldapsearch:
>
>ldapsearch -b o=mp3.com,c=us -Z uid=scottk
>
>ldapsearch error:
>
>ldap_bind: Local error additional info: error:14090086:SSL
>routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
>The slapd debug output is as follows:
>
>do_extended
>ber_scanf fmt ({a) ber:
>send_ldap_extended 0: (0)
>send_ldap_response: msgid=1 tag=120 err=0
>ber_flush: 14 bytes to sd 10
>daemon: activity on 1 descriptors
>daemon: activity on: 10r
>daemon: read activity on 10
>connection_get(10): got connid=2
>connection_read(10): checking for input on id=2
>TLS trace: SSL_accept:before/accept initialization
>TLS trace: SSL_accept:SSLv3 read client hello A
>TLS trace: SSL_accept:SSLv3 write server hello A
>TLS trace: SSL_accept:SSLv3 write certificate A
>TLS trace: SSL_accept:SSLv3 write certificate request A
>TLS trace: SSL_accept:SSLv3 flush data
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>TLS trace: SSL_accept:error in SSLv3 read client certificate A
>daemon: select: listen=6 active_threads=0 tvp=NULL
>daemon: select: listen=7 active_threads=0 tvp=NULL
>daemon: activity on 1 descriptors
>daemon: activity on: 10r
>daemon: read activity on 10
>connection_get(10): got connid=2
>connection_read(10): checking for input on id=2
>TLS trace: SSL3 alert read:fatal:unknown
>TLS trace: SSL_accept:failed in SSLv3 read client certificate A
>TLS: can't accept.
>TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>s3_pkt.c:956
>connection_read(10): TLS accept error error=-1 id=2, closing
>connection_closing: readying conn=2 sd=10 for close
>
>
>Any thoughts/suggestions as to why I can't perform a secure ldapsearch? Thanx
>in advance.
>
>I'm using:
>
>openldap-2.0 (just updated this morning 6/12/00)
>openssl-0.9.5.a
>
>--
>Scott Kelley		      MP3.com, the Premier Music Service Provider (MSP)
>Engineering
>MP3.com, Inc.
>scottk@mp3.com
>Office: (858)623-7336
>Cell:   (858)382-3749
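Mark's CA-file fix and the client-side questions in Ted's reply, worked through as an added shell example that is not from any of the thread's participants. It assumes openssl and mktemp are on PATH and that the client's ldap.conf honours TLS_CACERT, TLS_REQCERT, TLS_CERT and TLS_KEY as in later OpenLDAP 2.x releases; the file names and the certificate subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild Scott's self-signed setup in a
# scratch dir and show the client-side view of the "unknown ca" failure.
# Assumes openssl and mktemp on PATH; no slapd is needed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 0; }
WORK=${WORK:-$(mktemp -d)}

# One self-signed certificate serves as server cert, as in the post, but made
# non-interactively; the subject name is constructed for the demo.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ldap.example.test" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.cert" >/dev/null 2>&1
}

# What the client does before trusting slapd: chain the server cert to a trusted
# CA. A self-signed cert with no CA file cannot, hence "unknown ca" in the thread.
verify_without_ca() {
    openssl verify "$WORK/ldap.cert" >/dev/null 2>&1
}

# Naming that same certificate as the CA (Mark's TLSCACertificateFile on the
# server, TLS_CACERT on the client) lets the chain verify.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ldap.cert" "$WORK/ldap.cert" >/dev/null 2>&1
}

# Client-side ldap.conf: trust anchor, require a verified server cert, and the
# cert/key the client presents when slapd sends a certificate request. These
# are ldap.conf(5) directives in OpenLDAP 2.x; the server key pair is reused
# as the client's only to keep the demo self-contained. Prints the line count.
write_client_conf() {
    cat > "$WORK/ldap.conf" <<EOF
TLS_CACERT  $WORK/ldap.cert
TLS_REQCERT demand
TLS_CERT    $WORK/ldap.cert
TLS_KEY     $WORK/ldap.key
EOF
    grep -c '^TLS_' "$WORK/ldap.conf"
}

demo() {
    make_selfsigned
    if verify_without_ca; then echo "unexpected: verified with no CA file" >&2; return 1; fi
    echo "no CA file: verify failed, as ldapsearch reported"
    verify_with_ca
    echo "CAfile=ldap.cert: verify ok"
    echo "wrote $(write_client_conf) TLS_ lines to $WORK/ldap.conf"
}
demo
```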