
RE: Problems with SSL



Here is a sanitized version of my configuration file:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#


include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/krb5-kdc.schema
include         /usr/local/etc/openldap/schema/ct-calendar-schema.conf
include         /usr/local/etc/openldap/schema/gfu.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
loglevel        2048

# Kerberos Information

srvtab /etc/krb5/krb5.keytab

# SASL Information

sasl-realm      GEORGEFOX.EDU
sasl-host       testhost.georgefox.edu

# We have entries of the form: uid=ABROCK,cn=GSSAPI,cn=AUTH
sasl-regexp     uid=(.*),cn=GSSAPI,cn=AUTH uid=$1,dc=georgefox,dc=edu

# Define global ACLs to disable default read access.

include         /usr/local/etc/openldap/slapd.access

# TLS Certificate Information

TLSCertificateFile      /etc/apache/ssl.crt/testhost.georgefox.edu.crt
TLSCertificateKeyFile   /etc/apache/ssl.key/testhost.georgefox.edu.key

#######################################################################
# ldbm database definitions
#######################################################################


database bdb
index objectclass,cn,mail,sn,givenname,middleName,uid,universityID,ctCalXItemId,active pres,eq
suffix "dc=georgefox,dc=edu"
rootdn "cn=######,dc=georgefox,dc=edu"
rootpw #####
directory /usr/local/var/openldap-ldbm
cachesize 5000



At 07:48 PM 03/20/2002 -0800, you wrote:
Are you using TLSVerifyClient in your slapd.conf? The syntax of this
keyword has changed. (Although the old behavior is supposed to still be
supported, perhaps there's a problem there.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com              http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

>> -----Original Message-----
>> From: owner-openldap-devel@OpenLDAP.org
>> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Anthony Brock
>> Sent: Wednesday, March 20, 2002 5:50 PM
>> To: Open LDAP Devel
>> Subject: Problems with SSL
>>
>>
>> I am having two other problems now. First, I am not able to connect
>> using SSL (certificate issued by Thawte). This works perfectly if I
>> downgrade to the 2.0.23 version of OpenLDAP. I am seeing the following
>> in the debug (level 1) log:
>>
>>
>> ********************
>> TLS trace: SSL_accept:before/accept initialization
>> TLS trace: SSL_accept:SSLv3 read client hello A
>> TLS trace: SSL_accept:SSLv3 write server hello A
>> TLS trace: SSL_accept:SSLv3 write certificate A
>> TLS trace: SSL_accept:SSLv3 write server done A
>> TLS trace: SSL_accept:SSLv3 flush data
>> TLS trace: SSL_accept:error in SSLv3 read client certificate A
>> TLS trace: SSL_accept:error in SSLv3 read client certificate A
>> connection_get(12): got connid=0
>> connection_read(12): checking for input on id=0
>> TLS trace: SSL_accept:SSLv3 read client key exchange A
>> TLS trace: SSL_accept:SSLv3 read finished A
>> TLS trace: SSL_accept:SSLv3 write change cipher spec A
>> TLS trace: SSL_accept:SSLv3 write finished A
>> TLS trace: SSL_accept:SSLv3 flush data
>> connection_get(12): got connid=0
>> connection_read(12): checking for input on id=0
>> ber_get_next
>> TLS trace: SSL3 alert read:warning:bad certificate
>> ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
>> ********************
>>
>>
>> Any ideas? I would appreciate some pointers on these. Thanks!
>>
>> Tony
>>
>> ******************************************************************************
>> * Anthony Brock                                        abrock@georgefox.edu *
>> * Director of Network Services                      George Fox University *
>> ******************************************************************************

******************************************************************************
* Anthony Brock                                        abrock@georgefox.edu *
* Director of Network Services                      George Fox University *
******************************************************************************
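As an added example (not part of this thread and not OpenLDAP's own code), here is a small Python audit of the TLS-related directives in a slapd.conf like the one posted above. The embedded config is a constructed copy of the posted directives with the secrets replaced by obvious placeholders and one continuation-line access rule added to exercise the parser. It reports the effective TLSVerifyClient value (slapd treats an absent keyword as "never"), whether any trust anchors (TLSCACertificateFile/TLSCACertificatePath) are configured, whether the certificate and key directives are paired, and whether rootpw is hashed. It does not diagnose the trace above; it only surfaces the settings Howard's question is about.

```python
"""Audit the TLS-related directives of an OpenLDAP slapd.conf.

Added example; not from the thread above and not OpenLDAP code. The sample
config is constructed from the posted directives with secrets replaced by
placeholders and one multi-line access rule added.
"""

# Values slapd.conf(5) documents for TLSVerifyClient. When the keyword is
# absent slapd behaves as "never": no client certificate is requested.
VERIFY_CLIENT_VALUES = {"never", "allow", "try", "demand", "hard", "true"}
DEMANDING = {"demand", "hard", "true"}

SAMPLE_SLAPD_CONF = """\
# Constructed sample mirroring the posted slapd.conf
include         /usr/local/etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
loglevel        2048

# TLS Certificate Information
TLSCertificateFile      /etc/apache/ssl.crt/testhost.georgefox.edu.crt
TLSCertificateKeyFile   /etc/apache/ssl.key/testhost.georgefox.edu.key

# Multi-line directive (lines starting with whitespace continue the previous one)
access to attrs=userPassword
        by self write
        by * auth

database bdb
suffix "dc=georgefox,dc=edu"
rootdn "cn=ROOTDN-PLACEHOLDER,dc=georgefox,dc=edu"
rootpw ROOTPW-PLACEHOLDER
"""


def parse_slapd_conf(text):
    """Return a list of (directive, arguments) pairs.

    Implements the two slapd.conf lexical rules that naive parsers miss:
    lines beginning with '#' are comments, and a line beginning with
    whitespace continues the previous directive.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    pairs = []
    for line in logical:
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs


def audit_config(pairs):
    """Return the effective TLS settings plus a list of human-readable findings."""
    conf = {}
    for key, val in pairs:
        conf.setdefault(key, val)  # first occurrence wins for this audit
    findings = []

    verify = conf.get("tlsverifyclient", "never").lower()
    if "tlsverifyclient" not in conf:
        findings.append("TLSVerifyClient not set; slapd defaults to 'never' "
                        "and will not request a client certificate")
    elif verify not in VERIFY_CLIENT_VALUES:
        findings.append("TLSVerifyClient has unrecognised value %r" % verify)

    has_anchor = ("tlscacertificatefile" in conf
                  or "tlscacertificatepath" in conf)
    if not has_anchor:
        findings.append("no TLSCACertificateFile/TLSCACertificatePath: slapd "
                        "has no trust anchors to verify peer certificates")
        if verify in DEMANDING:
            findings.append("TLSVerifyClient=%s with no trust anchors: client "
                            "certificates cannot be verified" % verify)

    if ("tlscertificatefile" in conf) != ("tlscertificatekeyfile" in conf):
        findings.append("TLSCertificateFile and TLSCertificateKeyFile must be "
                        "set together")

    pw = conf.get("rootpw")
    if pw is not None and not pw.startswith("{"):
        findings.append("rootpw is stored in cleartext; use a {SSHA} hash "
                        "generated by slappasswd")

    return {
        "verify_client": verify,
        "trust_anchors": has_anchor,
        "tls": {k: v for k, v in conf.items() if k.startswith("tls")},
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_config(parse_slapd_conf(SAMPLE_SLAPD_CONF))
    print("effective TLSVerifyClient:", report["verify_client"])
    for directive, value in report["tls"].items():
        print("  %-24s %s" % (directive, value))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run it against a real file with `audit_config(parse_slapd_conf(open(path).read()))`; the findings list is empty when TLSVerifyClient is set to a documented value, a trust anchor is configured, the certificate and key directives are paired, and rootpw is hashed.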