
RE: Problems with SSL



Okay,

I now have an entry in slapd.conf of:

TLSVerifyClient never

However, I am still seeing with (-d -1) a local error. Advice?

Tony

Output from debug:

TLS trace: SSL_accept:SSLv3 flush data
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 9r
daemon: read activity on 9
connection_get(9)
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
tls_read: want=5, got=5
  0000:  15 03 01 00 18                                     .....
tls_read: want=24, got=24
  0000:  b0 b7 cc c2 a4 3e c1 d1  1c b9 e1 2d 9b b8 ce 16   .....>.....-....
  0010:  d8 43 ce 4b 15 2a cf da                            XC.K.*.Z
TLS trace: SSL3 alert read:warning:bad certificate
tls_read: want=5, got=0

ldap_read: want=9, got=0

ber_get_next on fd 9 failed errno=0 (Error 0)
connection_read(9): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=9 for close
connection_close: conn=0 sd=9
daemon: removing 9
conn=0 fd=9 closed
tls_write: want=29, written=29
  0000:  15 03 01 00 18 0c 25 db  88 74 7e cd 66 9b 6a cb   ......%..t~.f.j.
  0010:  19 0f 1d e5 61 59 9c 3b  3c ad 55 f5 8c            ...eaY.;<-U..
TLS trace: SSL3 alert write:warning:close notify
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
#


At 07:48 PM 03/20/2002 -0800, you wrote:
Are you using TLSVerifyClient in your slapd.conf? The syntax of this keyword
has changed. (Although the old behavior is supposed to still be supported,
perhaps there's a problem there.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

>> -----Original Message-----
>> From: owner-openldap-devel@OpenLDAP.org
>> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Anthony Brock
>> Sent: Wednesday, March 20, 2002 5:50 PM
>> To: Open LDAP Devel
>> Subject: Problems with SSL
>>
>>
>> I am having two other problems now. First, I am not able to connect using
>> SSL (certificate issued by Thawte). This works perfectly if I downgrade to
>> the 2.0.23 version of OpenLDAP. I am seeing the following in the debug
>> (level 1) log:
>>
>>
>> ********************
>> TLS trace: SSL_accept:before/accept initialization
>> TLS trace: SSL_accept:SSLv3 read client hello A
>> TLS trace: SSL_accept:SSLv3 write server hello A
>> TLS trace: SSL_accept:SSLv3 write certificate A
>> TLS trace: SSL_accept:SSLv3 write server done A
>> TLS trace: SSL_accept:SSLv3 flush data
>> TLS trace: SSL_accept:error in SSLv3 read client certificate A
>> TLS trace: SSL_accept:error in SSLv3 read client certificate A
>> connection_get(12): got connid=0
>> connection_read(12): checking for input on id=0
>> TLS trace: SSL_accept:SSLv3 read client key exchange A
>> TLS trace: SSL_accept:SSLv3 read finished A
>> TLS trace: SSL_accept:SSLv3 write change cipher spec A
>> TLS trace: SSL_accept:SSLv3 write finished A
>> TLS trace: SSL_accept:SSLv3 flush data
>> connection_get(12): got connid=0
>> connection_read(12): checking for input on id=0
>> ber_get_next
>> TLS trace: SSL3 alert read:warning:bad certificate
>> ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
>> ********************
>>
>>
>> Any ideas? I would appreciate some pointers on these. Thanks!
>>
>> Tony
>>
>> ******************************************************************************
>> * Anthony Brock                                        abrock@georgefox.edu *
>> * Director of Network Services                      George Fox University   *
>> ******************************************************************************

******************************************************************************
* Anthony Brock                                        abrock@georgefox.edu *
* Director of Network Services                      George Fox University   *
******************************************************************************
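Editor's added example (not OpenLDAP code and not from either poster): a small Python decoder for the tls_read/tls_write hex dumps that slapd -d -1 prints, as in the trace above. It reassembles the bytes per direction, splits them into TLS records (type, version, length) and reports which side sent each one. Applied to the trace above it shows that the 15 03 01 00 18 header is a TLS 1.0 alert record and that it arrives in a tls_read, so it was sent by the LDAP client, which is the side that receives and verifies slapd's Thawte certificate; TLSVerifyClient only governs whether slapd asks the client for a certificate. slapd then writes its own alert record, which OpenSSL's trace line identifies as close_notify. The 24-byte alert bodies here are encrypted, so the decoder can only label them as alerts and defers to the 'TLS trace: SSL3 alert' line for level and description. The second sample goes beyond this thread: it is a made-up plaintext alert (sent before ChangeCipherSpec takes effect) whose level and description the decoder reads directly. Both samples are constructed, the first from the lines quoted above; the TLS record and alert constants are from the protocol specification.

```python
"""Decode TLS record headers from an OpenLDAP slapd -d -1 trace (added example, not OpenLDAP code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the tls_read/tls_write dumps quoted in this thread.
SAMPLE_TRACE = """\
tls_read: want=5, got=5
  0000:  15 03 01 00 18                                     .....
tls_read: want=24, got=24
  0000:  b0 b7 cc c2 a4 3e c1 d1  1c b9 e1 2d 9b b8 ce 16   .....>.....-....
  0010:  d8 43 ce 4b 15 2a cf da                            XC.K.*.Z
TLS trace: SSL3 alert read:warning:bad certificate
tls_read: want=5, got=0
tls_write: want=29, written=29
  0000:  15 03 01 00 18 0c 25 db  88 74 7e cd 66 9b 6a cb   ......%..t~.f.j.
  0010:  19 0f 1d e5 61 59 9c 3b  3c ad 55 f5 8c            ...eaY.;<-U..
"""
# Constructed sample (not from the thread): a plaintext fatal bad_certificate alert.
PLAINTEXT_ALERT_TRACE = """\
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 2a                                              .*
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca"}
IO_LINE = re.compile(r"^tls_(read|write): want=\d+, (?:got|written)=(\d+)\s*$")
DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]{4}):\s+(.*)$")


@dataclass
class Record:
    direction: str  # "read" = sent by the peer (the LDAP client); "write" = sent by slapd
    content_type: str
    version: str
    length: int
    body: bytes


def extract_streams(trace: str) -> Tuple[Dict[str, bytes], bool]:
    """Reassemble the read and write byte streams; also report whether a read hit EOF (got=0)."""
    streams = {"read": bytearray(), "write": bytearray()}
    eof_seen = False
    lines = trace.splitlines()
    i = 0
    while i < len(lines):
        m = IO_LINE.match(lines[i])
        i += 1
        if not m:
            continue
        direction, total = m.group(1), int(m.group(2))
        if total == 0:  # got=0 on a read means the peer closed the socket
            eof_seen |= direction == "read"
            continue
        collected = 0
        while collected < total and i < len(lines):
            d = DUMP_LINE.match(lines[i])
            if not d or int(d.group(1), 16) != collected:
                break
            n = min(16, total - collected)  # the announced count says where hex ends and ASCII begins
            hexbytes = d.group(2).split()[:n]
            if len(hexbytes) != n or not all(re.fullmatch(r"[0-9a-fA-F]{2}", h) for h in hexbytes):
                raise ValueError(f"malformed dump line: {lines[i]!r}")
            streams[direction] += bytes.fromhex("".join(hexbytes))
            collected += n
            i += 1
        if collected != total:
            raise ValueError(f"tls_{direction} announced {total} bytes, dump had {collected}")
    return {k: bytes(v) for k, v in streams.items()}, eof_seen


def parse_records(stream: bytes, direction: str) -> List[Record]:
    """Split a byte stream into TLS records: type(1) version(2) length(2) body(length)."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor = stream[pos], stream[pos + 1], stream[pos + 2]
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        records.append(Record(direction, CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
                              VERSIONS.get((major, minor), f"{major}.{minor}"),
                              length, stream[pos + 5:pos + 5 + length]))
        pos += 5 + length
    return records


def describe(rec: Record) -> str:
    who = "client -> slapd" if rec.direction == "read" else "slapd -> client"
    text = f"{who}: {rec.content_type} {rec.version} len={rec.length}"
    if rec.content_type == "alert":
        if rec.length == 2:  # plaintext alert: level and description are readable
            level = ALERT_LEVELS.get(rec.body[0], str(rec.body[0]))
            text += f" {level} {ALERT_DESCRIPTIONS.get(rec.body[1], 'unknown')}({rec.body[1]})"
        else:  # encrypted alert (body carries MAC/padding): only OpenSSL's own trace line names it
            text += " (encrypted; see the 'TLS trace: SSL3 alert' line)"
    return text


def analyse(trace: str) -> List[str]:
    streams, eof_seen = extract_streams(trace)
    report = [describe(r) for d in ("read", "write") for r in parse_records(streams[d], d)]
    if eof_seen:
        report.append("client -> slapd: closed the connection (tls_read got=0)")
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_TRACE, PLAINTEXT_ALERT_TRACE):
        print("\n".join(analyse(sample)), end="\n\n")
```

Paste a slapd -d -1 excerpt into SAMPLE_TRACE to run it on your own trace; the decoder stops with a ValueError rather than guessing when the dump does not carry the byte count the tls_read/tls_write line announced.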