
RE: LDAP - Re: Outlook/Outlook Express & ldaps://



As far as I can tell, the problem is not your server configuration.
I guess Outlook XP doesn't like your certificate.

It seems Outlook XP handles certs differently than previous versions.
I'm still using Outlook 2000, so I can't help you much on this one.
After importing the self-signed cert with IE, Outlook 2000 worked fine for
me.

I don't know if this is related to the problem,
but after a quick search on the web I stumbled over this:
http://www.google.de/search?q=cache:dX_jk9M4PvwC:www.rsasecurity.com/support/guides/keonca_pdfs/Microsoft_Exchange2000_Keon.pdf+%2Boutlook+%2Bxp+%2Bssl+%2Bcertificates+%2Bimport&hl=de

CRL Checking Mechanism

Outlook will check the status of certificates by retrieving the CRL based on
the CRLdP extension located in the certificate. (This process can cause a
delay in some environments).
For Outlook 98 and Outlook 2000 this setting is disabled by default. See the
"Keon Certificate Authority Implementation Guide for Microsoft Outlook 2000"
for more information on setting this option.
For Outlook 2002 (Office XP) the setting is enabled by default.
The registry key that controls this behavior can be set using a policy
object. See the Office XP resource kit for more information.
Retrieve a Certificate Revocation List (CRL)
Used to retrieve CRLs (Certificate Revocation Lists)
Key:        HKCU\Software\Policies\Microsoft\Office\10.0\Outlook\Security
Value name: UseCRLChasing
Data type:  REG_DWORD
Value data: [ 0 | 1 | 2 ]
Can be set to the following:
  0 - Use system default
  1 - When online, always retrieve the CRL
  2 - Never retrieve the CRL

Regards,
Björn



> -----Original Message-----
> From: Amith Varghese [mailto:amith@xalan.com]
> Sent: Monday, 29 April 2002 23:20
> To: x509security.com
> Cc: openldap-software@OpenLDAP.org; b-fernhomberg@gmx.de
> Subject: Re: LDAP - Re: Outlook/Outlook Express & ldaps://
>
>
> Here are my TLS settings.
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
> TLSCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
> TLSCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
> TLSVerifyClient 0
>
> One thing also that I would like to mention is that Björn Fernhomberg
> suggested the following:
>
> >Are you using a self-signed certificate on the server?
> >If your certificate isn't signed by a M$ known CA, Outlook (Express)
> >will not connect.
> >To make this work you have to import your Certificate using Internet
> >Explorer.
> >
> >To do this, enter "https://your.server:636" as the URL and import the cert.
> >Having done this, Outlook should connect using ldaps.
>
> Since I have a self-signed certificate I tried this and it worked...
> except it only worked for Outlook Express.  Outlook XP still fails
> to connect to the LDAP address book with the same error.  Any help would
> be much appreciated.
>
> Thanks
> Amith
>
> On Thu, 2002-04-25 at 20:46, x509security.com wrote:
> > Are you attempting to use client authentication ?
> >
> > Send me your tls settings in slapd.conf
> >
> > Oliver
> >
> >
> > ----- Original Message -----
> > From: "Amith Varghese" <amith@xalan.com>
> > To: "Oliver Bode" <oliver@x509security.com>
> > Cc: <openldap-software@OpenLDAP.org>
> > Sent: Friday, April 26, 2002 1:03 AM
> > Subject: LDAP - Re: Outlook/Outlook Express & ldaps://
> >
> >
> > > Just to give you some more info I'm running $OpenLDAP: slapd
> > > 2.0.23-Release.
> > >
> > > As I mentioned before when I use Outlook to connect to my address book
> > > on port 389 I have no problems.  But when I check the SSL box (and make
> > > sure the port is 636) I get the following error from Outlook
> > >
> > > Can't Contact LDAP Directory Server (81)
> > >
> > > I ran slapd in debug mode and I get the following error messages
> > >
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > tls_read: want=5 error=Resource temporarily unavailable
> > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > daemon: select: listen=6 active_threads=0 tvp=NULL
> > > daemon: select: listen=7 active_threads=0 tvp=NULL
> > > daemon: activity on 1 descriptors
> > > daemon: activity on: 10r
> > > daemon: read activity on 10
> > > connection_get(10)
> > > connection_get(10): got connid=4
> > > connection_read(10): checking for input on id=4
> > > tls_read: want=5, got=0
> > >
> > > TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> > > TLS: can't accept.
> > > connection_read(10): TLS accept error error=-1 id=4, closing
> > > connection_closing: readying conn=4 sd=10 for close
> > > connection_close: conn=4 sd=10
> > > daemon: removing 10
> > >
> > > I'm running OpenLDAP with the following command
> > >
> > > /usr/local/libexec/slapd -h "ldap:/// ldaps:///"
> > >
> > > Any ideas about why this is happening?
> > >
> > > Thanks
> > > Amith
> > >
> > >
> > > On Wed, 2002-04-24 at 22:59, Oliver Bode wrote:
> > > > Hello,
> > > >
> > > > I can connect no problems using Outlook Express Address book via
> > ldaps://
> > > >
> > > > What are the errors - have you got the right port for ldaps?
> > > >
> > > > Oliver
> > > >
> > > > ----- Original Message -----
> > > > From: "Amith Varghese" <amith@xalan.com>
> > > > To: <openldap-software@OpenLDAP.org>
> > > > Sent: Thursday, April 25, 2002 2:28 PM
> > > > Subject: LDAP - Outlook/Outlook Express & ldaps://
> > > >
> > > >
> > > > > Has anyone successfully used Outlook/Outlook Express to connect to an
> > > > > LDAP address book using SSL?  I can connect fine without using SSL, but
> > > > > once I check the SSL box I get errors on the client side.  If anyone has
> > > > > had any success with this I would appreciate hearing from you.
> > > > >
> > > > > Thanks
> > > > > Amith
> > > > >
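The CRL-checking explanation and the self-signed-certificate advice above, as an added shell example that is not part of this thread: it inspects a PEM certificate for the two things Outlook 2002 runs into here, whether the cert is self-signed and whether it carries a CRLdP extension at all. It assumes the openssl CLI (1.1.1 or later for -ext and -addext); the hostname and CRL URL are constructed.

```shell
# Added example, not from the thread: inspect a PEM certificate for the two
# properties Outlook 2002 trips over above: is it self-signed, and does it
# carry a CRL Distribution Point (CRLdP) for the default-on CRL check?
# Needs the openssl CLI, 1.1.1 or later (for -ext and -addext).
set -eu

# Print the CRLdP URIs of a certificate, one per line (nothing if absent).
crl_dp_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | grep -o 'URI:[^[:space:]]*' | sed 's/^URI://' || true
}

# Succeed when issuer and subject DN hash to the same value, i.e. self-signed.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$1" -noout -subject_hash)" ]
}

# Report what Outlook 2002 will run into; return 1 if either check trips.
check_cert() {
    rc=0
    if is_self_signed "$1"; then
        echo "self-signed: the client must trust this cert explicitly"; rc=1
    fi
    if [ -z "$(crl_dp_uris "$1")" ]; then
        echo "no CRLdP: Outlook 2002 has no CRL location to retrieve"; rc=1
    fi
    return $rc
}

# Build two constructed self-signed certs in a temp dir: one bare (like the
# one in the thread) and one advertising a CRL URL. Prints the directory.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -out "$dir/plain.pem" \
        -days 1 -subj "/CN=ldap.example.test" 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -out "$dir/crldp.pem" \
        -days 1 -subj "/CN=ldap.example.test" \
        -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" \
        2>/dev/null
    echo "$dir"
}

DEMO=$(make_demo_certs)
for name in plain crldp; do
    echo "== $name.pem"
    check_cert "$DEMO/$name.pem" || true
done
```

To check the certificate a live slapd presents instead of the constructed ones, save it with `openssl s_client -connect host:636 -showcerts` and pass that PEM file to check_cert.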