[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: bad certificate error.

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: bad certificate error.
From: "Kervin L. Pierre" <kervin@blueprint-tech.com>
Date: Wed, 01 May 2002 19:38:33 -0400
Cc: openldap-software <openldap-software@OpenLDAP.org>
References: <NMEFLNHODBAOPDKNNJALAEEGCMAA.hyc@highlandsun.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0+) Gecko/20020428

Howard,

Thanks for the info.

I tried changing the permissions of the cert to 777 even, but that did not work.

With s_client connecting to s_server, everything looks fine. There are no errors reported. When I try to connect to the OpenLDAP server using s_client I get...

$ openssl s_client -connect bashful.eng.fit.edu:389 CONNECTED(00000003) 26420:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

Under the debugger, tls_get_cert((SSL *)s) in ldap_pvt_tls_check_hostname() returns 0. I don't know the significances of that though.

Here's the output from s_client connecting to s_server...

[kervin@bashful ldap]$ openssl s_client -connect bashful.eng.fit.edu:4433 CONNECTED(00000003) depth=0 /C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu verify error:num=18:self signed certificate verify return:1 depth=0 /C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu verify return:1 --- Certificate chain 0 s:/C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu i:/C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu --- Server certificate -----BEGIN CERTIFICATE----- MIIDGDCCAoGgAwIBAgIBADANBgkqhkiG9w0BAQQFADBsMQswCQYDVQQGEwJVUzEQ MA4GA1UECBMHRkxPUklEQTESMBAGA1UEBxMJTUgMQk9VUk5FMQwwCgYDVQQKEwNG SVQxCzAJBgNVBAsTAklUMRwwGgYDVQQDExNiYXNoZnVsLmVuZy5maXQuZWR1MB4X DTAyMDUwMTIwMzMxOFoXDTAzMDUwMTIwMzMxOFowbDELMAkGA1UEBhMCVVMxEDAO BgNVBAgTB0ZMT1JJREExEjAQBgNVBAcTCU1FTEJPVVJORTEMMAoGA1UEChMDRklU MQswCQYDVQQLEwJJVDEcMBoGA1UEAxMTYmFzaGZ1bC5lbmcuZml0LmVkdTCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA28SB0mlTzKlZ1eXZ60zwH7Ow3oz152HU Xko2b3i2c2J5g364ovnRCOAkDUXPW8fwORswwGpC52ijithSUCEEkHDYl69rc2rA eA61glfwxb/wQKS5+WGBK6olxUvo6grl1iMiF646qjuurAq4aLebjrqmhEHvHXyo JXG173M2LksCAwEAAaOByTCBxjAdBgNVHQ4EFgQUIK43AyUeYclZHiKR/jLBGYUU TjYwgZYGA1UdIwSBjjCBi4AUIK43AyUeYclZHiKR/jLBGYUUTjahcKRuMGwxCzAJ BgNVBAYTAlVTMRAwDgYDVQQIEwdGTE9SSURBMRIwEAYDVQQHEwlNRUxCT1VSTkUx DDAKBgNVBAoTA0ZJVDELMAkGA1UECxMCSVQxHDAaBgNVBAMTE2Jhc2hmdWwuZW5n LmZpdC5lZHWCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBQEuCc 6+HBSFUJDEj0RgskJ+Q5sktuGtDSUcBJDXgHHcjUBvexenuGUof2A6TzLbjyOcZu wClu+8+YGfzD3XvOZdqb+gctdKtij1gVdRf+0oXlN422oibim2XEG0x+nKTl++GG Wz1qXb0uW1oEFY4eQkmaJp3/65AwDeQPb8Y8LQ== -----END CERTIFICATE----- subject=/C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu issuer=/C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu --- No client certificate CA names sent --- SSL handshake has read 1224 bytes and written 250 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: 1BED40E36B65A1CD19CE5DA81A4CC95BBF22AE977341090814601001EB43DE34 Session-ID-ctx: Master-Key: 1DBBAB410273D2F9E7820B121B5EE726B50616A64AC87C448CE4BA927C9291897B57975D5AC0627E18ECCF99C6066E7D Key-Arg : None Start Time: 1020295810 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---

--Kervin

Howard Chu wrote:

Are you sure the certificate file is readable by slapd? Have you tried using
the OpenSSL s_client or s_server with your cert to make sure it's correct?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kervin L.
Pierre

I'm trying to setup TLS to be used with a simple auth.

I keep getting "alert: bad certificate error" with 2.0.23 and also with
CVS.  I've tried everything I could find in the mail archives but
nothing seems to work.  I'm on Redhat 7.2 and I use
make -C /usr/share/ssl/certs/ slapd.pem
to generate the certificate.  I tried the openssl command from the
LDAPv3 howto as well.

On the client side ( ldapsearch ) the error is either "local error (82)"
or "cannot connect (91)".

Does anyone know what the problem can be?  I generated my cert with the
fully qualified domain name of the server.

The server command was
./slapd -d 4095 -h "ldap:/// ldaps://ldapxxx.eng.fit.edu" -f
../etc/openldap/slapd.conf

And the ldapsearch command was
ldapsearch -x -d 4095 -H ldaps://ldapxxx.eng.fit.edu/ -b
'dc=my-domain,dc=com' -ZZ '(objectclass=*)'

From the ldapsearch
...
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_perror
ldap_start_tls: Can't contact LDAP server (81)

From the server
...
TLS trace: SSL3 alert read:warning:bad certificate
tls_read: want=5, got=0

ldap_read: want=1, got=0

ber_get_next on fd 10 failed errno=0 (Success)
...

Any clues?

Thanks
--Kervin

Follow-Ups:
- RE: bad certificate error.
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- RE: bad certificate error.
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: Unix auth via LDAP & now need to add Samba!
Next by Date: RE: bad certificate error.
Index(es):
- Chronological
- Thread