
Re: bad certificate error.



Howard,

Thanks for the info.

I tried changing the permissions of the cert to 777 even, but that did not work.

With s_client connecting to s_server, everything looks fine. There are no errors reported. When I try to connect to the OpenLDAP server using s_client I get...

$ openssl s_client -connect bashful.eng.fit.edu:389
CONNECTED(00000003)
26420:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


Under the debugger, tls_get_cert((SSL *)s) in ldap_pvt_tls_check_hostname() returns 0. I don't know the significance of that though.

Here's the output from s_client connecting to s_server...

[kervin@bashful ldap]$ openssl s_client -connect bashful.eng.fit.edu:4433
CONNECTED(00000003)
depth=0 /C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu
verify return:1
---
Certificate chain
0 s:/C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu
i:/C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu
---
Server certificate
subject=/C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu
issuer=/C=US/ST=FLORIDA/L=MELBOURNE/O=TXX/OU=IT/CN=bashful.eng.fit.edu
---
No client certificate CA names sent
---
SSL handshake has read 1224 bytes and written 250 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 1BED40E36B65A1CD19CE5DA81A4CC95BBF22AE977341090814601001EB43DE34
Session-ID-ctx:
Master-Key: 1DBBAB410273D2F9E7820B121B5EE726B50616A64AC87C448CE4BA927C9291897B57975D5AC0627E18ECCF99C6066E7D
Key-Arg : None
Start Time: 1020295810
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---


--Kervin


Howard Chu wrote:
Are you sure the certificate file is readable by slapd? Have you tried using
the OpenSSL s_client or s_server with your cert to make sure it's correct?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support


-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Kervin L. Pierre


I'm trying to set up TLS to be used with a simple auth.

I keep getting "alert: bad certificate error" with 2.0.23 and also with
CVS.  I've tried everything I could find in the mail archives but
nothing seems to work.  I'm on Redhat 7.2 and I use
make -C /usr/share/ssl/certs/ slapd.pem
to generate the certificate.  I tried the openssl command from the
LDAPv3 howto as well.

On the client side ( ldapsearch ) the error is either "local error (82)"
or "cannot connect (91)".

Does anyone know what the problem can be?  I generated my cert with the
fully qualified domain name of the server.

The server command was
./slapd -d 4095 -h "ldap:/// ldaps://ldapxxx.eng.fit.edu" -f ../etc/openldap/slapd.conf

And the ldapsearch command was
ldapsearch -x -d 4095 -H ldaps://ldapxxx.eng.fit.edu/ -b 'dc=my-domain,dc=com' -ZZ '(objectclass=*)'

From the ldapsearch
...
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
ldap_perror
ldap_start_tls: Can't contact LDAP server (81)

From the server
...
TLS trace: SSL3 alert read:warning:bad certificate
tls_read: want=5, got=0

ldap_read: want=1, got=0

ber_get_next on fd 10 failed errno=0 (Success)
...

Any clues?

Thanks
--Kervin
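As an added example (not from this thread or from OpenLDAP), the Python script below reproduces the checks the thread turns on: a self-signed slapd.pem carrying the server's FQDN in its CN and SAN, key file permissions, and what a verifying client reports when that cert is untrusted (verify code 18, as in the s_client run above), trusted, or trusted but issued for a different host. It assumes the openssl CLI (1.1.1 or later, for -addext) is installed; the certificate is a constructed throwaway and the "server" is a loopback socket that merely claims the thread's hostname.

```python
import os, socket, ssl, subprocess, tempfile, threading

HOST = "bashful.eng.fit.edu"  # FQDN from the thread; the loopback server below only claims to be it

def make_self_signed(workdir, cn):
    """Throwaway self-signed key/cert made with the openssl CLI (constructed test material)."""
    key, crt = os.path.join(workdir, "slapd.key"), os.path.join(workdir, "slapd.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={cn}",
                    "-addext", f"subjectAltName=DNS:{cn}"], check=True, capture_output=True)
    os.chmod(key, 0o600)  # the slapd user must read the key, nobody else should (777 is too open)
    return crt, key

def key_is_private(path):
    """True when the key file has no group/world permission bits."""
    return (os.stat(path).st_mode & 0o077) == 0

def handshake(crt, key, cafile, server_hostname):
    """One loopback TLS handshake; returns 'ok' or 'verify_failed:<OpenSSL verify code>'."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(crt, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        conn, _ = lsock.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as s:
                s.recv(1)
        except OSError:
            pass  # the client rejected our cert with a TLS alert, as in the slapd trace
    t = threading.Thread(target=serve)
    t.start()
    cli_ctx = ssl.create_default_context(cafile=cafile)  # cafile=None -> system trust store only
    try:
        with socket.create_connection(lsock.getsockname()) as raw, \
                cli_ctx.wrap_socket(raw, server_hostname=server_hostname):
            result = "ok"
    except ssl.SSLCertVerificationError as e:
        result = f"verify_failed:{e.verify_code}"  # 18 = self signed cert, 62 = hostname mismatch
    t.join()
    lsock.close()
    return result

def demo():
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed(d, HOST)
        return (key_is_private(key), handshake(crt, key, None, HOST),
                handshake(crt, key, crt, HOST), handshake(crt, key, crt, "ldapxxx.eng.fit.edu"))
```

The second handshake is the thread's situation exactly: a self-signed cert that no trust store knows, so the client's verifier fails at depth 0 and sends the alert slapd logs; adding the cert as a CA (third call) fixes that only when the name the client dials matches the CN/SAN (fourth call).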