
RE: bad certificate error.



Sounds like you didn't specify your cert in the TLSCACertFile. Note that in
general, you should not be using self-signed certs for general
authentication purposes. When creating your own certificate framework, you
should create one self-signed cert for your Certificate Authority and create
other client and server certificates that are signed by your CA cert. The
whole basis of using certificates for security is that they are signed by a
trusted third party. When you encounter a self-signed cert, there is no 3rd
party; you have to blindly believe that the server is who it claims to be.
This is exactly what is meant by the error message - the cert involved
requires blind trust, but it is not present in your list of trusted
certificates (i.e., the CACerts).

Obviously, for manageability if nothing else, you want to keep the number of
blindly trusted certs in your system to a bare minimum, and build other
certs in terms of the few trusted ones.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
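The distinction Howard draws, shown with the openssl CLI as an added example (not from this thread): verify error 18 appears when a self-signed cert is absent from the trusted list, goes away once that cert itself is the CA file, and a server cert issued by a private CA verifies with only the CA cert trusted. It assumes the openssl command-line tool is installed; all file names and subjects are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# Everything is generated in a throw-away directory; names and subjects are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Case 1: a self-signed server certificate, as in Kervin's setup.
openssl req -x509 -newkey rsa:2048 -nodes -keyout selfsigned.key \
  -out selfsigned.pem -days 30 -subj "/CN=ldap.example.com" 2>/dev/null

# Case 2: one self-signed CA certificate, plus a server certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 30 -subj "/CN=Example Private CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=ldap.example.com" 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out server.pem -days 30 2>/dev/null

# verify_error CERT [CAFILE]: print the numeric X509 verify error, 0 when OK.
# CAFILE plays the role of slapd's TLSCACertFile: the list of blindly trusted certs.
verify_error() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1 || true)
  else
    out=$(openssl verify "$1" 2>&1 || true)
  fi
  # Failures are reported as "error <N> at <depth> depth lookup: <reason>".
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
}

# 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self-signed and not in the trusted list.
echo "self-signed, no CA file:        $(verify_error selfsigned.pem)"                # 18
# The same cert becomes acceptable only by blindly trusting it.
echo "self-signed, listed as trusted: $(verify_error selfsigned.pem selfsigned.pem)" # 0
# 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the issuing CA is unknown.
echo "CA-signed, CA not trusted:      $(verify_error server.pem)"                    # 20
# With just the CA trusted, any cert it issues verifies without further blind trust.
echo "CA-signed, CA file given:       $(verify_error server.pem ca.pem)"             # 0
```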

> -----Original Message-----
> From: Kervin L. Pierre [mailto:kervin@blueprint-tech.com]
> Sent: Thursday, May 02, 2002 8:15 PM
> To: Kervin L. Pierre
> Cc: Howard Chu; openldap-software
> Subject: Re: bad certificate error.
>
>
> SSL_get_verify_result() in tls.c returns 18, success is 0.
>
> From the OpenSSL manpage 18 means...
>
> 18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
>      the passed certificate is self signed and the same certificate
> cannot be found in the list of trusted certificates.
>
> http://www.openssl.org/docs/apps/verify.html
>
> seen this before?
>
> --Kervin
>
>
> Kervin L. Pierre wrote:
> >
> > changed the port.  I've been looking at the thing too long.
> >
> > Using s_client to connect to openldap does not produce a ssl error.  But
> > using ldapsearch to connect to s_server produces the following...
> >
> > # openssl s_server -accept 636 -cert /etc/openldap/slapd.pem
> > Using default temp DH parameters
> > ACCEPT
> > -----BEGIN SSL SESSION PARAMETERS-----
> > MHUCAQECAgMBBAIAFgQgVLGdE+ShwXCpmz6qBiRuaRvmBHxx/loIW0BzzmYGKpME
> > MEgHZypDjBRwkbk4p1KETYRhlP2DmHGEH9e7+2f6hKzrAQjMevTowgZA+Q+dGrCW
> > aKEGAgQ80JRYogQCAgEspAYEBAEAAAA=
> > -----END SSL SESSION PARAMETERS-----
> > Shared ciphers:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
> >
> > CIPHER is EDH-RSA-DES-CBC3-SHA
> > ERROR
> > shutting down SSL
> > CONNECTION CLOSED
> >
> > the ldapsearch command is...
> > ]$ ldapsearch -x  -H ldaps://bashful.eng.fit.edu/ -b
> > 'dc=my-domain,dc=com' '(objectclass=*)'
> >
> > Does that mean that the problem is with ldapsearch?
> >
> > --Kervin
> >
> >
> > Howard Chu wrote:
> >
> >>> -----Original Message-----
> >>> From: Kervin L. Pierre [mailto:kervin@blueprint-tech.com]
> >>
> >>
> >>
> >>> With s_client connecting to s_server, everything looks fine.  There
> >>> are no errors reported.  When I try to connect to the OpenLDAP server
> >>> using s_client I get...
> >>>
> >>> $ openssl s_client -connect bashful.eng.fit.edu:389
> >>
> >>
> >>
> >> You're using the cleartext port, you should be using 636 here.
> >>
> >>
> >>> CONNECTED(00000003)
> >>> 26420:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> >>> failure:s23_lib.c:226:
> >>