Re: Replication in v2.1.2: TLS-error
Hi,
I'm using LDAP for testing purposes,
there's no security problem,
as I'm the only one with access to the test net.
Each server (master & replica) gets its
own certificate ..
Of course I'm generating my certificates myself,
as it's free ..
I'm making this with the following script :
---snipp---
#!/bin/sh
# usage: ./mkcert.sh certname  -> writes key and self-signed cert to certname.pem
if [ -z "$1" ]
then
    echo "usage: $0 certname (without .pem)"
    exit 1
fi
# one self-signed certificate valid for 10 years, with an unencrypted key;
# key and certificate are written to the same PEM file
openssl req -new -x509 -nodes -days 3650 -out "$1.pem" -keyout "$1.pem"
---snipp---
Can I modify it so it seems not to be "self-signed"?
greets Harry
Howard Chu wrote:
>
> You cannot use self-signed certificates for TLS services. You must create
> one self-signed CA certificate and use that certificate to sign your server
> certificates. On each machine, you must install the CA certificate and tell
> the LDAP library where the CA cert is. You must also install and configure
> the individual server certificates for each server.
>
> Public key certificates require a mutually trusted 3rd party to ensure any
> type of security. That mutually trusted 3rd party is represented by the
> self-signed CA cert that you create and install. Only CAs are allowed to
> assert their own identity via self-signing. Every other entity in a PKI
> must derive its identity from a known CA.
>
> If you bypass this requirement then you have no assurance that a particular
> server is who it claims to be, which means you have no security at all. If
> you were using TLS in the manner you've described, you should fix this
> issue at your earliest opportunity.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> > Sent: Sunday, July 07, 2002 3:40 AM
> > To: OpenLDAP-software@OpenLDAP.org
> > Subject: Replication in v2.1.2: TLS-error
> >
> >
> > Hi,
> >
> > I'm trying to do replication with v2.1.2.
> >
> > The two servers are installed on the same machine,
> > with different ports (master: 3389, 3636; replica: 4389, 4636).
> >
> > Both servers are running,
> > but when it comes to replication slurpd says :
> >
> > --------------snipp-------------------------------------
> >
> > ber_flush: 31 bytes to sd 10
> > request 1 done
> > TLS certificate verification: Error, self signed certificate
> > TLS: can't connect.
> > Warning: ldap_start_tls failed: Connect error (91)
> > ber_flush: 761 bytes to sd 10
> > Error: LDAP SASL for ldap.hrnet.de:5389 failed: Can't
> > contact LDAP server
> > ber_flush: 7 bytes to sd 10
> > --------------snipp-------------------------------------
> >
> > The replica-server says :
> >
> > --------------snipp-------------------------------------
> > ber_flush: 14 bytes to sd 15
> > TLS: can't accept.
> > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> > unknown ca s3_pkt.c:956
> > conn=4 fd=15 closed
> > --------------snipp-------------------------------------
> >
> > I made two different certificates, one for the
> > master- one for the replica-server.
> >
> > I've done this before with version 2.0.25,
> > where it works fine ...
> >
> > Any suggestions ?
> >
> >
> > greets Harry
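The setup Howard describes, as an added example that is not part of this thread or of the OpenLDAP project: one self-signed CA certificate signs a separate certificate for each server, and clients check that a presented certificate chains to that CA (the check that failed above with "self signed certificate" / "unknown ca"). The working directory, the CA name, the file names (master, replica, lonely) and the hostnames ldap-master.test / ldap-replica.test are assumptions for illustration; the "lonely" certificate is built the way Harry's script builds one, so the script also shows why that certificate is rejected.

```shell
#!/bin/sh
# Added example, not code from the thread: build a private CA with plain
# openssl commands, issue CA-signed server certificates, and run the same
# chain check a TLS client performs. Names and paths below are assumptions.
set -eu

WORK=${PKI_DIR:-$(mktemp -d)}      # where keys and certs are written
CA_SUBJ="/CN=Test LDAP CA"         # assumed CA name

# Step 1: the only self-signed certificate in the whole PKI, the CA.
make_ca() {
    mkdir -p "$WORK"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -subj "$CA_SUBJ" \
        -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" 2>/dev/null
}

# Step 2: a key and CSR per server, signed by the CA (not by itself).
#   $1 = file name for this server, $2 = hostname clients will connect to
make_server_cert() {
    name=$1
    host=$2
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    # put the hostname in subjectAltName too; modern clients ignore the CN
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$name.ext"
    openssl x509 -req -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cacert.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# What the script in the thread produces: a server cert that signs itself.
make_selfsigned() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# The check a TLS client performs: does certificate $1 chain to our CA?
# Exit status 0 means yes.
verify_against_ca() {
    openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1
}

# Same check plus the hostname match a client makes when connecting to $2.
verify_for_host() {
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" "$1" \
        >/dev/null 2>&1
}

build_demo_pki() {
    make_ca
    make_server_cert master  ldap-master.test
    make_server_cert replica ldap-replica.test
    make_selfsigned  lonely  ldap-replica.test   # Harry-style, self-signed
}

build_demo_pki
echo "PKI written to $WORK"
for c in master replica lonely; do
    if verify_against_ca "$WORK/$c.pem"; then
        echo "$c.pem: chains to cacert.pem, a client trusting the CA accepts it"
    else
        echo "$c.pem: rejected (self signed / unknown ca), as in the slurpd log"
    fi
done
```

With the files produced, each slapd gets its own pair in slapd.conf (TLSCertificateFile and TLSCertificateKeyFile pointing at master.pem/master.key or replica.pem/replica.key) plus TLSCACertificateFile pointing at cacert.pem, and the client side (slurpd goes through libldap) gets TLS_CACERT cacert.pem in ldap.conf. The CA's private key (cacert.key) is only needed to sign new certificates and should not be copied to the servers.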