
Re: Replication in v2.1.2: TLS-error



You do it like this:

First you create a self-signed certificate, like you always do:

openssl req -new -x509 -days whatever -out CA.pem -keyout CAkey.pem

then you create a signing request

openssl req -new -days whatever -out CertReq.pem -keyout CertKey.pem -nodes

then you sign it with the CA created in the first step

openssl ca -in CertReq.pem -out Cert.pem

Most probably you will not be able to sign certificate right away, because your openssl.cfg will contain errors, but openssl produces rather clear error messages.

I believe the world is full of books on public key cryptography; they usually explain well the difference between self-signed and just signed certificates. If you don't have any of them, please read here: http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm

Regards, Vadim Tarassov.
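The three steps above as one runnable script, added here as an example and not part of Vadim's message or of OpenLDAP: it builds the CA, issues CA-signed certificates for a master and a replica, and then runs the same chain check the LDAP library performs at connect time. It substitutes `openssl x509 -req -CA` for `openssl ca` so that no openssl.cnf CA database (index.txt, serial file) has to be set up; the hostnames, paths and subject names are constructed, and the last step re-creates Harry's self-signed certificate to show why it is rejected.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, issue CA-signed
# server certificates, and verify them against CA.pem. "openssl x509 -req -CA"
# replaces "openssl ca", so no openssl.cnf CA database is needed.
# Hostnames and the working directory are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DAYS=3650

# Step 1: the only self-signed certificate in this PKI, the CA itself.
make_ca() {
    openssl req -new -x509 -nodes -batch -days "$DAYS" -subj "/CN=Test LDAP CA" \
        -keyout "$WORKDIR/CAkey.pem" -out "$WORKDIR/CA.pem"
}

# Steps 2 and 3 for one server ($1 = hostname): key + CSR, then a CA-signed cert.
make_server_cert() {
    host="$1"
    openssl req -new -nodes -batch -subj "/CN=$host" \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr"
    # subjectAltName so that clients checking the hostname accept the cert
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORKDIR/$host.ext"
    openssl x509 -req -days "$DAYS" -in "$WORKDIR/$host.csr" \
        -CA "$WORKDIR/CA.pem" -CAkey "$WORKDIR/CAkey.pem" -CAcreateserial \
        -extfile "$WORKDIR/$host.ext" -out "$WORKDIR/$host.crt"
}

# What Harry's script produces: a self-signed server cert, kept for comparison.
make_self_signed() {
    openssl req -new -x509 -nodes -batch -days "$DAYS" -subj "/CN=$1" \
        -keyout "$WORKDIR/$1.selfsigned.key" -out "$WORKDIR/$1.selfsigned.crt"
}

# Exit 0 if the given cert chains to CA.pem, non-zero otherwise.
chains_to_ca() {
    openssl verify -CAfile "$WORKDIR/CA.pem" "$WORKDIR/$1"
}

make_ca
make_server_cert master.example.test
make_server_cert replica.example.test
make_self_signed master.example.test
chains_to_ca master.example.test.crt      # prints "...: OK"
chains_to_ca replica.example.test.crt     # prints "...: OK"
# Fails with "self signed certificate", the same complaint slurpd logged.
chains_to_ca master.example.test.selfsigned.crt || echo "self-signed cert rejected, as expected"
```

Point `TLS_CACERT` in ldap.conf (and the slapd TLS options) at CA.pem on every machine and give each server its own `.key`/`.crt` pair.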

-----Original Message-----
From: Harry Rüter [mailto:harry_rueter@gmx.de]
Sent on: Sunday, 7 July 2002 14:39
To: OpenLDAP-software@OpenLDAP.org
Subject: Re: Replication in v2.1.2: TLS-error

Hi,

I'm using LDAP for testing purposes,
there's no security problem,
as I'm the only one with access to the test net.

Each server (master & replica) gets its
own certificate ..

Of course I'm generating my certificates myself,
as it's free ..

I'm making this with the following script:

---snipp---

#!/bin/sh

# Expect one argument: the certificate name (without .pem).
if [ "$1" = "" ]
then
  echo "usage: $0 certname (without .pem)"
  exit 1
fi

# Self-signed certificate and key, both written to the same PEM file.
openssl req -new -x509 -nodes -days 3650 -out "$1.pem" -keyout "$1.pem"
---snipp---

Can I modify it, so it seems not to be "self-signed"?


greets Harry

Howard Chu wrote:
> 
> You cannot use self-signed certificates for TLS services. You must create
> one self-signed CA certificate and use that certificate to sign your server
> certificates. On each machine, you must install the CA certificate and tell
> the LDAP library where the CA cert is. You must also install and configure
> the individual server certificates for each server.
> 
> Public key certificates require a mutually trusted 3rd party to ensure any
> type of security. That mutually trusted 3rd party is represented by the
> self-signed CA cert that you create and install. Only CAs are allowed to
> assert their own identity via self-signing. Every other entity in a PKI must
> derive its identity from a known CA.
> 
> If you bypass this requirement then you have no assurance that a particular
> server is who it claims to be, which means you have no security at all. If
> you were using TLS in the manner you've described, you should fix this issue
> at your earliest opportunity.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> > Sent: Sunday, July 07, 2002 3:40 AM
> > To: OpenLDAP-software@OpenLDAP.org
> > Subject: Replication in v2.1.2: TLS-error
> >
> >
> > Hi,
> >
> > I'm trying to do replication with v2.1.2.
> >
> > The two servers are installed on the same machine,
> > with different ports (master: 3389, 3636; replica: 4389, 4636).
> >
> > Both servers are running,
> > but when it comes to replication slurpd says:
> >
> > --------------snipp-------------------------------------
> >
> > ber_flush: 31 bytes to sd 10
> > request 1 done
> > TLS certificate verification: Error, self signed certificate
> > TLS: can't connect.
> > Warning: ldap_start_tls failed: Connect error (91)
> > ber_flush: 761 bytes to sd 10
> > Error: LDAP SASL for ldap.hrnet.de:5389 failed: Can't
> > contact LDAP server
> > ber_flush: 7 bytes to sd 10
> > --------------snipp-------------------------------------
> >
> > The replica server says:
> >
> > --------------snipp-------------------------------------
> > ber_flush: 14 bytes to sd 15
> > TLS: can't accept.
> > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> > unknown ca s3_pkt.c:956
> > conn=4 fd=15 closed
> > --------------snipp-------------------------------------
> >
> > I made two different certificates, one for the
> > master and one for the replica server.
> >
> > I've done this before with version 2.0.25,
> > where it worked fine ...
> >
> > Any suggestions?
> >
> >
> > greets Harry