Re: Replication in v2.1.2: TLS-error
You do it like this:
First you create a self-signed certificate, as you always do:
openssl req -new -x509 -days whatever -out CA.pem -keyout CAkey.pem
Then you create a signing request:
openssl req -new -days whatever -out CertReq.pem -keyout CertKey.pem -nodes
Then you sign it with the CA created in the first step:
openssl ca -in CertReq.pem -out Cert.pem
Most probably you will not be able to sign the certificate right away, because your openssl.cfg will contain errors, but openssl produces rather clear error messages.
I believe the world is full of books on public key cryptography; they usually explain the difference between self-signed and just signed certificates well. If you don't have any of them, please read here: http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm
Regards, Vadim Tarassov.
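The three steps above, carried through end to end, as an added example that is not code from the thread: a private CA, a server certificate signed by that CA, and the check that slurpd (through libldap) performs when it starts TLS. It uses "openssl x509 -req" in place of "openssl ca" so that no [ca] section, index.txt or serial file has to be set up, and it ships its own minimal req config so it does not depend on the system openssl.cnf. The hostnames ldap-replica.example.org and ldap-master.example.org, the file names and the PKI_DIR location are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It builds the private CA that
# Howard and Vadim describe, issues a server certificate signed by that CA,
# and runs the chain and hostname checks libldap makes at ldap_start_tls.
# Hostnames, file names and PKI_DIR are illustrative assumptions.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system
# openssl.cnf (the usual source of the errors Vadim mentions).
cat > "$PKI_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. The one certificate that is allowed to be self-signed: the CA.
make_ca() {
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -config "$PKI_DIR/req.cnf" -subj "/CN=Example Test CA" \
        -keyout "$PKI_DIR/CAkey.pem" -out "$PKI_DIR/CA.pem" 2>/dev/null
}

# 2. Key and signing request for one server, then 3. sign it with the CA.
# "openssl x509 -req" replaces "openssl ca", so no [ca] section or index.txt
# is needed. CN and subjectAltName carry the hostname slurpd will dial;
# libldap compares that name with the certificate as well as the chain.
issue_server_cert() {
    host="$1"
    openssl req -new -nodes -newkey rsa:2048 -config "$PKI_DIR/req.cnf" \
        -subj "/CN=$host" -keyout "$PKI_DIR/$host.key" \
        -out "$PKI_DIR/$host.csr" 2>/dev/null
    cat > "$PKI_DIR/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl x509 -req -days 365 -in "$PKI_DIR/$host.csr" \
        -CA "$PKI_DIR/CA.pem" -CAkey "$PKI_DIR/CAkey.pem" -CAcreateserial \
        -extfile "$PKI_DIR/$host.ext" -out "$PKI_DIR/$host.crt" 2>/dev/null
}

# The kind of self-signed server certificate Harry's script produces,
# kept here for comparison (key and cert in separate files).
make_selfsigned_server() {
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -config "$PKI_DIR/req.cnf" -subj "/CN=$1" \
        -keyout "$PKI_DIR/$1.selfsigned.key" \
        -out "$PKI_DIR/$1.selfsigned.pem" 2>/dev/null
}

# What slurpd/libldap effectively checks against TLS_CACERT: does the peer's
# certificate chain to the CA file and, when a host is given, does its name
# match the host that was dialled? Prints "ok" or "fail".
verify_against_ca() {
    cert="$1"
    if [ -n "${2:-}" ]; then
        set -- -verify_hostname "$2"
    else
        set --
    fi
    if openssl verify -CAfile "$PKI_DIR/CA.pem" "$@" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demo: run as "sh mkpki.sh --run" (file name is an assumption).
if [ "${1:-}" = "--run" ]; then
    make_ca
    issue_server_cert ldap-replica.example.org
    make_selfsigned_server ldap-replica.example.org
    r="$PKI_DIR/ldap-replica.example.org"
    echo "CA-signed, name matches:  $(verify_against_ca "$r.crt" ldap-replica.example.org)"
    echo "CA-signed, wrong name:    $(verify_against_ca "$r.crt" ldap-master.example.org)"
    echo "self-signed server cert:  $(verify_against_ca "$r.selfsigned.pem")"
    echo "files left in $PKI_DIR"
fi
```

The third line of the demo output is the case from Harry's log: a server certificate that is its own issuer is not in the CA file, so the chain check fails with "self signed certificate" on the client side, and the server sees the corresponding "unknown ca" alert. The second line is the other failure worth knowing about before the certificates go into slapd.conf: a correctly signed certificate whose name does not match the host named in the replica directive is also rejected.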
-----Original Message-----
From: Harry Rüter [mailto:harry_rueter@gmx.de]
Sent: Sunday, 7 July 2002 14:39
To: OpenLDAP-software@OpenLDAP.org
Subject: Re: Replication in v2.1.2: TLS-error
Hi,
I'm using LDAP for testing purposes;
there's no security problem,
as I'm the only one with access to the test net.
Each server (master & replica) gets its
own certificate ..
Of course I'm generating my certificates myself,
as it's free ..
I'm making this with the following script:
---snipp---
#!/bin/sh
# usage check: POSIX sh has no "==" inside [ ], so test for an empty argument instead
if [ -z "$1" ]
then
    echo "usage: $0 certname (without .pem)"
    exit 1
fi
# self-signed certificate; key and certificate are appended to the same file
openssl req -new -x509 -nodes -days 3650 -out "$1.pem" -keyout "$1.pem"
---snipp---
Can I modify it so that it does not seem to be "self-signed"?
greets Harry
Howard Chu wrote:
>
> You cannot use self-signed certificates for TLS services. You must create
> one self-signed CA certificate and use that certificate to sign your server
> certificates. On each machine, you must install the CA certificate and tell
> the LDAP library where the CA cert is. You must also install and configure
> the individual server certificates for each server.
>
> Public key certificates require a mutually trusted 3rd party to ensure any
> type of security. That mutually trusted 3rd party is represented by the
> self-signed CA cert that you create and install. Only CAs are allowed to
> assert their own identity via self-signing. Every other entity in a PKI must
> derive its identity from a known CA.
>
> If you bypass this requirement then you have no assurance that a particular
> server is who it claims to be, which means you have no security at all. If
> you were using TLS in the manner you've described, you should fix this issue
> at your earliest opportunity.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> > Sent: Sunday, July 07, 2002 3:40 AM
> > To: OpenLDAP-software@OpenLDAP.org
> > Subject: Replication in v2.1.2: TLS-error
> >
> >
> > Hi,
> >
> > I'm trying to do replication with v2.1.2.
> >
> > The two servers are installed on the same machine,
> > with different ports (master: 3389, 3636; replica: 4389, 4636).
> >
> > Both servers are running,
> > but when it comes to replication slurpd says:
> >
> > --------------snipp-------------------------------------
> >
> > ber_flush: 31 bytes to sd 10
> > request 1 done
> > TLS certificate verification: Error, self signed certificate
> > TLS: can't connect.
> > Warning: ldap_start_tls failed: Connect error (91)
> > ber_flush: 761 bytes to sd 10
> > Error: LDAP SASL for ldap.hrnet.de:5389 failed: Can't
> > contact LDAP server
> > ber_flush: 7 bytes to sd 10
> > --------------snipp-------------------------------------
> >
> > The replica-server says :
> >
> > --------------snipp-------------------------------------
> > ber_flush: 14 bytes to sd 15
> > TLS: can't accept.
> > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> > unknown ca s3_pkt.c:956
> > conn=4 fd=15 closed
> > --------------snipp-------------------------------------
> >
> > I made two different certificates, one for the
> > master- one for the replica-server.
> >
> > I've done this before with version 2.0.25,
> > where it works fine ...
> >
> > Any suggestions ?
> >
> >
> > greets Harry
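Howard's reply says what has to be installed where; the fragment below spells that out as an added example, not configuration from the thread or from the OpenLDAP project. It assumes two slapd instances on one host using the ports from Harry's first message, a CA certificate plus per-server certificates under /etc/openldap/certs (illustrative paths), a replicator DN and password that are placeholders, and the slurpd replica keyword spelled "tls=critical" as assumed for 2.1 (later releases document it as "starttls=critical").

```conf
# slapd.conf of the master (ports 3389/3636): its own certificate and key,
# plus the CA certificate it presents as the chain to clients
TLSCACertificateFile   /etc/openldap/certs/CA.pem
TLSCertificateFile     /etc/openldap/certs/ldap-master.example.org.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap-master.example.org.key

# replica entry for slurpd on the master. The host name here is the one
# libldap checks against the replica certificate's CN / subjectAltName, so
# it must be the same name the certificate was issued for (assumption:
# "tls=critical" is the 2.1 spelling; later releases use "starttls=critical")
replica host=ldap-replica.example.org:4389
        tls=critical
        binddn="cn=replicator,dc=example,dc=org"
        bindmethod=simple credentials=replicator-password-placeholder

# slapd.conf of the replica (ports 4389/4636): same CA, its own cert and key
TLSCACertificateFile   /etc/openldap/certs/CA.pem
TLSCertificateFile     /etc/openldap/certs/ldap-replica.example.org.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap-replica.example.org.key

# ldap.conf: tells the LDAP library (used by slurpd and by ldapsearch and
# friends) which CA to trust. With only CA.pem here, a server certificate
# that signed itself is rejected exactly as in the log above
TLS_CACERT   /etc/openldap/certs/CA.pem
TLS_REQCERT  demand
```

Putting a server's own self-signed certificate into TLS_CACERT would silence the error, but it only works for that one server and makes the client trust whatever key happens to sit in that file; the CA file is the single trust anchor for every server certificate the CA signs, which is the arrangement Howard describes.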