[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Replication in v2.1.2: TLS-error
Your problem is with how to use OpenSSL correctly. It is no longer
relevant to this mailing list.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> Sent: Sunday, July 07, 2002 5:39 AM
> To: OpenLDAP-software@OpenLDAP.org
> Subject: Re: Replication in v2.1.2: TLS-error
>
>
> Hi ,
>
> i'm using LDAP for testing purposes,
> there's no security-problem,
> as i'm the only one with access to test-net.
>
> Each sever (master & replica) gets its
> own certificat ..
>
> Of course i'm generating my certificates myself,
> as it's free ..
>
> I'm making this with the following script :
>
> ---snipp---
>
> #!/bin/sh
>
> if [ "$1" == "" ]
> then
> echo "usage: $0 certname (without .pem)"
> exit
> fi
>
> openssl req -new -x509 -nodes -days 3650 -out $1.pem -keyout
> $1.pem
> ---snipp---
>
> Can i modificate it, so it seems not to be "self-signed" ?
>
>
> greets Harry
>
> Howard Chu wrote:
> >
> > You cannot use self-signed certificates for TLS services. You must create
> > one self-signed CA certificate and use that certificate to sign
> your server
> > certificates. On each machine, you must install the CA
> certificate and tell
> > the LDAP library where the CA cert is. You must also install and
> configure
> > the individual server certificates for each server.
> >
> > Public key certificates require a mutually trusted 3rd party to
> ensure any
> > type of
> > security. That mutually trusted 3rd party is represented by the
> self-signed
> > CA cert that you create and install. Only CAs are allowed to
> assert their own
> > identity via self-signing. Every other entity in a PKI must derive its
> > identity from a known CA.
> >
> > If you bypass this requirement then you have no assurance that a
> particular
> > server is who it claims to be, which means you have no security
> at all. If
> > you
> > were using TLS in the manner you've described, you should fix
> this issue at
> > your earliest opportunity.
> >
> > -- Howard Chu
> > Chief Architect, Symas Corp. Director, Highland Sun
> > http://www.symas.com http://highlandsun.com/hyc
> > Symas: Premier OpenSource Development and Support
> >
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> > > Sent: Sunday, July 07, 2002 3:40 AM
> > > To: OpenLDAP-software@OpenLDAP.org
> > > Subject: Replication in v2.1.2: TLS-error
> > >
> > >
> > > Hi,
> > >
> > > i'm trying to do replication with v2.1.2.
> > >
> > > The twao serves are installed on the same machine,
> > > with different ports (master:3389,3636;replica: 4389,4636).
> > >
> > > Both servers are running,
> > > but when it come's to replication slurpd says :
> > >
> > > --------------snipp-------------------------------------
> > >
> > > ber_flush: 31 bytes to sd 10
> > > request 1 done
> > > TLS certificate verification: Error, self signed certificate
> > > TLS: can't connect.
> > > Warning: ldap_start_tls failed: Connect error (91)
> > > ber_flush: 761 bytes to sd 10
> > > Error: LDAP SASL for ldap.hrnet.de:5389 failed: Can't
> > > contact LDAP server
> > > ber_flush: 7 bytes to sd 10
> > > --------------snipp-------------------------------------
> > >
> > > The replica-server says :
> > >
> > > --------------snipp-------------------------------------
> > > ber_flush: 14 bytes to sd 15
> > > TLS: can't accept.
> > > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> > > unknown ca s3_pkt.c:956
> > > conn=4 fd=15 closed
> > > --------------snipp-------------------------------------
> > >
> > > I made two different certificates, one for the
> > > master- one for the replica-server.
> > >
> > > I've done this before with version 2.0.25,
> > > where it works fine ...
> > >
> > > Any suggestions ?
> > >
> > >
> > > greets Harry