
RE: TLS errors out



The cert that was used to sign your server's cert is not contained in the
cacert file that you specified for your client. Try putting the correct certs
in place. Since your server cert is self-signed that means your server cert
must be present in the cacert file. Note that using self-signed certs for
individual servers is extremely unwise.

Also note that host and port directives in ldap.conf are ignored when a URI
directive is present. For clarity you should delete those host and port
directives. The "ssl on"/"ssl start_tls" lines are not valid ldap.conf
directives. They should be deleted. That keyword may be used for configuring
nss_ldap and pam_ldap but in Symas CDS that configuration is stored in
/opt/symas/etc/nsspam.conf, not ldap.conf.

If you want to use LDAP over SSL you should just use ldaps:// URIs.

(Unfortunately there is no corresponding ldap.conf directive to make the
library automatically perform a StartTLS on all sessions. I believe this is a
glaring omission, but so it goes.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: pjoshi%charjiv.com@pop.business.earthlink.net
> [mailto:pjoshi%charjiv.com@pop.business.earthlink.net]
> Sent: Thursday, October 24, 2002 8:05 AM
> To: hyc@highlandsun.com; openldap-software@openldap.org
> Subject: RE: TLS errors out
>
>
> Dear Sir,
>
> Thanks for the reply. I have already done the settings as:
> 1. File: '/opt/symas/etc/openldap/SLAPD.conf'
> TLSRandFile     /var/symas/egd-pool
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /opt/symas/bin/ldapcert.pem
> TLSCertificateKeyFile /opt/symas/bin/ldapkey.pem
> TLSCACertificateFile /opt/symas/bin/cacert.pem
>
> 2. File: '/opt/symas/etc/openldap/LDAP.conf'
> BASE dc=TEST3,dc=TEST2,dc=mydomain,dc=com
> URI ldap://TEST3.TEST2.mydomain.com ldap://TEST3.TEST2.mydomain.com:636 ldap://TEST3.TEST2.mydomain.com:666
>
> host TEST3.TEST2.mydomain.com
> port 636
> ssl yes           # statement 'ssl start_tls' also causes an ssl problem
> TLS_CACERT /opt/symas/bin/cacert.pem
>
>
>
> Original Message:
> -----------------
> From: Howard Chu hyc@highlandsun.com
> Date: Thu, 24 Oct 2002 01:28:43 -0700
> To: openldap-software@OpenLDAP.org
> Subject: RE: TLS errors out
>
>
> Try reading the Admin Guide a little more carefully:
> http://www.openldap.org/doc/admin21/tls.html
>
> This is also specifically addressed in the FAQ:
> http://www.openldap.org/faq/data/cache/185.html
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> > Pravin Joshi
>
> > Dear All,
> >
> > I queried as follows:
> > /opt/symas/bin/ldapsearch -d 9 -Z -w mypass -D
> > "cn=Manager,dc=test3,dc=test2,dc=mydomain,dc=com" -b ""
> > "(objectClass=*)"
> >
> > After initial success messages, when it starts with TLS, I got the
> > following errors:
> >
> > # Start
> > ldap_msgfree
> > TLS trace: SSL_connect:before/connect initialization
> > TLS trace: SSL_connect:SSLv2/v3 write client hello A
> > TLS trace: SSL_connect:SSLv3 read server hello A
> > TLS certificate verification: depth: 0, err: 20,
> > subject: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test3.test2.mydomain.com,
> > issuer: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test3.test2.mydomain.com
> > TLS certificate verification: Error, unable to get local
> > issuer certificate
> > TLS trace: SSL3 alert write:fatal:unknown CA
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS: can't connect.
> > ldap_perror
> > ldap_start_tls: Connect error (91)
> >         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE
> > # End (There are other error messages after this)
> >
> > Now, what I feel is it is trying to do client authentication or else
> > comparing the issuer. And it fails there. I have been stuck on this for
> > the last two days. Please guide. Thanks in advance.
> >
> >
> > Regards
> > Pravin Joshi
> >
> >
>
>
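Added example, not from this thread or from OpenLDAP: a Go program (standard library only) that reproduces the point about the CA file. It builds a constructed self-signed certificate for test3.test2.mydomain.com, verifies it against an empty trust pool (the equivalent of a TLS_CACERT file that lacks the issuer, which fails with an unknown-authority error, the same condition behind the err: 20 / "unknown CA" alert in the trace above), then against a pool containing the self-signed cert itself, which succeeds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the thread's ldapcert.pem: issuer == subject, so no separate CA cert exists.
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// The client-side check TLS_CACERT feeds: the server cert must chain to a cert in the pool.
func verifyWithCAFile(server *x509.Certificate, caFile []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // empty but non-nil: system roots are NOT consulted
	for _, c := range caFile {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	host := "test3.test2.mydomain.com"
	server, err := newSelfSignedCert(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer missing from CA file:", verifyWithCAFile(server, nil, host)) // unknown authority
	fmt.Println("self-signed cert in CA file:", verifyWithCAFile(server, []*x509.Certificate{server}, host)) // <nil>
}
```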