[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
TLS SSL overload
- To: openldap-software@OpenLDAP.org
- Subject: TLS SSL overload
- From: billd <bd@emtex.com>
- Date: Wed, 30 Oct 2002 14:21:48 +0000
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
Hi,
<begging>
I'm trying to get TLS/SSL working with openLDAP.
I've made some progress, but my tiny mind has gone
into overload. This might be kind of long, sorry.
I'll do server config first as the server is starting,
but I don't know if it's right or not as I can't start
a TLS session with the client ldapsearch so far anyway.
I am using self-signed certs as this is an internal to
my company only openLDAP database. It hold info for
accounts on about 6 different servers, which is why I
am trying to use openLDAP so I can reduce the chance of
forgetting or mistyping an entry in one of the servers.
All the servers are on the safe side of a firewall at this
point, however I would like to be transmitting these encrypted
just in case someone managed to get a sniffer on my network
somehow, or even if my users were playing around with a sniffer.
So, here is what I have done:
Created a private key with 3des encryption
openssl genrsa -des3 -out ncc1701a.key 1024
created a self signed certificate
openssl req -new -key ncc1701a -x509 -out ncc1701a.crt
This asked me for some input, I think the important
one is the common name, so I put emtex.com... not sure
about this, should it be ncc1701a.emtex.com or emtex.com or
dn=emtex,dn=com...
I then added the key and cert to my slapd.conf
TLSCACertificateFile /usr/local/etc/openldap/ncc1701a.crt
TLSCertificateFile /usr/local/etc/openldap/ncc1701a.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ncc1701a.key
Is this right? As I am the authority that signed my own cert,
I used the same cert file for both. Or do I even need the
TLSCACertificate line at all? As there wasn't one in the
original and it started with out it... in any case putting
it in didn't make any difference.
I only have these all in the same place for now to try and
test and get it working, the key would be in a protected directory
once I get things working.
As stated, slapd does start ok.
I am assuming the default of never for TLSVerifyClient as I
am not using client certificates yet, and may not.
Now I try to do a query of everything in the database with
ldapsearch like so:
ldapsearch -Z -x -b 'dc=emtex,dc=com''(objectclass=*)'
and get the following errors from ./slapd -d 1
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
which seems to be saying that getting the certificate and/or verifying
it failed.
The slapd -d1 is saying:
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(16): got connid=32
connection_read(16): checking for input on id=32
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:964
this seems to be pointing at the client certificate as the problem...
however as I haven't specified to verify the client cert, it shouldn't
be asking for one should it?
I've also tried with the little java LDAP browser\editor v2.8.2 and
can't get that to work either. And I've seen dire warnings that
ldaps:// isn't compatible with V3 ldap protocol or something, yet
the URL that the editor is using is ldaps:// and it is set to version 3
and I would think these would be mutually exclusive if they don't work
together.
I have been reading tons of docs and I'm sorry but they don't all
make sense to me and maybe I'm just trying to learn this all a little
too fast. It is by far the most complex thing I've ever attempted to
configure, if anyone can tell me what I'm doing wrong at this point
I would at least get a decent nights sleep.
Further details should the be needed...
I am using openLDAP version 2.1.5 compiled with SSL suppport
I am using openssl-0.9.6b-18
I am using Redhat Linux 7.3 with stock smp kernel
I think I'm pretty close to having this working, but I could
certainly be wrong as I have been many times before and will
freely admit it.
Thanks, I'd really appreciate if anyone can tell me what I've
done wrong and any pointers on how to fix it if it isn't too
lengthy a subject.... </begging>
Thanks
Bill Dossett