
Last question about SSL and certs I hope



Hi,

After removing the encryption from my cert
and removing other things in the confs that
I had put in for testing, I believe I am
now using SSL/TLS.  I am a little concerned
by a couple of messages while running this
in debug though.  I am using a cert on the
server only, not client side and I am happy
to do things that way for now.  But when I am
running

./slapd -d 1

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(16): got connid=47
connection_read(16): checking for input on id=47
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(16): unable to get TLS client DN error=49 id=47
connection_get(16): got connid=47
connection_read(16): checking for input on id=47
ber_get_next
TLS trace: SSL3 alert read:warning:bad certificate
ber_get_next on fd 16 failed errno=11 (Resource temporarily unavailable)
connection_get(16): got connid=47
connection_read(16): checking for input on id=47
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind

and

ldapsearch -d 1 -ZZ -x -b 'dc=emtex,dc=com' '(objectclass=*)'

yields

TLS certificate verification: Error, self signed certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.


I am not using client certs, so I am guessing that these errors are because I am not using a client cert? I am only asking as they seem fairly dire and I guess I wouldn't expect to see errors so much just because I am not using a client cert.

Apart from that, I have used tcpdump to watch the exchange and
if I don't request an encrypted session, I can read the data
in the packets as it goes through... and if I do request an
encrypted session, I can't read anything in the packets... so
it sure looks like it is working, but I just wanted to make
sure as it's fairly useless thinking you are working over
an encrypted channel when you aren't.

Thanks

Bill Dossett
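As an added illustration (not part of the message above or of OpenLDAP's own code), here is a small Python summariser that reduces traces like the two quoted in the post to the facts worth checking: which side logged it, whether both Finished messages were exchanged, which handshake steps logged an error status, what the certificate layer reported, and which TLS alerts crossed the wire at what level. The sample traces are the TLS-relevant lines copied from the post; the field names are my own.

```python
import re

# Constructed sample input: the TLS-relevant lines copied from the slapd -d 1
# trace and the ldapsearch -ZZ trace quoted in the post (other lines dropped).
SERVER_TRACE = """\
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(16): unable to get TLS client DN error=49 id=47
TLS trace: SSL3 alert read:warning:bad certificate
"""
CLIENT_TRACE = """\
TLS certificate verification: Error, self signed certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
"""
ALERT_RE = re.compile(r"SSL3 alert (read|write):(warning|fatal):(.+)$")

def summarize_tls_trace(text):
    """Reduce a trace to: logging side, whether both Finished messages were
    seen, steps that logged an error, certificate-layer notes, and alerts."""
    s = {"side": None, "wrote_finished": False, "read_finished": False,
         "error_steps": [], "verify_errors": [], "cert_notes": [], "alerts": []}
    for line in map(str.strip, text.splitlines()):
        if "SSL_accept:" in line:
            s["side"] = "server"
        elif "SSL_connect:" in line:
            s["side"] = "client"
        if line.endswith("write finished A"):
            s["wrote_finished"] = True
        elif line.endswith("read finished A"):
            s["read_finished"] = True
        elif "error in " in line:      # only fatal if nothing completes after it
            s["error_steps"].append(line.split("error in ", 1)[1])
        elif line.startswith("TLS certificate verification: Error, "):
            s["verify_errors"].append(line.split("Error, ", 1)[1])
        elif "unable to get TLS client DN" in line or "unable to get peer certificate" in line:
            s["cert_notes"].append(line.split(": ", 1)[1].rstrip("."))
        m = ALERT_RE.search(line)
        if m: s["alerts"].append(m.groups())
    # Encrypted channel established iff both Finished messages were seen and no
    # fatal alert was logged; warning-level alerts do not tear the session down.
    s["fatal_alert"] = any(lvl == "fatal" for _, lvl, _ in s["alerts"])
    s["handshake_complete"] = s["wrote_finished"] and s["read_finished"] and not s["fatal_alert"]
    return s
```

A completed handshake with only warning alerts means the session is encrypted, which matches the tcpdump observation; the client-side "self signed certificate" verification error, however, means the client did not validate which server it was talking to, so it is worth fixing (pointing the client at the CA certificate that signed the server cert) rather than ignoring.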