Self-signed CA certificates in 2.1.8
Greetings,
I'm getting strange errors about self-signed certificates in OpenLDAP 2.1.8
with OpenSSL 0.9.6b-28. ldapsearch -Z with debugging turned on complains:
TLS trace: SSL_connect:SSLv3 read server hello A
[read certificate]
TLS certificate verification: depth: 1, err: 19, subject: /C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service, issuer: /C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
However, the server certificate in question is *not* self-signed, it is
signed by a CA known to both parties, just the way a good little certificate
should. The CA certificate is, of course, self-signed -- but all CA
certificates are! The certificate exchange also works quite nicely in 2.0.23,
so the certificate file locations etc are configured correctly. What on
earth is the problem, and how do I fix it?
Enclosed below are printouts of the CA and server certificates in question:
*** CA
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FI, ST=Too Cold Place, L=Espoo, O=Espoo Kingdom, CN=Universal Super Deluxe CA Service
Validity
Not Before: Oct 22 09:14:36 2002 GMT
Not After : Oct 22 09:14:36 2003 GMT
Subject: C=FI, ST=Too Cold Place, L=Espoo, O=Espoo Kingdom, CN=Universal Super Deluxe CA Service
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b9:c1:b1:a9:15:74:4b:dd:bf:1c:73:d6:08:43:
8f:18:20:9b:94:6d:ba:f2:ef:0d:d4:f2:02:79:14:
31:a7:c1:de:ca:0f:30:f2:d2:c2:84:f8:1d:2e:b5:
e9:85:c9:7e:b9:33:39:ba:be:d4:de:f9:4c:8a:0c:
a7:4b:64:21:cc:30:c3:fd:28:93:09:7d:5e:59:cb:
96:32:b8:e1:de:7d:e9:e1:fa:7c:64:c3:7f:3d:a7:
42:55:f4:12:fc:d0:8f:e2:e6:f5:4f:ac:e3:75:a8:
70:f5:47:fd:e6:18:3c:f7:9b:55:dd:61:9b:a7:30:
0b:8d:9f:55:bf:15:a7:b9:1b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
AE:90:03:DF:CF:0C:3A:63:81:4B:55:BD:24:0D:56:6E:FA:3C:78:C0
X509v3 Authority Key Identifier:
keyid:AE:90:03:DF:CF:0C:3A:63:81:4B:55:BD:24:0D:56:6E:FA:3C:78:C0
DirName:/C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
6a:59:07:08:0d:08:6e:dc:a1:55:db:5c:ba:d0:0d:48:29:af:
76:94:e1:49:12:a9:6e:0f:59:8d:38:bf:a0:5d:bc:62:a8:d6:
85:40:14:45:98:d6:5a:36:9e:cf:0d:84:27:19:c3:25:71:08:
91:6f:98:ba:7f:8e:26:11:52:0c:e9:46:11:98:c1:57:1b:0e:
37:85:a0:e4:cb:66:ed:4e:3a:1c:5c:e0:2b:6b:d6:76:22:d0:
c0:0e:4d:90:72:06:a2:c0:b6:5f:9c:3d:db:ca:59:60:a1:10:
24:7b:09:f8:1a:87:62:7a:2d:8b:31:f0:13:05:95:88:18:79:
c9:34
*** Server
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FI, ST=Too Cold Place, L=Espoo, O=Espoo Kingdom, CN=Universal Super Deluxe CA Service
Validity
Not Before: Oct 22 11:10:10 2002 GMT
Not After : Oct 22 11:10:10 2003 GMT
Subject: C=FI, ST=Espoo, L=Newbury, O=My Company Ltd, CN=ldap.labra.fi
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d8:55:3c:4e:10:c6:5b:62:d2:33:14:0a:54:db:
74:f9:7b:0f:d1:df:41:a2:02:29:24:3d:7d:af:39:
08:9c:56:ec:17:ce:bf:4a:91:12:b2:5e:a4:cf:0b:
c1:e2:30:6b:00:1d:cc:18:87:80:63:cd:88:5b:4a:
e9:d0:b9:9c:da:23:56:5f:90:6b:5b:fd:b5:10:a2:
ae:2b:69:16:7d:a6:15:29:18:e5:02:c1:d2:7a:ba:
6b:dc:72:21:7a:df:53:a8:ec:f3:4c:ef:5b:02:92:
3e:16:af:f8:b1:e4:09:a2:e8:80:75:ae:bc:3a:fe:
ec:2d:2b:13:b8:e5:a2:75:21
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
96:8A:C5:63:A2:B4:4B:AA:11:7D:8F:60:4E:44:EA:C4:CD:B2:4B:BB
X509v3 Authority Key Identifier:
keyid:AE:90:03:DF:CF:0C:3A:63:81:4B:55:BD:24:0D:56:6E:FA:3C:78:C0
DirName:/C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service
serial:00
Signature Algorithm: md5WithRSAEncryption
85:4b:8d:af:95:50:01:f6:c9:6a:0e:6e:1f:09:94:b0:af:c2:
0e:e0:f5:00:6e:18:17:76:76:76:cf:5a:3c:20:79:94:22:c5:
b2:aa:5d:00:73:dc:f4:15:7a:38:a6:c5:a5:b9:9e:68:36:8e:
9e:ca:ef:5d:f0:7e:af:b8:be:2c:45:f8:00:43:d2:5f:22:4f:
5c:f9:ba:b5:3a:7a:56:e9:35:1a:3f:98:da:40:6d:16:a6:a8:
91:62:1c:36:07:4c:b9:9f:97:28:10:b7:f5:b4:84:1b:b0:19:
c4:ef:fe:e6:81:51:04:9d:00:5a:10:a9:96:34:44:83:18:f8:
ec:a2
Cheers,
--
Jani Patokallio >0._, unction of my function. urge. urging of my purging.
jpatokal@iki.fi `..' nip. nip of my snip. now. now. now of my enow. NOW.
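An added example, not part of Jani's message or of OpenLDAP, that reproduces the verifier behaviour behind the trace above with the openssl command-line tool. OpenSSL's verify error 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the verifier walked the chain the server presented up to its self-signed root and then failed to find that root among the certificates it has been told to trust. It is reported at the depth of that root (depth 1 in the trace), which is why the message speaks of a self-signed certificate even though the server certificate itself is CA-issued. The script builds a throwaway CA and a leaf signed by it, then runs openssl verify three ways: with the CA offered only as an untrusted chain member (what a TLS server sends, and the situation in the trace), with the leaf alone, and with the CA loaded as a trust anchor. The CA name, hostname and file paths are constructed for the demo; whether an OpenLDAP client actually loads the CA file is a matter of its own configuration (TLS_CACERT in ldap.conf), which this script does not touch.

```sh
#!/bin/sh
# Added example, not from the original post. Reproduces the three outcomes an
# OpenSSL verifier can give for a leaf signed by a private CA, so that
# "error 19" can be told apart from a genuinely broken chain. Requires the
# openssl command-line tool; every name and path below is constructed for the
# demo ("Demo CA" and "ldap.example.invalid" are invented).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
    # A self-signed CA. Every root CA is self-signed; OpenSSL only objects to
    # that when the root is absent from the trust store it was handed.
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

    # A server (leaf) certificate issued by that CA, like the ldap cert above.
    cat > "$WORK/srv.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = ldap.example.invalid
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.example.invalid
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/srv.cnf" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/srv.cnf" \
        -extensions v3_leaf -out "$WORK/srv.pem" 2>/dev/null
}

verify_error() {
    # Prints the OpenSSL verify error number for srv.pem (0 = verified).
    # $1 selects what the verifier is handed:
    #   chain   - CA cert offered only as an untrusted chain member, i.e. what
    #             a TLS server sends, with nothing trusted: the case in the trace
    #   none    - the leaf alone, nothing trusted
    #   trusted - the CA cert installed as a trust anchor
    # -no-CAfile/-no-CApath keep the system store out of the picture.
    case "$1" in
        chain)   ve_out=$(openssl verify -no-CAfile -no-CApath -untrusted "$WORK/ca.pem" "$WORK/srv.pem" 2>&1) || true ;;
        none)    ve_out=$(openssl verify -no-CAfile -no-CApath "$WORK/srv.pem" 2>&1) || true ;;
        trusted) ve_out=$(openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.pem" "$WORK/srv.pem" 2>&1) || true ;;
        *) echo "unknown case: $1" >&2; return 2 ;;
    esac
    # Failure lines look like "error 19 at 1 depth lookup: self signed ..."
    ve_code=$(printf '%s\n' "$ve_out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    case "$ve_out" in
        *": OK") ve_code=0 ;;
    esac
    printf '%s\n' "${ve_code:--1}"
}

make_chain
for mode in chain none trusted; do
    printf '%-8s -> error %s\n' "$mode" "$(verify_error "$mode")"
done
```

Run as-is it prints `chain -> error 19`, `none -> error 20` and `trusted -> error 0`: a 19 means the verifier reached the self-signed root of the presented chain but does not trust it, whereas a 20 means it could not find the leaf's issuer at all. Only the third run, with the CA loaded as a trust anchor, matches what a correctly configured client does.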