
RE: SSL/TLS and PRNGD



re: random number generator, read the Admin Guide:
http://www.openldap.org/doc/admin21/tls.html

In this particular case, that is clearly not your problem. You are telling
ldapsearch to connect to an SSL session (ldaps server) : -H 'ldaps://....'
and then telling it to start TLS "-Z" on that session. ldaps sessions are
incompatible with the start TLS request. Use one or the other, not both.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Paul Reilly
> Sent: Friday, February 21, 2003 10:54 AM
> To: openldap-software@OpenLDAP.org
> Subject: SSL/TLS and PRNGD
>
>
>
> I've compiled OpenLDAP 2.1.12 with SSL/TLS but I suspect it is falling
> down due to the lack of a /dev/random on my OS (Tru64 Unix):
>
> ldapsearch -Z -x -D 'cn=....' -W -H 'ldaps://....' -b '....'
> ldap_start_tls: Can't contact LDAP server (81)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Testing the SSL connection to OpenLDAP 636 using openssl s_client works,
> but only if I specify the -rand option
>
> openssl s_client -connect server:636 -CAfile /path/toCA.pem
> -rand /dev/egd-pool -state
>
> without the -rand option it produces a 'PRNG not seeded' message. So I
> suspect OpenLDAP is having the same problem. I had a look through all the
> compile options for OpenLDAP but can't see anywhere where you could
> specify a random number device. Is there anywhere I can set this in
> OpenLDAP or is it a problem with my OpenSSL libraries?
>
> Paul
>
>
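The distinction Howard draws (an ldaps:// URI already wraps the whole connection in TLS before the first LDAP message, whereas -Z asks the client to open a plain LDAP session and then issue the StartTLS extended operation) is easy to get wrong when building command lines or client configuration. The following is an added example, not code from this thread or from the OpenLDAP project: it scans an ldapsearch-style argument list for the -H and -Z/-ZZ options that appear above, works out which TLS mode would result (including the default ports 389 and 636), and rejects the contradictory ldaps + StartTLS combination. The hostnames and base DN in the usage section are constructed placeholders.

```python
"""Decide how an ldapsearch-style command line would establish TLS.

Added illustration (not OpenLDAP code). It models only three things the
thread discusses: the -H URI, the -Z / -ZZ StartTLS flag, and the fact
that ldaps:// (implicit TLS) and StartTLS (explicit TLS) are mutually
exclusive ways of protecting the same connection.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Well-known default ports for the two URI schemes.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class TlsPlan:
    host: str
    port: int
    mode: str          # "plain", "starttls" or "ldaps"
    require_tls: bool  # True for -ZZ (client refuses to continue without TLS)


def plan_connection(uri: str, start_tls: bool, require_tls: bool = False) -> TlsPlan:
    """Map a URI plus StartTLS request onto the TLS mode that would result.

    ldap://  + no -Z  -> cleartext LDAP on port 389 (or the given port)
    ldap://  + -Z/-ZZ -> cleartext TCP, then StartTLS extended operation
    ldaps:// + no -Z  -> TLS handshake first, LDAP inside it, port 636
    ldaps:// + -Z/-ZZ -> invalid: TLS is already up, StartTLS cannot be layered
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported URI scheme {scheme!r} (expected ldap:// or ldaps://)")
    host = parts.hostname or "localhost"
    port = parts.port or DEFAULT_PORTS[scheme]

    if scheme == "ldaps":
        if start_tls:
            raise ValueError(
                "ldaps:// already negotiates TLS before any LDAP message; "
                "StartTLS (-Z) cannot be issued on that session. "
                "Drop -Z, or switch the URI to ldap:// and keep -Z."
            )
        return TlsPlan(host, port, "ldaps", require_tls=True)

    mode = "starttls" if start_tls else "plain"
    return TlsPlan(host, port, mode, require_tls=require_tls)


def plan_from_argv(argv: list[str]) -> TlsPlan:
    """Extract -H <uri> and -Z / -ZZ from an ldapsearch-like argument list.

    Only these two options are interpreted; everything else (-x, -D, -W,
    -b, ...) is passed over untouched.
    """
    uri = None
    start_tls = False
    require_tls = False
    it = iter(argv[1:])  # skip the program name
    for tok in it:
        if tok == "-H":
            uri = next(it, None)
        elif tok.startswith("-H") and len(tok) > 2:   # ldapsearch also accepts -Hldap://...
            uri = tok[2:]
        elif tok == "-ZZ":
            start_tls = require_tls = True
        elif tok == "-Z":
            start_tls = True
    if uri is None:
        raise ValueError("no -H <uri> given")
    return plan_connection(uri, start_tls, require_tls)


if __name__ == "__main__":
    # Constructed command lines; hostnames and DN are placeholders.
    good = ["ldapsearch", "-x", "-H", "ldap://ldap.example.test", "-Z",
            "-b", "dc=example,dc=test"]
    print(plan_from_argv(good))  # starttls on port 389
    bad = ["ldapsearch", "-x", "-H", "ldaps://ldap.example.test", "-Z"]
    try:
        plan_from_argv(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

Either of the two valid shapes gives an encrypted session; which one to use depends on what the server listens for (slapd serving port 636 for ldaps, or StartTLS on the standard port). The "PRNG not seeded" question in the original post is a separate client-side setting covered by the admin guide linked above and is not modelled here.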