Re: TLS client certificate pb
On Mon 03/03/2003 at 11:17, Francois Beretti wrote:
> Hello all
>
> I am asking for your help again, I am trying to have TLS with client
> certificate working but it doesn't.
>
> I generated a client certificate (signed by the CA) that I put in ~/ssl
> This certificate is valid:
>
> [francois@linux-integ francois]$ openssl verify -CAfile \
> /demoCA/cacert.pem ssl/cert.pem
> ssl/cert.pem: OK
>
> In ~/.ldaprc I put:
> TLS_CACERT /demoCA/cacert.pem
> TLS_CERT ~/ssl/cert.pem
> TLS_KEY ~/ssl/privkey.pem
>
Well, I found _one_ error, but the problem is still there.
The line
TLS_KEY ~/ssl/privkey.pem
must be replaced with
TLS_KEY ~/ssl/cert.key
where cert.key is the cleartext key (privkey.pem is the encrypted one,
which I decrypted with openssl rsa).
But I still have:
[root@linux-integ francois]# openssl s_client -cert ssl/cert.pem -key \
ssl/cert.key -CAfile /demoCA/cacert.pem -connect \
linux-integ.enatel.local:389 -tls1
CONNECTED(00000003)
2528:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:490:
Can anyone help me?
I'm sure somebody has already used openldap with tls and client
certificate verification...
How did you do that?
Thx
Francois Beretti
> I also have in ldap.conf:
> HOST linux-integ.enatel.local
>
> But:
>
> [francois@linux-integ francois]$ ldapsearch -ZZ -x
> ldap_start_tls: Connect error (91)
>
> I tried this to get more info:
> [francois@linux-integ francois]# openssl s_client -cert ssl/cert.pem \
> -key ssl/privkey.pem -CAfile /demoCA/cacert.pem -connect \
> linux-integ.enatel.local:389 -tls1
> Enter PEM pass phrase:
> CONNECTED(00000003)
> 1786:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:490:
>
> What do you think is going wrong?
>
> Many thanks in advance
>
> François Beretti
>
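An added example, not code from the thread or from OpenLDAP: a small shell script that checks the three properties this thread turns on before touching ~/.ldaprc, namely that TLS_KEY is a cleartext key (ldap.conf(5) requires an unencrypted key), that it belongs to TLS_CERT, and that TLS_CERT verifies against TLS_CACERT. It assumes the openssl command-line tool is installed; the file paths are passed as arguments, and the ones shown in the usage comment are those from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the files a
# ~/.ldaprc names under TLS_CACERT, TLS_CERT and TLS_KEY. Assumes the
# openssl command-line tool is installed; all paths are passed as arguments.

# 0 if the PEM key carries no passphrase. libldap reads TLS_KEY without
# prompting, so an encrypted privkey.pem cannot be used there; the cleartext
# key must instead be protected by restrictive file permissions.
key_is_cleartext() {
    key="$1"
    grep -q 'ENCRYPTED' "$key" && return 1
    openssl pkey -in "$key" -noout -passin pass: >/dev/null 2>&1
}

# 0 if the public key inside the certificate equals the one derived from
# the private key; otherwise the key cannot be used with that certificate.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate verifies against the CA file, the same test the
# thread runs by hand with 'openssl verify -CAfile'.
cert_chains_to_ca() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'
}

# Run all three checks; prints one line per check, returns 1 on any failure.
check_ldaprc_material() {
    ca="$1"; cert="$2"; key="$3"; rc=0
    if key_is_cleartext "$key"; then echo "ok   TLS_KEY is a cleartext key"
    else echo "FAIL TLS_KEY is encrypted; decrypt it with: openssl rsa -in $key -out cert.key"; rc=1; fi
    if key_matches_cert "$cert" "$key"; then echo "ok   TLS_KEY matches TLS_CERT"
    else echo "FAIL TLS_KEY does not belong to TLS_CERT"; rc=1; fi
    if cert_chains_to_ca "$ca" "$cert"; then echo "ok   TLS_CERT verifies against TLS_CACERT"
    else echo "FAIL TLS_CERT does not verify against $ca"; rc=1; fi
    return $rc
}

# Usage with the paths from the thread:
#   check_ldaprc_material /demoCA/cacert.pem ~/ssl/cert.pem ~/ssl/cert.key
```

If all three lines read "ok" and the handshake still fails, the problem is on the server side (its own certificate, the CA it trusts for clients, or the TLS settings in slapd.conf), which these checks do not cover.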