
RE: Last attempt at TLS/SSL



No dice, still gives the same error.  I had tried doing something
similar to that:

"If I add the line "tls_reqcert   never" to ldap.conf, then the ldapsearches
will work.  What could be causing openldap to think the cert can't be
verified when openssl says it's fine?  I've tried turning on tls_checkpeer
and pointing tls_cacertfile to my demoCA cacert.pem and it still fails (it
also fails with tls_checkpeer turned off)"

One avenue I'll pursue is to install bind 9 on the host and have it do
its own forward and reverse DNS.  Right now the box doesn't use DNS at
all, but the /etc/hosts file really should be fine as it has an entry
for what I made the CN when I made the certs.  Maybe openssl is doing
its forward and reverse lookups differently than openssl and depends
on a name server running, I really don't know.

-----Original Message-----
From: Jason L W Lynn [mailto:jlwlynn@uab.edu]
Sent: Thursday, June 26, 2003 2:39 PM
To: Lawrence, Mike (White Plains)
Cc: openldap-software@OpenLDAP.org
Subject: Re: Last attempt at TLS/SSL


I believe your client has to know about your CA.  Try adding (instead of
"TLS_REQCERT allow"):

TLS_CACERT /path/to/cacert/cacert.pem

On Thu, 2003-06-26 at 13:03, Lawrence, Mike (White Plains) wrote:
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 

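An added check, not code from this thread, that audits the two ldap.conf settings the exchange turns on: TLS_REQCERT never/allow, which makes the ldapsearch "work" only by skipping server-certificate verification, and a missing TLS_CACERT, the trust anchor Jason's reply says the client needs. The two sample configs and the hostname ldap.example.com are constructed for the example.

```python
"""Audit an OpenLDAP client ldap.conf for TLS verification settings (example, not from the thread)."""

# Constructed sample: the "works, but verifies nothing" configuration from the thread.
WEAK_LDAP_CONF = """\
URI ldaps://ldap.example.com
BASE dc=example,dc=com
tls_reqcert   never
"""

# Constructed sample: the fix from the reply, pinning the client to the private demoCA.
FIXED_LDAP_CONF = """\
URI ldaps://ldap.example.com
BASE dc=example,dc=com
TLS_CACERT /path/to/cacert/cacert.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {OPTION: value} for 'option value' lines; option names are case-insensitive."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_tls(text):
    """Return findings; an empty list means the client verifies the server certificate."""
    opts = parse_ldap_conf(text)
    findings = []
    # libldap defaults TLS_REQCERT to demand; never/allow proceed even on an unverifiable cert,
    # while try and demand/hard terminate the session on a bad certificate.
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: an unverifiable server certificate is accepted")
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a private CA such as demoCA has no trust anchor here")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print(name, audit_tls(conf) or ["ok: server certificate is verified against the configured CA"])
```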