[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: TLS / SSL
If you only want server side authentication, then you don't need any client
certs.
The default values for TLSVerifyClient and TLS_REQCERT are set for server
side authentication so you don't need to include them in the OpenLDAP conf
files.
For server sdie authentication, all I needed was:
1. CA cert on server.
2. Server cert and key (of course cert signed by the CA cert).
3. Optional (but it makes for better debug output :) ) ... the same CA cert
on the client box.
Make sure the CN of the server cert is the FQDN of the server (not
'localhost' or "10.9.8.7").
Hope this helps. I'm not familiar with FreeRadius so I can't suggest
anything on that side. Hopefully someone else will pipe in with that info
and maybe tell me where we are both wrong!
Cheers,
Kent Soper
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
phone: 1-512-838-9216
e-mail: dksoper@us.ibm.com
"Ron Wahler"
<ron@rovingplanet.com> To: Kent Soper/Austin/IBM@IBMUS
Sent by: cc: <openldap-software@OpenLDAP.org>
owner-openldap-software@O Subject: RE: TLS / SSL
penLDAP.org
07/01/2003 12:35 PM
That's all I want to do is Server side. I just want to keep it simple.
> -----Original Message-----
> From: Kent Soper [mailto:dksoper@us.ibm.com]
> Sent: Tuesday, July 01, 2003 11:12 AM
> To: Ron Wahler
> Cc: openldap-software@OpenLDAP.org
> Subject: RE: TLS / SSL
>
>
>
>
>
> Hi Ron,
>
> Have you tried using only server-side authentication first (no client
> cert)? If you can get that working, then adding client certs to an
ldaprc
> would be the next step.
>
> In slapd.conf, try using only these directives:
> TLSCipherSuite <settings>
> TLSCertificateFile <server cert>
> TLSCACertificateFile <ca cert>
> (no TLSVerifyClient directive)
>
> In ldap.conf:
> Nothing or "TLS_REQCERT demand" which is the default.
> You don't need a client CA cert for TLS/SSL, but you can have it
listed
> too.
>
> After success you can add client auth entries to slapd.conf and ldaprc
> (see man pages for *.conf or the document Pierre pointed you to).
>
> I don't know much about your setup, so please pardon me if this is a
> Netscape or other issue that I'm not aware of.
>
> Cheers,
> Kent Soper
>
> "You don't stop playing because you grow old ...
> you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> phone: 1-512-838-9216
> e-mail: dksoper@us.ibm.com
>
>
>
>
>
> "Ron Wahler"
> <ron@rovingplanet.com> To:
> <freeradius-users@lists.cistron.nl>, "Lawrence, Mike (White
> Sent by: Plains)"
> <Mike.Lawrence@starwoodhotels.com>,
> owner-openldap-software@O <openldap-
> software@OpenLDAP.org>
> penLDAP.org cc:
> Subject: RE:
TLS /
> SSL
>
> 07/01/2003 11:46 AM
>
>
>
>
>
>
>
> I also get this when I allow SSLv3 on the ldap side
>
> ldap_pvt_gethostbyname_a: host=fido, r=0
> put_filter: "(objectclass=*)"
> put_filter: simple
> put_simple_filter: "objectclass=*"
> ber_scanf fmt (m) ber:
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(13): unable to get TLS client DN error=49 id=0
> connection_get(13): got connid=0
> connection_read(13): checking for input on id=0
> ber_get_next
> TLS trace: SSL3 alert read:warning:close notify
> ber_get_next on fd 13 failed errno=0 (Success)
> connection_read(13): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=13 for close
> connection_close: conn=0 sd=13
> TLS trace: SSL3 alert write:warning:close notify
>
>
>
>
> > -----Original Message-----
> > From: Ron Wahler
> > Sent: Tuesday, July 01, 2003 10:30 AM
> > To: Lawrence, Mike (White Plains);
freeradius-users@lists.cistron.nl;
> > openldap-software@OpenLDAP.org
> > Subject: RE: TLS / SSL
> >
> >
> >
> > Getting this but the client can't connect at port 636
> >
> > CLIENT
> > m_ldap: setting TLS mode to 1
> > rlm_ldap: bind as cn=Manager,dc=fido,dc=com/secret to 10.0.0.94:636
> > rlm_ldap: cn=Manager,dc=fido,dc=com bind to 10.0.0.94:636 failed:
> Can't
> > contact LDAP server
> > rlm_ldap: (re)connection attempt failed
> >
> >
> >
> > SERVER:
> >
> > ldap_pvt_gethostbyname_a: host=fido, r=0
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ber_scanf fmt (m) ber:
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > TLS trace: SSL_accept:SSLv3 flush data
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_read(13): unable to get TLS client DN error=49 id=0
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > ber_get_next
> > TLS trace: SSL3 alert read:warning:close notify
> > ber_get_next on fd 13 failed errno=0 (Success)
> > connection_read(13): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=13 for close
> > connection_close: conn=0 sd=13
> > TLS trace: SSL3 alert write:warning:close notify
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Lawrence, Mike (White Plains)
> > > [mailto:Mike.Lawrence@starwoodhotels.com]
> > > Sent: Tuesday, July 01, 2003 9:01 AM
> > > To: Ron Wahler
> > > Subject: RE: TLS / SSL
> > >
> > >
> > > Hi Ron - I see that error as well and what it means is that
> > > the server was unable to get a client certificate. It doesn't
> > > need one to do ssl/tls, but it will still give the error if
> > > it doesn't have one, so it's basically a noise error and not
> > > a big deal unless you do have a client cert and are trying to
> > > use it.
> > >
> > > -----Original Message-----
> > > From: Ron Wahler [mailto:ron@rovingplanet.com]
> > > Sent: Monday, June 30, 2003 4:01 PM
> > > To: openldap-software@OpenLDAP. org
> > > Subject: TLS / SSL
> > >
> > >
> > >
> > > I am getting the following error when trying to connect
> > > From FreeRadius to OpenLDAP on SSL port 636. Is there
> > > Something here I can look at in the configuration files?
> > >
> > > Ron.
> > >
> > >
> > >
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > TLS trace: SSL_accept:SSLv3 read finished A
> > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > TLS trace: SSL_accept:SSLv3 write finished A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > ber_get_next
> > > TLS trace: SSL3 alert read:warning:close notify
> > > ber_get_next on fd 13 failed errno=0 (Success)
> > > connection_read(13): input error=-2 id=0, closing.
> > > connection_closing: readying conn=0 sd=13 for close
> > > connection_close: conn=0 sd=13
> > > TLS trace: SSL3 alert write:warning:close notify
> > >
> > >
> > > This electronic message transmission contains information from the
> > Company
> > > that may be proprietary, confidential and/or privileged.
> > > The information is intended only for the use of the individual(s)
or
> > > entity named above. If you are not the intended recipient, be
> > > aware that any disclosure, copying or distribution or use of the
> > contents
> > > of this information is prohibited. If you have received
> > > this electronic transmission in error, please notify the sender
> > > immediately by replying to the address listed in the "From:"
field.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>
>