[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Tls/ssl issue

cody wang wrote:

[root@accounts openldap]# openssl s_client -connect localhost:636
-showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Thousand Oaks/O=California Lutheran
University/OU=ISS/CN
=accounts.clunet.edu/emailAddress=codywang@clunet.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Thousand Oaks/O=California Lutheran
University/OU=ISS/CN
=accounts.clunet.edu/emailAddress=codywang@clunet.edu
verify error:num=21:unable to verify the first certificate
verify return:1
11712:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt
.c:1037:SSL alert number 40
11712:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:

I have no idea why, but your certs have been made incorrectly. On the above command, you should be able to see a subject - s - (the DN and RDN of the machine for which the cert. has been issued) and an issuer - i - (the CA that has issued the cert.)

Making/using your own CA cert for use within your own domain is o.k., but the command will also clearly state that this is a self-signed cert.

In slapd.conf

##SSL/TLS options for slapd
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSVerifyClient demand

In ldap.conf
TLS_CACERT /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand

Bits of the above are correct, but you are telling both server and client to insist on a client cert. as well as a server cert. This is only necessary for external SASL. Is this what you really want? Why not simply get things working with a server cert first?

Best,

Tony

--
Tony Earnshaw

Looking backwards is always easy with hindsight

http://www.billy.demon.nl
Mail: tonni@billy.demon.nl