
Re: TLS server side auth problem



On 2 September 2003, peter pan <lanwanhr@yahoo.com> wrote:
> 
> I still haven't made any progress on this.  No one
> replied to my post below, is this because:
> 
> - no one knows
> - my post is not appropriate in some way
> - I'm a berk for not spotting something obvious :)
> 
> I can't move forward with our LDAP rollout until this
> is resolved - does any one have any suggestions?
> 
> Pete.
> 
> --- peter pan <lanwanhr@yahoo.com> wrote:
[...]
> > If I put the serverkey and servercert in the .ldaprc
> > file (I know this is for the client certs but as a
> > test..) then ldapsearch -ZZ -x -h <FQDN> works.  If I
> > take them out of .ldaprc it fails:
> > 
> > [root@test root]# ldapsearch -ZZ -x -H
> > ldap://test.mydomain.com
> > ldap_start_tls: Connect error
> >         additional info: error:14077410:SSL
> > routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> > handshake
> > failure
[...]

    According to "man 5 ldap.conf":

:       Some options are user-only.  Such options are  ignored  if
:       present  in the ldap.conf (or file specified by LDAPCONF).
[...]
:       TLS_CERT <filename>
:              Specifies the file that contains  the  client  cer-
:              tificate. This is a user-only option.
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^
:       TLS_KEY <filename>
:              Specifies  the  file  that contains the private key
:              that matches the certificate stored in the TLS_CERT
:              file.  Currently,  the private key must not be pro-
:              tected with a password, so it is of critical impor-
:              tance  that  the  key  file is protected carefully.
:              This is a user-only option.
               ^^^^^^^^^^^^^^^^^^^^^^^^^^

    Regards,

    Liviu Daia

-- 
Dr. Liviu Daia               e-mail:   Liviu.Daia@imar.ro
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc
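To make the man page's rule concrete, here is an added example (not part of this thread and not OpenLDAP's own code) that mimics how the client library is documented to treat user-only options: keywords placed in the system ldap.conf are dropped, while the same keywords in ~/.ldaprc take effect. The user-only set, file paths and sample files are constructed for the demo.

```python
"""Constructed example: how libldap treats the "user-only" TLS_CERT / TLS_KEY
options.  Values for those keywords are honoured only from the per-user
~/.ldaprc, never from the system-wide ldap.conf (per the man page above)."""

USER_ONLY = {"TLS_CERT", "TLS_KEY"}   # only the two the man page excerpt names


def parse_ldap_conf(text):
    """Parse 'KEYWORD value' lines; blank lines and '#' comments are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def effective_options(system_text, user_text):
    """Merge ldap.conf then ~/.ldaprc: user-only keywords found in the system
    file are dropped and reported; user-file values override system ones."""
    merged, ignored = {}, []
    for key, value in parse_ldap_conf(system_text).items():
        if key in USER_ONLY:
            ignored.append(key)      # silently ignored by libldap; we report it
        else:
            merged[key] = value
    merged.update(parse_ldap_conf(user_text))
    return merged, ignored


# Constructed sample mirroring the thread: certs put in ldap.conf are ignored.
SYSTEM_CONF = """# /etc/openldap/ldap.conf (constructed sample)
URI ldap://test.mydomain.com
TLS_CACERT /etc/openldap/cacert.pem
TLS_CERT /etc/openldap/clientcert.pem
TLS_KEY /etc/openldap/clientkey.pem
"""
USER_RC = "TLS_CERT /home/pete/client.pem\nTLS_KEY /home/pete/client.key\n"

if __name__ == "__main__":
    print(effective_options(SYSTEM_CONF, ""))       # TLS_* dropped and reported
    print(effective_options(SYSTEM_CONF, USER_RC))  # TLS_* taken from .ldaprc
```

Running it with an empty user file reproduces the failing case from the thread: the client certificate and key never reach the TLS layer, so the handshake the server expects a client certificate for is aborted.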