[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Error in certificate



Judging from the info you've given so far, I'd guess that the OpenSSL library
that OpenLDAP is linked with is a different version from the one the openssl
application is using, but it's just a guess. Also, I have not used OpenLDAP
with OpenSSL 0.9.7b, there may be something wrong in the OpenSSL library.

Your s_client test failed because you didn't tell it where to find the CA
cert. try it again with -CAfile <cacert.pem pathname> added to the arguments.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of François Beretti

> Hi Brian,
>
> > If you're running LDAPS on port 636, you can do ...
> > openssl s_client -connect hostname:636 -showcerts
> > where hostname is the hostname of your box (must be the FQDN that is
> > listed in the certificate).  Even if you're not running
> LDAPS, it'd be
> > worth doing so just to debug it and then turn it off.
> >
> > If you're only doing STARTTLS, you can't use s_client to verify the
> > certificate.  You'd have to do what Howard suggested.
>
> I started slapd with
> slapd -d 7 -h ldaps://
>
> I did
> debian-ldap:/etc/ldap# openssl s_client -connect
> debian-ldap.enatel.local:636 -showcerts
>
> and I got :
> debian-ldap:/etc/ldap# openssl s_client -connect
> debian-ldap.enatel.local:636 -showcerts
> CONNECTED(00000003)
> depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/DC=local/DC=enatel/CN=debian-ldap.enatel.local
>    i:/DC=local/DC=enatel/CN=Autorite Enatel
> -----BEGIN CERTIFICATE-----
> MIICCjCCAXMCAQEwDQYJKoZIhvcNAQEEBQAwSTEVMBMGCgmSJomT8ixkARkWBWxv
> Y2FsMRYwFAYKCZImiZPyLGQBGRYGZW5hdGVsMRgwFgYDVQQDEw9BdXRvcml0ZSBF
> bmF0ZWwwHhcNMDMwOTE1MTEwOTU2WhcNMDQwOTE0MTEwOTU2WjBSMRUwEwYKCZIm
> iZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZlbmF0ZWwxITAfBgNVBAMT
> GGRlYmlhbi1sZGFwLmVuYXRlbC5sb2NhbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
> gYkCgYEAw3uSQp1CPU/3GXzeAFpXwfhxkAweOH/KX9aCn5e5eIsTCNo/rVJb3Ztc
> fpn76maonH3AGW4xbv3+CLSqC7qktftS0evDZVAOruEy/oJoQnF5xWtrOWhjEYwh
> Ahc0RG+x4vfla3T0W9rxQz4xg1+Zk9mWs3VTBE9B8PQxE98woDsCAwEAATANBgkq
> hkiG9w0BAQQFAAOBgQBwmznW5BPdl4cTwrDmkhVjDRMVtEl8PrxefP4mCQjemrA9
> JeiYdf9TozXEzDIJFbM47WzklVLoIBW2j7aKg5IIQ4lgoFW+JAGoAjV14kJLYyyT
> Toky4ic7rwpgW8UiwVuCUPrhA2mNUSOZ3EVpVSXmeOiJlldjstDOFJoGOgzsgg==
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/DC=local/DC=enatel/CN=debian-ldap.enatel.local
> issuer=/DC=local/DC=enatel/CN=Autorite Enatel
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1090 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:
> 41888CEE9FFC6DC8A27C6D97964B3693D1BACCA3DCFE2D8B4B7EB64039E23085
>     Session-ID-ctx:
>     Master-Key:
> 206F1AA8C00665264C1C1F11107E75E3437ECB351CA44EE58E534389417791
> 910BA3E1E87537
> 60C447E9B1DA0709B434
>     Key-Arg   : None
>     Start Time: 1063699267
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
>
>
> Why do I get all these errors ?
>
> François Beretti
>
>
> ____________
> Virus checked by G DATA AntiVirusKit
> Version: AVK 12.0.575 from 10.09.2003
> Virus news: www.antiviruslab.com
>
>
>
>