
RE: Error in certificate



For the s_client, excuse my stupid error :)
You were right, with the -CAfile option it works.

Now I am going to recompile the openldap package with the current openssl one, to check if it is the problem.

Thank you for the advice.

François Beretti

> -----Original Message-----
> From: Howard Chu [mailto:hyc@highlandsun.com]
> Sent: Tuesday 16 September 2003 10:21
> To: 'François Beretti'; openldap-software@OpenLDAP.org
> Subject: RE: Error in certificate
>
>
> Judging from the info you've given so far, I'd guess that the OpenSSL library
> that OpenLDAP is linked with is a different version from the one the openssl
> application is using, but it's just a guess. Also, I have not used OpenLDAP
> with OpenSSL 0.9.7b; there may be something wrong in the OpenSSL library.
>
> Your s_client test failed because you didn't tell it where to find the CA
> cert. Try it again with -CAfile <cacert.pem pathname> added to the arguments.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of François Beretti
>
> > Hi Brian,
> >
> > > If you're running LDAPS on port 636, you can do ...
> > > openssl s_client -connect hostname:636 -showcerts
> > > where hostname is the hostname of your box (must be the FQDN that is
> > > listed in the certificate).  Even if you're not running
> > LDAPS, it'd be
> > > worth doing so just to debug it and then turn it off.
> > >
> > > If you're only doing STARTTLS, you can't use s_client to verify the
> > > certificate.  You'd have to do what Howard suggested.
> >
> > I started slapd with
> > slapd -d 7 -h ldaps://
> >
> > I did
> > debian-ldap:/etc/ldap# openssl s_client -connect debian-ldap.enatel.local:636 -showcerts
> >
> > and I got :
> > debian-ldap:/etc/ldap# openssl s_client -connect debian-ldap.enatel.local:636 -showcerts
> > CONNECTED(00000003)
> > depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/DC=local/DC=enatel/CN=debian-ldap.enatel.local
> >    i:/DC=local/DC=enatel/CN=Autorite Enatel
> > -----BEGIN CERTIFICATE-----
> > MIICCjCCAXMCAQEwDQYJKoZIhvcNAQEEBQAwSTEVMBMGCgmSJomT8ixkARkWBWxv
> > Y2FsMRYwFAYKCZImiZPyLGQBGRYGZW5hdGVsMRgwFgYDVQQDEw9BdXRvcml0ZSBF
> > bmF0ZWwwHhcNMDMwOTE1MTEwOTU2WhcNMDQwOTE0MTEwOTU2WjBSMRUwEwYKCZIm
> > iZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZlbmF0ZWwxITAfBgNVBAMT
> > GGRlYmlhbi1sZGFwLmVuYXRlbC5sb2NhbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
> > gYkCgYEAw3uSQp1CPU/3GXzeAFpXwfhxkAweOH/KX9aCn5e5eIsTCNo/rVJb3Ztc
> > fpn76maonH3AGW4xbv3+CLSqC7qktftS0evDZVAOruEy/oJoQnF5xWtrOWhjEYwh
> > Ahc0RG+x4vfla3T0W9rxQz4xg1+Zk9mWs3VTBE9B8PQxE98woDsCAwEAATANBgkq
> > hkiG9w0BAQQFAAOBgQBwmznW5BPdl4cTwrDmkhVjDRMVtEl8PrxefP4mCQjemrA9
> > JeiYdf9TozXEzDIJFbM47WzklVLoIBW2j7aKg5IIQ4lgoFW+JAGoAjV14kJLYyyT
> > Toky4ic7rwpgW8UiwVuCUPrhA2mNUSOZ3EVpVSXmeOiJlldjstDOFJoGOgzsgg==
> > -----END CERTIFICATE-----
> > ---
> > Server certificate
> > subject=/DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > issuer=/DC=local/DC=enatel/CN=Autorite Enatel
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1090 bytes and written 340 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 1024 bit
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : DHE-RSA-AES256-SHA
> >     Session-ID: 41888CEE9FFC6DC8A27C6D97964B3693D1BACCA3DCFE2D8B4B7EB64039E23085
> >     Session-ID-ctx:
> >     Master-Key: 206F1AA8C00665264C1C1F11107E75E3437ECB351CA44EE58E534389417791910BA3E1E8753760C447E9B1DA0709B434
> >     Key-Arg   : None
> >     Start Time: 1063699267
> >     Timeout   : 300 (sec)
> >     Verify return code: 21 (unable to verify the first certificate)
> > ---
> >
> >
> > Why do I get all these errors ?
> >
> > François Beretti
> >
> >
> > ____________
> > Virus checked by G DATA AntiVirusKit
> > Version: AVK 12.0.575 from 10.09.2003
> > Virus news: www.antiviruslab.com
> >
> >
> >
> >
>


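The -CAfile point from the thread, reproduced offline as an added example. This is my own script, not code from the thread, from its participants or from the OpenLDAP project. It assumes the openssl command-line tool is on PATH; the CA name, the server name ldap.example.local and the $WORK scratch directory are made up for the demonstration. It builds a throwaway private CA and a server certificate signed by it, then runs openssl verify twice: without a CA bundle, verification fails at depth 0 with error 20 (unable to get local issuer certificate), the first error in the s_client output quoted above; with -CAfile pointing at the CA certificate it returns 0. A helper that applies the same -CAfile check to a live LDAPS listener via s_client is included but not run, since it needs a network peer.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the "unable to get local issuer
# certificate" situation offline with a throwaway CA, then show that supplying
# the CA bundle (the -CAfile that fixed s_client in the thread) makes it pass.
# Assumptions: the openssl CLI is on PATH; all names (Example CA,
# ldap.example.local, the $WORK scratch directory) are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a private CA and a server certificate signed by it (constructed test PKI).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/DC=local/DC=example/CN=Example CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/DC=local/DC=example/CN=ldap.example.local" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# verify_code CERT [CAFILE]: print the X509 verify error number for CERT,
# 0 when the chain is good. Without CAFILE only the default trust store is
# consulted, so a private CA is unknown and the first error is 20
# (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), as in the s_client output
# quoted in the thread. The exit status of "openssl verify" is ignored on
# purpose: OpenSSL 1.0.x returned 0 even on failure, so the text is parsed.
verify_code() {
    cert="$1"; ca="${2:-}"
    if [ -n "$ca" ]; then
        out=$(openssl verify -CAfile "$ca" "$cert" 2>&1 || true)
    else
        out=$(openssl verify "$cert" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo 0 ;;
        *) echo "$out" \
             | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
             | head -n 1 ;;
    esac
}

# ldaps_verify_code HOST CAFILE [PORT]: the same check against a live LDAPS
# listener, parsing s_client's "Verify return code: N (...)" line.
# Not invoked here because it needs a network peer.
ldaps_verify_code() {
    host="$1"; ca="$2"; port="${3:-636}"
    openssl s_client -connect "$host:$port" -CAfile "$ca" </dev/null 2>/dev/null \
        | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p'
}

make_test_pki
echo "server.pem without -CAfile: verify error $(verify_code "$WORK/server.pem")"
echo "server.pem with    -CAfile: verify error $(verify_code "$WORK/server.pem" "$WORK/ca.pem")"
```

Against a real server the equivalent is `ldaps_verify_code debian-ldap.enatel.local /path/to/cacert.pem`, which prints 0 once the CA certificate is supplied; any other number is the same verify error the s_client session summary would report. Note that this only checks the chain: hostname matching against the certificate's CN or subjectAltName is a separate step that openssl verify does not perform here.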