RE: Error in certificate
For the s_client, excuse my stupid error :)
You were right; with the -CAfile option it works.
Now I am going to recompile the openldap package with the current openssl
one, to check if it is the problem.
Thank you for the advice.
François Beretti
> -----Original Message-----
> From: Howard Chu [mailto:hyc@highlandsun.com]
> Sent: Tuesday, 16 September 2003 10:21
> To: 'François Beretti'; openldap-software@OpenLDAP.org
> Subject: RE: Error in certificate
>
>
> Judging from the info you've given so far, I'd guess that the OpenSSL library
> that OpenLDAP is linked with is a different version from the one the openssl
> application is using, but it's just a guess. Also, I have not used OpenLDAP
> with OpenSSL 0.9.7b; there may be something wrong in the OpenSSL library.
>
> Your s_client test failed because you didn't tell it where to find the CA
> cert. Try it again with -CAfile <cacert.pem pathname> added to the arguments.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of François Beretti
> >
> > Hi Brian,
> >
> > > If you're running LDAPS on port 636, you can do ...
> > > openssl s_client -connect hostname:636 -showcerts
> > > where hostname is the hostname of your box (must be the FQDN that is
> > > listed in the certificate). Even if you're not running LDAPS, it'd be
> > > worth doing so just to debug it and then turn it off.
> > >
> > > If you're only doing STARTTLS, you can't use s_client to verify the
> > > certificate. You'd have to do what Howard suggested.
> >
> > I started slapd with
> > slapd -d 7 -h ldaps://
> >
> > I did
> > debian-ldap:/etc/ldap# openssl s_client -connect debian-ldap.enatel.local:636 -showcerts
> >
> > and I got:
> > debian-ldap:/etc/ldap# openssl s_client -connect debian-ldap.enatel.local:636 -showcerts
> > CONNECTED(00000003)
> > depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 /DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> > 0 s:/DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > i:/DC=local/DC=enatel/CN=Autorite Enatel
> > ---
> > Server certificate
> > subject=/DC=local/DC=enatel/CN=debian-ldap.enatel.local
> > issuer=/DC=local/DC=enatel/CN=Autorite Enatel
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 1090 bytes and written 340 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> > Server public key is 1024 bit
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : DHE-RSA-AES256-SHA
> > Session-ID: 41888CEE9FFC6DC8A27C6D97964B3693D1BACCA3DCFE2D8B4B7EB64039E23085
> > Session-ID-ctx:
> > Master-Key: 206F1AA8C00665264C1C1F11107E75E3437ECB351CA44EE58E534389417791910BA3E1E8753760C447E9B1DA0709B434
> > Key-Arg : None
> > Start Time: 1063699267
> > Timeout : 300 (sec)
> > Verify return code: 21 (unable to verify the first certificate)
> > ---
> >
> >
> > Why do I get all these errors?
> >
> > François Beretti
> >
> >
> > ____________
> > Virus checked by G DATA AntiVirusKit
> > Version: AVK 12.0.575 from 10.09.2003
> > Virus news: www.antiviruslab.com
> >
> >
> >
> >
>
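Howard's diagnosis above (s_client reports error 20 and then 21 only because it was never told where the CA certificate is) can be reproduced end to end. The script below is an added example, not code from this thread or from OpenLDAP: it builds a throwaway CA and server certificate with the openssl CLI, serves the leaf certificate alone with openssl s_server, and compares the verify return code with and without -CAfile. The port, file names and subject names are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread: serve a certificate whose CA is
# unknown to the client, reproduce the s_client verify failure, then show that
# -CAfile resolves it. Needs the openssl CLI on PATH. The port, file names
# and subject names are assumptions; the CA and server cert are constructed.
set -e
WORK=$(mktemp -d)
PORT=4433
SERVER_PID=""

make_certs() {
    # Throwaway CA, then a server certificate signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.pem" >/dev/null 2>&1
}

start_server() {
    # Like slapd in the thread: present only the leaf certificate, no chain.
    openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" \
        -quiet >/dev/null 2>&1 &
    SERVER_PID=$!
    sleep 1
}

# Print the numeric "Verify return code" of one s_client run; "$@" are extra
# s_client arguments (e.g. -CAfile). Newer s_client repeats the line in each
# session-ticket block, so keep only the first match.
verify_code() {
    openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

cleanup() {
    kill "$SERVER_PID" 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

make_certs
start_server
echo "without -CAfile: $(verify_code)"                        # 21
echo "with    -CAfile: $(verify_code -CAfile "$WORK/ca.pem")" # 0
```

Without -CAfile the client stops at the leaf with "unable to verify the first certificate" (21), exactly as in the pasted session; pointing it at the CA file turns that into 0 (ok).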