Re: Slurpd over SSL
Tony Earnshaw wrote:
> Estevam Viragh wrote:
> > Yes, the master and slave both have the same
> > certificates. I assumed it is fine given that I used
> > heavymetal.com as commonName, the domain name.
>
> Each host's public cert should be issued for the FQDN of that host as
> subject and as the rest of the network will see it. Not for the
> domain. You cannot use a single certificate for more than one host
> (unless you're into the subjectAltName game, but that's a different
> story ;) Each server cert should be signed by one single CA and that
> CA cert made available to each host and client.
>
> --Tonni
Please explain to me what else I am not doing.
On host1 I set up a CA and create a cert for host2:
cd /usr/local/ssl/bin
./openssl req -new -nodes -keyout newreq.pem -out newreq.pem
( cn=host2.mydomain.ru)
cp newreq.pem /usr/local/ssl/misc
./CA.sh -sign
mv newcert.pem host2cert.pem
mv newkey.pem host2key.pem
Copy host2cert.pem, host2key.pem and the file
/usr/local/ssl/misc/demoCA/cacert.pem to host2.
slapd.conf on host2:
security ssf=1 tls=112
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/host2cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/host2key.pem
TLSVerifyClient demand
ldap.conf:
TLS_CACERT /usr/local/etc/openldap/ssl/cacert.pem
TLS_CERT /usr/local/etc/openldap/ssl/host2cert.pem
TLS_KEY /usr/local/etc/openldap/ssl/host2key.pem
BASE dc=mydomain,dc=ru
URI ldap://host2.mydomain.ru
On host2 OpenLDAP was compiled as:
export CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include \
-I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib \
-R/usr/local/BerkeleyDB.4.1/lib \
-L/usr/local/ssl/lib \
-R/usr/local/ssl/lib"
./configure --with-tls \
--enable-slapd \
--enable-cleartext
and when I attempt to connect to the slapd server on the same computer with the command
/usr/local/bin/ldapsearch -Z -x -D "cn=Manager,dc=mydomain,dc=ru" -W "(uid=user)"
I see the following message:
ldap_start_tls: Connect error (91)
additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
If the CA and slapd run on the same host, I can connect to it from anywhere.
Please explain to me what I didn't do.
Thanks.
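As an added example, not code from the original post or from the OpenLDAP project: a POSIX shell script that builds the arrangement Tony describes (one private CA, one certificate per host whose CN and subjectAltName are that host's FQDN) and runs the three checks worth doing before touching slapd.conf: the certificate's public key matches the key file TLSCertificateKeyFile points at, the certificate verifies against the CA file handed to TLSCACertificateFile, and the subject CN is the FQDN clients will connect to. The hostnames host2.example.test and host3.example.test and the working directory are constructed for illustration; only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): private CA, per-host certificate
# with FQDN as CN and subjectAltName, and the consistency checks that catch
# the usual causes of a TLS handshake failure. Hostnames and paths are
# constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA certificate and key (the cacert.pem every host and
# client is given).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Issue a certificate for one host: fresh key and CSR, then a CA signature
# with a subjectAltName extension so peers that match on SAN still accept it.
issue_host_cert() {
    fqdn="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$fqdn" \
        -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$WORK/$fqdn.ext"
    openssl x509 -req -days 365 -sha256 -in "$WORK/$fqdn.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/$fqdn.ext" -out "$WORK/$fqdn.crt" 2>/dev/null
}

# Check 1: the certificate's public key is the public half of the key file.
# A cert/key mismatch makes the TLS handshake fail before any LDAP traffic.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$c" = "$k" ]
}

# Check 2: the certificate chains to the CA cert the peer will be given.
chain_verifies() {
    openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1
}

# Check 3: print the subject CN so it can be compared with the host's FQDN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Walk through the whole procedure for one host and report each check.
demo() {
    make_ca
    issue_host_cert host2.example.test
    crt="$WORK/host2.example.test.crt"
    key="$WORK/host2.example.test.key"
    cert_matches_key "$crt" "$key" && echo "cert/key match: ok"
    chain_verifies "$crt" && echo "chain to CA: ok"
    echo "subject CN: $(cert_cn "$crt")"
    echo "files are in $WORK"
}
```

Run `demo` once to see the procedure end to end, or call `make_ca` once and `issue_host_cert <fqdn>` once per server, then copy cacert.pem plus that host's .crt and .key into the paths named in slapd.conf. With `TLSVerifyClient demand` the server applies the same chain check to the client certificate named in ldap.conf, so `cert_matches_key` and `chain_verifies` are worth running on the client-side files as well.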