
Re: tls key exchange



> Thomas Berg wrote:
> | hi
> |
> | I tried for quite a long time to get tls/ssl encryption to work together
> | with openldap. But it didn't work. This is my configuration.
> |
> | I went the normal way to generate the CA, the req and the cert.
> |
> | CA.pl -newca
> | CA.pl -newcert
> | CA.pl -signcert
> | openssl rsa -in newreq.pem -out ldapkey.pem
> | cp newcert.pem ldapcert.pem
> | CA.pl verify ldapcert.pem (OK)
> |
> | generated a req and cert for the client (don't know if it is a must)
> 
> If all you want is encryption of the ldap traffic from php, a client
> cert is not necessary, and most likely causing your problems.
> 
> Also, ensure that you are connecting to the LDAP server with the
> hostname that is on the cert ..
> 
> Regards,
> Buchan
> 
> - --
> Buchan Milne                      Senior Support Technician
> Obsidian Systems                  http://www.obsidian.co.za
> B.Eng                                RHCE (803004789010797)

How can I get the hostname or maybe hostnames onto the cert? I was never
asked for it while generating the cert with CA.pl/openssl!

Now my server output looks like this:

connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN error=49 id=0
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
TLS trace: SSL3 alert write:warning:close notify

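Putting the server's hostnames onto the cert, as an added example that is not part of this thread: CA.pl never prompts for them, so they have to be supplied as a subjectAltName extension in an openssl config section, and `openssl verify -verify_hostname` then shows which names the cert will actually be accepted for. The hostnames, IP address and working directory below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): issue an LDAP server cert whose
# subjectAltName lists every name clients connect with, then check the result.
# ldap.example.com, ldap, 192.0.2.10 and the work directory are constructed values.
set -e

WORK="${TMPDIR:-/tmp}/ldap-san-demo"
mkdir -p "$WORK"

# Self-signed server cert; the SAN names come from the [srv] section because
# the interactive req prompts never ask for alternative names.
make_server_cert() {
    cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = srv
prompt             = no

[ dn ]
CN = ldap.example.com

[ srv ]
subjectAltName   = DNS:ldap.example.com, DNS:ldap, IP:192.0.2.10
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/san.cnf" \
        -keyout "$WORK/ldapkey.pem" -out "$WORK/ldapcert.pem" 2>/dev/null
}

# Print the SAN line so an admin can see which names the cert really carries.
cert_san() {
    openssl x509 -in "$WORK/ldapcert.pem" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the cert would be accepted for the given hostname.
# The cert is self-signed, so it doubles as the trust anchor here.
cert_matches_host() {
    openssl verify -CAfile "$WORK/ldapcert.pem" -verify_hostname "$1" \
        "$WORK/ldapcert.pem" >/dev/null 2>&1
}

make_server_cert
cert_san
```

A client that connects as `ldap` or `ldap.example.com` matches this cert; a name missing from the SAN list, like a bare IP or an internal alias, fails the hostname check even though the chain verifies.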