
Re: tls key exchange



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Berg wrote:
|>Thomas Berg wrote:
|>| hi
|>|
|>| I tried for quite a long time to get tls/ssl encryption to work together
|>| with openldap. But it didn't work. This is my configuration.
|>|
|>| I went the normal way to generate the CA, the req and the cert.
|>|
|>| CA.pl -newca
|>| CA.pl -newcert
|>| CA.pl -signcert
|>| openssl rsa -in newreq.pem -out ldapkey.pem
|>| cp newcert.pem ldapcert.pem
|>| CA.pl verify ldapcert.pem (OK)
|>|
|>| generated a req and cert for the client (don't know if it is a must)
|>
|>If all you want is encryption of the ldap traffic from php, a client
|>cert is not necessary, and most likely causing your problems.
|>
|>Also, ensure that you are connecting to the LDAP server with the
|>hostname that is on the cert ..
|>
|>Regards,
|>Buchan
|>
|>- --
|>Buchan Milne                      Senior Support Technician
|>Obsidian Systems                  http://www.obsidian.co.za
|>B.Eng                                RHCE (803004789010797)
|
|
| How can I get the hostname or maybe hostnames onto the cert? I was never
| asked for it while generating the cert with CA.pl/openssl!
|

I mean the Subject's CN should be the hostname you are trying to connect
to. Never used CA.pl before, but it is usually the only critical
parameter ...

| Now my server output looks like this:

Well, it still seems to be using a client cert, which is unnecessary.

|
| connection_get(12): got connid=0
| connection_read(12): checking for input on id=0
| TLS trace: SSL_accept:before/accept initialization
| TLS trace: SSL_accept:SSLv3 read client hello A
| TLS trace: SSL_accept:SSLv3 write server hello A
| TLS trace: SSL_accept:SSLv3 write certificate A
| TLS trace: SSL_accept:SSLv3 write server done A
| TLS trace: SSL_accept:SSLv3 flush data
| TLS trace: SSL_accept:error in SSLv3 read client certificate A
| TLS trace: SSL_accept:error in SSLv3 read client certificate A
| connection_get(12): got connid=0
| connection_read(12): checking for input on id=0
| TLS trace: SSL_accept:SSLv3 read client key exchange A
| TLS trace: SSL_accept:SSLv3 read finished A
| TLS trace: SSL_accept:SSLv3 write change cipher spec A
| TLS trace: SSL_accept:SSLv3 write finished A
| TLS trace: SSL_accept:SSLv3 flush data
| connection_read(12): unable to get TLS client DN error=49 id=0
| connection_get(12): got connid=0
| connection_read(12): checking for input on id=0
| ber_get_next
| TLS trace: SSL3 alert read:warning:close notify
| ber_get_next on fd 12 failed errno=0 (Success)
| connection_read(12): input error=-2 id=0, closing.
| connection_closing: readying conn=0 sd=12 for close
| connection_close: conn=0 sd=12
| TLS trace: SSL3 alert write:warning:close notify
|


- --
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA2tburJK6UGDSBKcRAuY4AKC7ANjE7pGUJIiOb51bVC1ywDFhawCbB1TA
jCgXm4tHvbK1FzZm4k3aQKw=
=Wqn2
-----END PGP SIGNATURE-----