
SSL3 alert read:warning:bad certificate
Hello list
As far as I can see, the problem is very common on the web, but I can't find any solution there.
When I use:


openssl s_server -accept 636 -cert /etc/ldap/ldapcert.pem -key /etc/ldap/ldapkey.pem

and then

openssl s_client -connect ldap.example.com:636 -showcerts -state -CAfile /etc/ldap/cacert.pem

All is OK. There are no errors.
But when I start slapd with configuration:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/ldapkey.pem
TLSCACertificateFile /etc/ldap/cacert.pem
TLSVerifyClient 0    (or never)

There is a string:

SSL3 alert read:warning:bad certificate - full listing below

Maybe it's OK (I'm not sure; ldapsearch with TLS works well). But when I try to authenticate users, it is not possible. All the time I get messages that:

No client certificate CA names sent

As I know, it means that the server certificate was not accepted.

Full result of the s_client command with slapd started:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=example.com/emailAddress=kokoszka@ite.ww.pl
verify return:1
depth=0 /C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=ldap.example.com/emailAddress=kokoszka@ite.waw.pl
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=ldap.example.com/emailAddress=kokoszka@ite.waw.pl
i:/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=example.com/emailAddress=kokoszka@ite.ww.pl
---
Server certificate
subject=/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=ldap.example.com/emailAddress=kokoszka@ite.waw.pl
issuer=/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=example.com/emailAddress=kokoszka@ite.ww.pl
---
No client certificate CA names sent
---
SSL handshake has read 1664 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 0ABB0372AD405E858FA75CECF6E8B1A3017C42A5ADA1825C9FF7E0ACCDCFD89C
Session-ID-ctx:
Master-Key: FE45BA56FC97803457B05A47252D82352EBF7A61DC953B2B0B92CC05028265DBE2BF50E92E3945672CE785DA7430AD8A
Key-Arg : None
Start Time: 1090675448
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
SSL3 alert read:warning:bad certificate
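As an added example (not from the post, OpenLDAP or OpenSSL), a small parser that reads an `openssl s_client -state` transcript like the one above and reports what its lines establish: whether the server chain verified, whether the server asked for a client certificate (the "client certificate CA names" line), and which alerts were seen. The sample transcript is a constructed, abridged copy of the quoted output, and the protocol-version check is the script's own assumption.

```python
import re
# Constructed sample: an abridged copy of the s_client -state transcript quoted in the post.
SAMPLE = """\
depth=1 /C=AU/ST=Some-State/O=ite/CN=example.com
verify return:1
depth=0 /C=AU/ST=Some-State/O=ite/CN=ldap.example.com
verify return:1
No client certificate CA names sent
Protocol : TLSv1
Verify return code: 0 (ok)
SSL3 alert read:warning:bad certificate
"""

def parse_s_client(transcript):
    """Pull the handshake facts a reviewer checks out of an s_client transcript."""
    s = {"chain": [], "client_cert_requested": None, "verify_code": None,
         "protocol": None, "alerts": []}
    pending = None  # subject of the last 'depth=' line, awaiting its 'verify return'
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := re.match(r"depth=(\d+)\s+(.*)", line):
            pending = (int(m[1]), m[2])
        elif (m := re.match(r"verify return:(\d+)", line)) and pending:
            s["chain"].append(pending + (m[1] == "1",)); pending = None
        elif line.startswith("No client certificate CA names sent"):
            s["client_cert_requested"] = False  # server sent no CertificateRequest
        elif line.startswith("Acceptable client certificate CA names"):
            s["client_cert_requested"] = True
        elif m := re.match(r"Verify return code: (\d+) \((.*)\)", line):
            s["verify_code"] = (int(m[1]), m[2])
        elif m := re.match(r"Protocol\s*:\s*(\S+)", line):
            s["protocol"] = m[1]
        elif m := re.match(r"SSL3 alert (read|write):(\w+):(.*)", line):
            s["alerts"].append((m[1], m[2], m[3]))  # (direction, level, description)
    return s

def findings(s):
    """Turn the parsed facts into the checks a defender reads off the transcript."""
    out = []
    if s["verify_code"] and s["verify_code"][0] == 0 and all(ok for *_, ok in s["chain"]):
        out.append("server certificate chain verified against the -CAfile CA")
    if s["client_cert_requested"] is False:
        out.append("server did not request a client certificate (no CA names sent)")
    for _direction, level, desc in s["alerts"]:
        if level == "warning":
            out.append(f"peer sent a warning-level '{desc}' alert; warnings do not abort the handshake")
    if s["protocol"] in ("SSLv3", "TLSv1"):  # version floor is this script's assumption
        out.append(f"negotiated {s['protocol']}, a deprecated protocol version")
    return out
```

Run `findings(parse_s_client(SAMPLE))` to get the summary list; on a live server feed it the captured stdout of `openssl s_client -connect host:636 -state -CAfile ca.pem` instead of SAMPLE.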