SSL3 alert read:warning:bad certificate
- To: openldap-software@OpenLDAP.org
- Subject: SSL3 alert read:warning:bad certificate
- From: Artur Kokoszka <kokoszka@ite.waw.pl>
- Date: Tue, 24 Aug 2004 15:42:33 +0200
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4.1) Gecko/20031008
Hello list
As I see, this problem is very popular on the web, but I can't find any
solution to it there.
When I use:
openssl s_server -accept 636 -cert /etc/ldap/ldapcert.pem -key /etc/ldap/ldapkey.pem
and then
openssl s_client -connect ldap.example.com:636 -showcerts -state -CAfile /etc/ldap/cacert.pem
all is OK. There are no errors.
But when I start slapd with configuration:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/ldapkey.pem
TLSCACertificateFile /etc/ldap/cacert.pem
TLSVerifyClient 0 or never
there is a line (full listing below):
SSL3 alert read:warning:bad certificate
Maybe it's OK (I'm not sure; ldapsearch with TLS works well). But
when I try to authenticate users, it is not possible. All the time
I get messages that:
No client certificate CA names sent
As I know, it means that the server certificate was not accepted.
Full result of the s_client command with slapd started:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=example.com/emailAddress=kokoszka@ite.ww.pl
verify return:1
depth=0 /C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=ldap.example.com/emailAddress=kokoszka@ite.waw.pl
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=ldap.example.com/emailAddress=kokoszka@ite.waw.pl
   i:/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=example.com/emailAddress=kokoszka@ite.ww.pl
-----BEGIN CERTIFICATE-----
MIIDmDCCAwGgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBhDELMAkGA1UEBhMCQVUx
EzARBgNVBAgTClNvbWUtU3RhdGUxDDAKBgNVBAcTA3dhcjEMMAoGA1UEChMDaXRl
MQswCQYDVQQLEwJ6OTEUMBIGA1UEAxMLZXhhbXBsZS5jb20xITAfBgkqhkiG9w0B
CQEWEmtva29zemthQGl0ZS53dy5wbDAeFw0wNDA3MjQxMjU2MzJaFw0wNTA3MjQx
MjU2MzJaMIGKMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEMMAoG
A1UEBxMDd2FyMQwwCgYDVQQKEwNpdGUxCzAJBgNVBAsTAno5MRkwFwYDVQQDExBs
ZGFwLmV4YW1wbGUuY29tMSIwIAYJKoZIhvcNAQkBFhNrb2tvc3prYUBpdGUud2F3
LnBsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnRaPqVMEvJsFAwk4QmXIA
HJXRc1y0Ba09xaMuFqBm26g/JmWi5SMl/iWm/lhP2hn3SyxuxVdXBssmHgZ3Q7sA
u19V5Rgfq6Rp9flgGlZLbhiPAuZIW87+w4FyFhI+4JTREUvTP7f9BLP0F5YQLuiM
Gr0bb9WToBnGwx9AzRxHbQIDAQABo4IBEDCCAQwwCQYDVR0TBAIwADAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
FIsYOmhy9YIRSlIwSTWwzjRZcl1wMIGxBgNVHSMEgakwgaaAFJPIS/iLtFnvwms1
V+arDYtAyyTyoYGKpIGHMIGEMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T
dGF0ZTEMMAoGA1UEBxMDd2FyMQwwCgYDVQQKEwNpdGUxCzAJBgNVBAsTAno5MRQw
EgYDVQQDEwtleGFtcGxlLmNvbTEhMB8GCSqGSIb3DQEJARYSa29rb3N6a2FAaXRl
Lnd3LnBsggEAMA0GCSqGSIb3DQEBBAUAA4GBAHeRW9oxA1IwAA18f/t4B4jtPkQN
k8fZAlsJVnispfkl6H4fYnVG7dh5gswFZQAzht0Amq9MCCt6sb68T2Y0Hjalmt4Z
tu9xNgVRddFIjRMacoGVKx6j1Otl5OWYeWnUUvxWj4S0fxLo2WtBoXvEkdNVIYaw
KqYuDDLxWwF6zxTt
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=ldap.example.com/emailAddress=kokoszka@ite.waw.pl
issuer=/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=example.com/emailAddress=kokoszka@ite.ww.pl
---
No client certificate CA names sent
---
SSL handshake has read 1664 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 0ABB0372AD405E858FA75CECF6E8B1A3017C42A5ADA1825C9FF7E0ACCDCFD89C
Session-ID-ctx:
Master-Key: FE45BA56FC97803457B05A47252D82352EBF7A61DC953B2B0B92CC05028265DBE2BF50E92E3945672CE785DA7430AD8A
Key-Arg : None
Start Time: 1090675448
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
SSL3 alert read:warning:bad certificate
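Two lines in a transcript like the one above answer different questions, and it helps to read them separately. "Verify return code: 0 (ok)" is the client's own verdict on the server certificate chain, checked against the -CAfile. "No client certificate CA names sent" is s_client reporting that the server never sent a CertificateRequest, which is exactly what slapd does with TLSVerifyClient never; it says nothing about whether the server certificate was accepted. The following parser is an added example written for this thread (it is not code from the post, from OpenLDAP or from OpenSSL) that pulls those facts out of `openssl s_client -state -showcerts` output in the OpenSSL 0.9.x format shown above, tolerates the depth=/DN lines being wrapped as they are in the quoted listing, and also handles the "Acceptable client certificate CA names" block a server prints when it does request a client certificate. The first sample is an excerpt of the posted transcript; the second is a constructed one (not from the post) for a server that demands a client certificate and a client whose CA file cannot verify the server chain.

```python
"""Parse `openssl s_client -state -showcerts` output from an LDAPS probe and report
what it proves. Added for this thread; not OpenLDAP or OpenSSL code."""
import re
from typing import Any, Dict, List

# Excerpt of the transcript quoted in the post (certificate body and SSL_connect
# state lines dropped; the wrapped depth=/DN lines are kept as they appear there).
POSTED_OUTPUT = """\
CONNECTED(00000003)
depth=1
/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=example.com/emailAddress=kokoszka@ite.ww.pl
verify return:1
depth=0
/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=ldap.example.com/emailAddress=kokoszka@ite.waw.pl
verify return:1
---
Server certificate
subject=/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=ldap.example.com/emailAddress=kokoszka@ite.waw.pl
issuer=/C=AU/ST=Some-State/L=war/O=ite/OU=z9/CN=example.com/emailAddress=kokoszka@ite.ww.pl
---
No client certificate CA names sent
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
Verify return code: 0 (ok)
---
SSL3 alert read:warning:bad certificate
"""

# Constructed transcript (not from the post): a server that does ask for a client
# certificate, as slapd does with TLSVerifyClient demand, and a client whose CA
# file could not verify the server chain.
CONSTRUCTED_DEMAND_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=AU/O=ite/CN=ldap.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Server certificate
subject=/C=AU/O=ite/CN=ldap.example.com
issuer=/C=AU/O=ite/CN=example.com
---
Acceptable client certificate CA names
/C=AU/O=ite/CN=example.com
---
Verify return code: 20 (unable to get local issuer certificate)
SSL3 alert read:fatal:handshake failure
"""

DEPTH_RE = re.compile(r"^depth=(\d+)\s*(.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
ALERT_RE = re.compile(r"^SSL3 alert (read|write):(\w+):(.+)$")
RETCODE_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$")
SESSION_RE = re.compile(r"^(Protocol|Cipher)\s*:\s*(\S+)$")


def parse_s_client(text: str) -> Dict[str, Any]:
    lines = [ln.strip() for ln in text.splitlines()]
    r: Dict[str, Any] = {"chain": [], "verify_errors": [], "server_subject": None,
                         "server_issuer": None, "client_ca_requested": False,
                         "client_ca_names": [], "alerts": [], "verify_code": None,
                         "verify_msg": None, "protocol": None, "cipher": None}
    i = 0
    while i < len(lines):
        ln = lines[i]
        if (m := DEPTH_RE.match(ln)):
            dn = m.group(2)
            if not dn and i + 1 < len(lines):  # DN wrapped onto the next line
                i += 1
                dn = lines[i]
            r["chain"].append((int(m.group(1)), dn))  # chain as the client saw it
        elif (m := VERIFY_ERR_RE.match(ln)):
            r["verify_errors"].append((int(m.group(1)), m.group(2)))
        elif ln.startswith("subject="):
            r["server_subject"] = ln[len("subject="):]
        elif ln.startswith("issuer="):
            r["server_issuer"] = ln[len("issuer="):]
        elif ln == "Acceptable client certificate CA names":
            # The server sent a CertificateRequest; the DNs up to '---' are its CA list.
            r["client_ca_requested"] = True
            i += 1
            while i < len(lines) and lines[i] != "---":
                r["client_ca_names"].append(lines[i])
                i += 1
            continue
        elif ln == "No client certificate CA names sent":
            r["client_ca_requested"] = False  # no CertificateRequest from the server
        elif (m := ALERT_RE.match(ln)):
            r["alerts"].append((m.group(1), m.group(2), m.group(3)))
        elif (m := RETCODE_RE.match(ln)):
            r["verify_code"], r["verify_msg"] = int(m.group(1)), m.group(2)
        elif (m := SESSION_RE.match(ln)):
            r[m.group(1).lower()] = m.group(2)
        i += 1
    return r


def triage(r: Dict[str, Any]) -> List[str]:
    """Findings in the order a practitioner checks them: server chain, client-cert
    request, alerts. The verdict on the server certificate is the client's own
    'Verify return code', never the client-CA line."""
    out = []
    depth = max((d for d, _ in r["chain"]), default=0)
    if r["verify_code"] == 0:
        out.append("server chain (depth %d) verified against the client's -CAfile" % depth)
    elif r["verify_code"] is not None:
        out.append("server chain NOT verified: %s" % r["verify_msg"])
    if r["client_ca_requested"]:
        out.append("server requested a client certificate; acceptable CAs: "
                   + ", ".join(r["client_ca_names"]))
    else:
        out.append("server did not request a client certificate (what slapd does with "
                   "TLSVerifyClient never), so no client-certificate auth is possible here")
    out.extend("%s alert %s by client: %s" % (lvl, d, desc) for d, lvl, desc in r["alerts"])
    return out


if __name__ == "__main__":
    for name, text in (("posted", POSTED_OUTPUT), ("constructed", CONSTRUCTED_DEMAND_OUTPUT)):
        print(name)
        for finding in triage(parse_s_client(text)):
            print("  -", finding)
```

Run it against a saved transcript by reading the file into `parse_s_client`; on the posted output it reports the chain as verified, the server as not requesting a client certificate, and the trailing warning alert as a separate item, which is the split the thread's question turns on.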