Re: SSL3 alert read:warning:bad certificate
Tony Earnshaw wrote:
Tue, 24.08.2004 at 15.42, Artur Kokoszka wrote:
[...]
When I use :
openssl s_server -accept 636 -cert /etc/ldap/ldapcert.pem -key
/etc/ldap/ldapkey.pem
and then
openssl s_client -connect ldap.example.com:636 -showcerts -state -CAfile
/etc/ldap/cacert.pem
All is OK. There are no errors.
But when I start slapd with configuration:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/ldapkey.pem
TLSCACertificateFile /etc/ldap/cacert.pem
TLSVerifyClient 0 or never
There is a string:
SSL3 alert read:warning:bad certificate - full listing below
Maybe it is OK (I'm not sure; ldapsearch with TLS works fine). But
when I try to authenticate users, it is not possible. All the time
I get messages that:
No client certificate CA names sent
[...]
Since properly made certificates work for me (on several sites) and 1000
others with the above parameters, we have to look somewhere else.
As what user are you running 'openssl s_client' and 'ldapsearch'? As
what user are you running slapd? What are the permissions on
/etc/ldap/cacert.pem and the two other certs?
--Tonni
Both s_server and slapd are run by root, and in both cases the client
is run by a common user.
The permissions are (the /etc/ldap directory is rx for all)
-rw-r--r-- 1 root root 1237 Jul 24 14:19 cacert.pem
-rw-r--r-- 1 root root 365 Jul 23 23:37 ldap.conf
-rw-r--r-- 1 root root 3593 Jul 24 14:56 ldapcert.pem
-r-------- 1 root root 1587 Jul 24 14:50 ldapkey.pem
-rw------- 1 root root 3747 Jul 24 14:33 slapd.conf
The LDAP client configuration is not valid in the case of s_client, but I
put it below as well.
The client configuration:
~/.ldaprc
BINDDN cn=admin,dc=example,dc=com
TLS_CACERT /etc/ldap/cacert.pem
TLS_CERT /home/artur/cert/newcert.pem
TLS_KEY /home/artur/cert/newreq.pem
ldap.conf
BASE dc=example,dc=com
URI ldaps://ldap.example.com
TLS_CACERT /etc/ldap/cacert.pem
Thanks for your attention
Artur
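The checks a reader would run on the setup above, as an added example that is not part of the thread: it interprets an `openssl s_client -state -showcerts -CAfile ...` transcript (a server with `TLSVerifyClient never` never sends a CertificateRequest, so s_client reports "No client certificate CA names sent" even when everything is fine; real chain problems appear as "verify error:" lines), checks an `ls -l` line for the private key against the user slapd runs as, and, where openssl is installed, verifies the server certificate against the CA and confirms the key matches the certificate. The file paths are the ones posted; the function names and the sample transcript are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths are the ones posted;
# function names and the sample s_client transcript are assumptions.

# 1. Classify an s_client transcript read from stdin.
#    "verify error:" lines (chain did not validate against -CAfile) take
#    precedence; otherwise report whether the server asked for a client
#    certificate. With TLSVerifyClient never it does not, and the
#    "No client certificate CA names sent" line is then the normal case.
classify_s_client() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'verify error:'; then
        echo verify-failed
    elif printf '%s\n' "$transcript" | grep -q 'Acceptable client certificate CA names'; then
        echo client-cert-requested
    elif printf '%s\n' "$transcript" | grep -q 'No client certificate CA names sent'; then
        echo no-client-cert-requested
    else
        echo unknown
    fi
}

# 2. Check one `ls -l` line for a private key: the owner must be the user
#    slapd runs as, and group/other must have no permission bits at all.
#    usage: key_line_ok "<ls -l line>" <expected-owner>
key_line_ok() {
    line=$1; want=$2
    set -- $line                     # split the ls line into fields
    mode=$1; owner=$3
    perms=${mode#?}                  # drop the file-type character
    rest=${perms#???}                # drop the owner triplet, keep group+other
    [ "$owner" = "$want" ] && [ "$rest" = "------" ]
}

# 3. With openssl present: verify the server certificate against the CA
#    file slapd uses, then confirm the key file carries the same public key
#    as the certificate (a mismatched pair is a common "bad certificate").
#    usage: check_server_pair <cert> <key> <cafile>
check_server_pair() {
    command -v openssl >/dev/null || { echo "openssl not installed" >&2; return 2; }
    openssl verify -CAfile "$3" "$1" >/dev/null || return 1
    certpub=$(openssl x509 -noout -pubkey -in "$1")
    keypub=$(openssl pkey -pubout -in "$2")
    [ "$certpub" = "$keypub" ]
}

# Constructed transcript fragment (assumed shape, not output from the
# poster's host): chain verified, server did not request a client cert.
SAMPLE_S_CLIENT='depth=1 CN = Example CA
verify return:1
depth=0 CN = ldap.example.com
verify return:1
---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 456 bytes
Verify return code: 0 (ok)'

# Run with "demo" as the first argument to exercise the checks by hand.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_S_CLIENT" | classify_s_client
    key_line_ok '-r-------- 1 root root 1587 Jul 24 14:50 ldapkey.pem' root \
        && echo "key permissions ok for root"
    check_server_pair /etc/ldap/ldapcert.pem /etc/ldap/ldapkey.pem /etc/ldap/cacert.pem \
        && echo "cert, key and CA are consistent"
fi
```

Against a live server the transcript comes from `openssl s_client -connect ldap.example.com:636 -state -showcerts -CAfile /etc/ldap/cacert.pem </dev/null | classify_s_client`; a result of `no-client-cert-requested` is consistent with `TLSVerifyClient never`, so a client certificate in `~/.ldaprc` is never consulted and the bind must succeed by password instead.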