
Re: SSL3 alert read:warning:bad certificate



Tony Earnshaw wrote:

Tue, 24.08.2004 at 15:42, Artur Kokoszka wrote:
[...]



When I use:

openssl s_server -accept 636 -cert /etc/ldap/ldapcert.pem -key /etc/ldap/ldapkey.pem

and then

openssl s_client -connect ldap.example.com:636 -showcerts -state -CAfile /etc/ldap/cacert.pem

All is OK. There are no errors.
But when I start slapd with configuration:

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/ldapkey.pem
TLSCACertificateFile /etc/ldap/cacert.pem
TLSVerifyClient 0    (or never)

There is a string:

SSL3 alert read:warning:bad certificate  - full listing below

Maybe it's OK anyway (I'm not sure; ldapsearch with TLS works well). But when I try to authenticate users, it is not possible. All the time I get messages that:

No client certificate CA names sent


[...]

Since properly made certificates work for me (on several sites) and 1000
others with the above parameters, we have to look somewhere else.

As what user are you running 'openssl s_client' and 'ldapsearch'? As
what user are you running slapd? What are the permissions on
/etc/ldap/cacert.pem and the two other certs?

--Tonni


Both s_server and slapd are run by root, and in both cases the client is run by a common user.
The permissions are as follows (the /etc/ldap directory is rx for all):


-rw-r--r--    1 root     root         1237 Jul 24 14:19 cacert.pem
-rw-r--r--    1 root     root          365 Jul 23 23:37 ldap.conf
-rw-r--r--    1 root     root         3593 Jul 24 14:56 ldapcert.pem
-r--------    1 root     root         1587 Jul 24 14:50 ldapkey.pem
-rw-------    1 root     root         3747 Jul 24 14:33 slapd.conf

The LDAP client configuration is not valid in the case of s_client, but I include it below anyway.

The client configuration:

~/.ldaprc

BINDDN cn=admin,dc=example,dc=com
TLS_CACERT /etc/ldap/cacert.pem
TLS_CERT /home/artur/cert/newcert.pem
TLS_KEY /home/artur/cert/newreq.pem

ldap.conf

BASE    dc=example,dc=com
URI     ldaps://ldap.example.com
TLS_CACERT /etc/ldap/cacert.pem

Thanks for your attention
Artur
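Tonni's question above is really about whether the slapd process can read the three TLS files and whether the private key is exposed to other users. The script below is an added example, not code from the thread or from the OpenLDAP project: it takes the three slapd TLS directives, checks that a service running as a given uid can read each file (group membership is deliberately ignored, so the answer is conservative), and flags a private key whose mode lets group or other read it. The `demo()` function builds placeholder files in a temporary directory with the same modes as the listing in the post (0644 for the two certificates, 0400 for the key); the file contents are constructed and are not real PEM. One caveat for readers of the s_client output: "No client certificate CA names sent" is what s_client prints when the server did not ask for a client certificate, which is the expected behaviour with `TLSVerifyClient never`, so by itself it is not a file-permission symptom.

```python
#!/usr/bin/env python3
"""Audit the permission bits of slapd's TLS files against what the
service process needs.  Added example for the thread; not OpenLDAP code."""
import os
import stat
import tempfile
from pathlib import Path

# slapd directive -> is the file secret?  Public certificates may be
# world-readable; the private key must be owner-only (like the 0400
# ldapkey.pem in the post's listing).
ROLES = {
    "TLSCACertificateFile": False,
    "TLSCertificateFile": False,
    "TLSCertificateKeyFile": True,
}


def readable_by(st, uid):
    """Can a process running as `uid` read a file with stat result `st`?
    Group membership is ignored (assumption: the service user is not in
    the file's group), so a 'no' here is conservative."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    return bool(st.st_mode & stat.S_IROTH)


def audit_tls_files(config, service_uid):
    """config maps slapd directive name -> path.  Returns a list of
    human-readable findings; an empty list means every file is readable
    by the service uid and the private key is not exposed."""
    findings = []
    for directive, secret in ROLES.items():
        path = config.get(directive)
        if path is None:
            findings.append(f"{directive}: not set")
            continue
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{directive}: {path} does not exist")
            continue
        if not readable_by(st, service_uid):
            findings.append(
                f"{directive}: {path} is not readable by uid {service_uid}")
        if secret and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                f"{directive}: {path} mode {stat.S_IMODE(st.st_mode):04o} "
                "exposes the private key to group/other")
    return findings


def demo(key_mode=0o400, as_other_user=False):
    """Create constructed placeholder files (not real PEM) in a temp dir
    with the modes from the post's listing, then audit them either as the
    owning uid (slapd run by root, as in the thread) or as a hypothetical
    unprivileged service uid.  Returns the findings list."""
    service_uid = os.getuid() + 1 if as_other_user else os.getuid()
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for directive, name, mode in [
            ("TLSCACertificateFile", "cacert.pem", 0o644),
            ("TLSCertificateFile", "ldapcert.pem", 0o644),
            ("TLSCertificateKeyFile", "ldapkey.pem", key_mode),
        ]:
            p = Path(d, name)
            p.write_text("-----BEGIN PLACEHOLDER-----\n")  # constructed content
            os.chmod(p, mode)
            paths[directive] = str(p)
        return audit_tls_files(paths, service_uid)


if __name__ == "__main__":
    print("owner runs slapd, key 0400:", demo())
    print("other uid runs slapd, key 0400:", demo(as_other_user=True))
    print("owner runs slapd, key 0644:", demo(key_mode=0o644))
```

With the modes from the listing and slapd running as the file owner (root, as Artur says), the audit returns no findings; if slapd were instead running as an unprivileged user, the 0400 key would be the one file it cannot read, which is the case Tonni's question is designed to catch.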