
TLS unknown CA
I hope someone could help me out.

SuSE Enterprise Linux Server 8
OpenLDAP 2.2.14

I have built two identical machines for LDAP client/server testing, and compiled OpenLDAP 2.2.14 from source as follows :-

env CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" \
./configure --enable-wrappers --enable-crypt --enable-slurpd --with-tls

I created two certificates using my self-signed CA, and passed the server test from the client as stated in the OpenLDAP SSL/TLS How-To :-

openssl s_client -connect server.example.com:636 -showcerts -state -CA /usr/share/ssl/cacert.pem

Client config. file /usr/local/etc/openldap/ldap.conf has the line :-

tls_cacertfile /usr/share/ssl/cacert.pem

Server config. file /usr/local/etc/openldap/slapd.conf has these lines :-

TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /etc/local/server-cert.pem
TLSCertificateKeyFile /etc/local/server-key.pem
TLSCACertificateFile /usr/share/ssl/cacert.pem

It works fine with SSL, but it failed with TLS with the following error :-

TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0 TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
It seems that the client could not locate the CA certificate tls_cacertfile, and I have copied the ldap.conf to different locations /etc/ldap.conf, /usr/local/etc/ldap.conf and /etc/local/etc/openldap/ldap.conf, but the errors are the same. I have tried the steps in the O'Reilly LDAP book and those on the newsgroup, but it does not work.

Is there anything I have done wrong?

Thanks a lot.

John