[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problems with TLS on OpenBSD

To: ho@risks.de
Subject: Re: Problems with TLS on OpenBSD
From: Greg Matthews <gmatt@nerc.ac.uk>
Date: Mon, 27 Sep 2004 16:29:49 +0100
Cc: openldap <openldap-software@OpenLDAP.org>
In-reply-to: <38014.217.237.184.18.1096295573.squirrel@217.237.184.18>
Organization: iTSS
References: <38014.217.237.184.18.1096295573.squirrel@217.237.184.18>

On Mon, 2004-09-27 at 15:32, Heiner Ohm wrote:
> TLSCertificateFile /etc/openldap/server.pem
> TLSCertificateKeyFile /etc/openldap/server.pem

this looks wrong - the key file is the secret key and the certificate
file is the public certificate - you dont want to be publishing your
private key!

> TLSVerifyClient never
> 
> in my slapd.conf. The slapd starts without Problems and works fine with
> non-ssl connections but when i try to use TLS the following debug message
> appears (slapd -u slapd -g slapd -d 256):
> 
> conn=1 fd=15 ACCEPT from IP=10.10.10.1:33552 (IP=0.0.0.0:389)
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
> conn=1 fd=15 closed
> 
> 
> Does anyone know where my failure is?

you also need something like:
TLSCACertificateFile /etc/openldap/cacert.pem
 
which is the certificate of your Certificate Authority. See the error
"unknown ca".

GREG

> 
> 
> Regards,
> 
> Heiner Ohm
-- 
Greg Matthews
iTSS Wallingford	01491 692445

References:
- Problems with TLS on OpenBSD
  - From: "Heiner Ohm" <ho@risks.de>

Prev by Date: Re: [REPOST] Getting OpenLDAP on RedHat AS3 working properly
Next by Date: syncrepl consumer is not honoring authcid
Index(es):
- Chronological
- Thread