Re: LDAP and SSL
In response to questions by another list reader -
> 2: 'man s_server': do 'openssl s_server -accept 390 -cert
> /path/to/server-public-cert -key /path/to/server-private-key -CAfile
> /path/to/CA-cert www' and point a browser at https://yourserver:390 and
> see what the browser feeds back. Look at the different debug options for
> s_server;
(I posted the output of this to the openldap-software listserv already.)
> 3: 'man s_client': if that works, do 'openssl s_client -connect
> localhost:390'
Tested:
debian:/etc/ssl# openssl s_client -connect localhost:390
CONNECTED(00000003)
depth=0 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
i:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEwzCCBCygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCVVMx
... blah blah ...
eT/41rpZUObT4uQfS/C44uHqteI5SB0=
-----END CERTIFICATE-----
subject=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
issuer=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
---
No client certificate CA names sent
---
SSL handshake has read 1659 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2FED925EDE9DD6093322187CC0AB0D99F66B9396A1189515EA5DCA5EB9755D59
Session-ID-ctx:
Master-Key:
2AFC0783F832D85C83848568C2063C7C64D5BF65EB42B46003C3C77504F37D40ADCE5E85338E3D59F86FB4002EB84A81
Key-Arg : None
Start Time: 1101754395
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
This is where I am...
> The above two should indicate a. whether your certs are good, then check
> the perms on server-cert and server-key - can the slapd user read the
> path? Can *everyone* read the path to the CA-cert?
Yes, the CACert is publicly readable.
> Did you make the certs so that the Subject is the FQDN of your machine
> as given by 'hostname -f'?
I created the certs as best I could to match (hostname -f)
debian.insecurity.org -
publicly seen as 68.214.83.106 and privately seen as 192.168.2.2
--
WC -Sx- Jones
http://insecurity.org/
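The s_client run in the message above was made without -CAfile, so OpenSSL validated the server certificate against its default trust store, where a private CA is never found: error 20 (unable to get local issuer certificate) and then 21 (unable to verify the first certificate) are the expected result of that, not proof that the certificate itself is bad. Note also that the transcript shows an identical subject and issuer DN yet reports 20 rather than 18 (self signed certificate), so OpenSSL did not treat the certificate as self-signed; it went looking for an issuer with that DN and did not have one. The following script is an added example, not part of the original thread, that reproduces the same failure offline with `openssl verify` and shows the two checks worth running before touching slapd: verify with the CA file, and confirm the server certificate's issuer DN is exactly the CA's subject DN. The working directory, DNs and file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the "error 20 / 21"
# seen with s_client and show how naming the CA resolves it.
# All DNs and file names below are assumptions for the example.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Build a private CA and a server certificate signed by it. The CA gets a DN
# of its own; the server cert's CN is what `hostname -f` would print (assumed).
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/C=US/O=Example CA/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=Example/CN=ldap.example.org" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# What `openssl s_client` without -CAfile effectively does: verify against the
# default store only. Prints the "error 20 ... unable to get local issuer
# certificate" line for a cert issued by a private CA.
verify_without_ca() {
    openssl verify "$WORK/server.crt" 2>&1
}

# The check the server cert must pass before slapd can be expected to work:
# prints "<path>: OK" when the chain builds to the named CA.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" 2>&1
}

# Issuer DN of the server cert and subject DN of the CA. OpenSSL locates the
# issuer by subject name, so these two strings must match exactly.
issuer_dn() {
    openssl x509 -noout -issuer -in "$WORK/server.crt" | sed 's/^issuer= *//'
}
ca_subject_dn() {
    openssl x509 -noout -subject -in "$WORK/ca.crt" | sed 's/^subject= *//'
}

# Stand-alone demonstration.
make_certs
echo "--- verify without -CAfile (as in the s_client run above):"
verify_without_ca || true
echo "--- verify with -CAfile:"
verify_with_ca
echo "server cert issuer: $(issuer_dn)"
echo "CA subject:         $(ca_subject_dn)"
```

Once `verify_with_ca` reports OK, repeat the live test as `openssl s_client -connect localhost:390 -CAfile /path/to/CA-cert` and look for `Verify return code: 0 (ok)` in place of 21; if s_client still fails with the CA named, the certificate slapd is serving is not the one that was just verified, or its issuer DN differs from the CA's subject DN.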