
Re: LDAP and SSL



On Tue, 30 Nov 2004 11:47:48 +0100, Tony Earnshaw <tonye@billy.demon.nl> wrote:

>  Certificate chain
>  0 s:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Beheer/CN=localhost/emailAddress=postmaster@billy.demon.nl
>    i:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Beheer/CN=tru/emailAddress=postmaster@billy.demon.nl
>  1 s:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Beheer/CN=tru/emailAddress=postmaster@billy.demon.nl
>    i:/C=NL/ST=Zuidholland/L=Nieuwveen/O=Billy/OU=Beheer/CN=tru/emailAddress=postmaster@billy.demon.nl
> 
> See the "s" lines? CN should reflect the FQDN of your host (instead of
> what I have).


How about this test:

debian:~# openssl s_server -accept 390 -cert /etc/ldap/servercrt.pem
-key /etc/ldap/serverkey.pem -CAfile /etc/ldap/cacert.pem -www &
[1] 3021
debian:~# Using default temp DH parameters
ACCEPT

debian:~# openssl s_client -connect 192.168.2.2:390 -showcerts -state
-CAfile /etc/ldap/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify return:1
depth=0 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
   i:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
-----BEGIN CERTIFICATE-----
MIIEwzCCBCygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCVVMx
...deleted ...
UHr7crTK4JysKQ71oMlYpBqx64ecSvA=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
issuer=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
---
No client certificate CA names sent
---
SSL handshake has read 1659 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: F2907D1DE50173353863871E7DD83750ADAEAE0FA5CC16E3453BCB1A66DB302C
    Session-ID-ctx: 
    Master-Key:
E7DE1B7F4FFC9D9C8507B1C647C23266FF9D65A509F6E6F9B2109B4170CD71C37993AD0A6B726093333266DA57156AE8
    Key-Arg   : None
    Start Time: 1101822372
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


-- 
WC -Sx- Jones
http://insecurity.org/
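An added example, not part of either post: a small Python parser for an `openssl s_client -showcerts` transcript like the one above, which turns the transcript into the three checks a reviewer would actually want answered. `Verify return code: 0 (ok)` only says the chain validated against whatever was passed as `-CAfile`; it does not say that the CN names the host you connected to (Tony's point; the transcript connects to 192.168.2.2 while the CN is `debian.insecurity.org`), nor does it flag that the depth-0 `s:` and `i:` lines are identical, i.e. the server certificate is its own issuer. The sample transcript is constructed here, modeled on the post's output with its DN fields but with the mailer's line wrapping undone (the parser assumes one DN per line, as `s_client` itself prints). The function names are my own; nothing here is OpenLDAP or OpenSSL code.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output, modeled on the
# transcript in the post. The DN fields and values are the post's; the
# certificate body is truncated to one line. This is not a live capture.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
   i:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
-----BEGIN CERTIFICATE-----
MIIEwzCCBCygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCVVMx
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
issuer=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
---
SSL handshake has read 1659 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
"""

# " 0 s:/C=..." subject line of the chain dump, followed by "   i:/C=..." issuer line.
SUBJECT_LINE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VERIFY_CODE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")
KEY_BITS = re.compile(r"Server public key is (\d+) bit")
PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)


def parse_dn(dn):
    """Split an OpenSSL one-line DN (/C=US/O=X/O=Y/CN=host) into attr -> [values].

    Values are lists because an attribute may repeat; the post's DN has two O= entries.
    """
    attrs = {}
    for part in dn.strip().split("/"):
        if "=" not in part:
            continue  # skips the empty token before the leading "/"
        key, value = part.split("=", 1)
        attrs.setdefault(key, []).append(value)
    return attrs


def parse_chain(text):
    """Return [(subject_dn, issuer_dn), ...] in the order s_client prints the chain."""
    chain = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = SUBJECT_LINE.match(line)
        if not m:
            continue
        issuer = ""
        if idx + 1 < len(lines):
            mi = ISSUER_LINE.match(lines[idx + 1])
            if mi:
                issuer = mi.group(1)
        chain.append((m.group(2), issuer))
    return chain


def assess(text, expected_host):
    """Summarise a transcript: verify code, leaf CN, self-issued leaf, and what a reviewer should flag."""
    chain = parse_chain(text)
    leaf_subject, leaf_issuer = chain[0] if chain else ("", "")
    cns = parse_dn(leaf_subject).get("CN", [])
    m_code = VERIFY_CODE.search(text)
    verify_code = int(m_code.group(1)) if m_code else None
    m_bits = KEY_BITS.search(text)
    key_bits = int(m_bits.group(1)) if m_bits else None
    m_proto = PROTOCOL.search(text)
    self_signed = bool(chain) and leaf_subject == leaf_issuer

    findings = []
    if verify_code != 0:
        findings.append(f"chain did not verify against -CAfile (code {verify_code})")
    # Exact CN comparison only: s_client of this era prints no SAN, and the post's
    # question is whether the CN is the FQDN. Wildcards are deliberately not handled.
    if expected_host.lower() not in [cn.lower() for cn in cns]:
        findings.append(f"leaf CN {cns} does not name the host connected to ({expected_host})")
    if self_signed:
        findings.append("leaf certificate is self-issued (s: == i:); 'verify ok' means only that it is itself in -CAfile")
    if key_bits is not None and key_bits < 2048:
        findings.append(f"server key is only {key_bits} bits")

    return {
        "verify_code": verify_code,
        "protocol": m_proto.group(1) if m_proto else None,
        "leaf_cn": cns,
        "chain_length": len(chain),
        "self_signed": self_signed,
        "key_bits": key_bits,
        "findings": findings,
    }


if __name__ == "__main__":
    # The post connected by IP address, so the CN cannot match the endpoint.
    for line in assess(SAMPLE_OUTPUT, "192.168.2.2")["findings"]:
        print("-", line)
```

Run against the constructed transcript with `192.168.2.2` as the endpoint, it reports three things: the CN does not name the host connected to, the leaf is self-issued, and the key is 1024 bits; with `debian.insecurity.org` as the endpoint the CN finding goes away and the other two remain. Feeding it a real transcript captured with `openssl s_client ... -showcerts > out.txt` works as long as the output is not re-wrapped by a mail client.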