Re: LDAP and SSL
- To: openldap-software@OpenLDAP.org
- Subject: Re: LDAP and SSL
- From: Chasecreek Systemhouse <chasecreek.systemhouse@gmail.com>
- Date: Wed, 1 Dec 2004 01:57:22 -0500
- In-reply-to: <m3653mr1ck.fsf@marin.l4b.de>
On Wed, 01 Dec 2004 07:15:07 +0100, Dieter Kluenter <dieter@dkluenter.de> wrote:
> As you are using Debian, AFAIK Debian openldap packages are compiled
> with gnuTLS and not with openssl.
Debian 3.1 main/testing section
Making sure that my LDAP database was created with the correct DN, I used
this series of steps to create the certs with the correct CN:
mkdir -p /var/myCA
cd /var/myCA
rm -fR /var/myCA/*
# Create a new CA (interactive: CA.sh prompts for the CA's DN and passphrase)
CA.sh -newca
# Server key (1024-bit RSA, unencrypted because of -nodes) and CSR, both
# written to the same file, which is what CA.sh -sign reads
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
# Sign newreq.pem with the CA; the certificate is written to newcert.pem
CA.sh -sign
CA.sh -verify
#############
# Server side
# DER copy of the CA certificate for clients that cannot read PEM
openssl x509 -in cacert.pem -outform DER -out cacert.der
rm -f /etc/ldap/cacert.der
rm -f /etc/ldap/cacert.pem
rm -f /etc/ldap/servercrt.pem
rm -f /etc/ldap/serverkey.pem
cp /var/myCA/cacert.pem /etc/ldap/cacert.pem
cp /var/myCA/cacert.der /etc/ldap/cacert.der
mv /var/myCA/newcert.pem /etc/ldap/servercrt.pem
# newreq.pem still holds the CSR together with the private key
mv /var/myCA/newreq.pem /etc/ldap/serverkey.pem
chmod 0400 /etc/ldap/serverkey.pem
#############
# Client side
cd /var/myCA
# Client key (size taken from openssl.cnf) and CSR, again in one file
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
CA.sh -sign
CA.sh -verify
# Install the client key onto the client LDAP software.
mkdir -p ~/certs/keys
rm -f ~/certs/ldap.client.pem
rm -f ~/certs/keys/ldap.client.key.pem
mv newcert.pem ~/certs/ldap.client.pem
mv newreq.pem ~/certs/keys/ldap.client.key.pem
chmod 0400 ~/certs/keys/ldap.client.key.pem
Now, I think I got it working; it is dog slow in getting TLS/SSL
going, but here is the output:
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify return:1
depth=0 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
  i:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
-----BEGIN CERTIFICATE-----
MIIEsjCCBBugAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCVVMx
...
sx11ZZKX
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
issuer=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
---
No client certificate CA names sent
---
SSL handshake has read 1706 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 7B63DDE5D20305550F3C34684D272CC2DCBEE5A55E8C0BFE679568B5E1A67815
Session-ID-ctx:
Master-Key: 102CBCDA213A74787B189533ECD0EBB50540ECAE37ABE61BFE2D878512AEA790BE67752AE24D5AC533B9199D2F7CBDA7
Key-Arg : None
Start Time: 1101882671
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
What WinXP-based client software can be used to test TLS/SSL? I have
been using JXplorer -- any suggestions would be most welcome.
--
WC -Sx- Jones
http://insecurity.org/
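The CA and certificate steps in the post above, redone as an added example that is not part of the original message, of OpenLDAP or of Debian. Two things stand out in the posted s_client output: the subject and issuer DNs at depth 0 are identical (the CA was created with the same DN as the server, so the server certificate looks self-signed even though it chains to a separate CA key), and the hostname lives only in the CN, whereas clients match it against subjectAltName first. The script below uses plain openssl commands instead of CA.sh, gives the CA its own DN, puts the hostname in a SAN, and then runs the checks worth doing before copying anything into /etc/ldap: chain verification (what "Verify return code: 0 (ok)" means once -CAfile is supplied), hostname match, subject/issuer distinctness, key/certificate pairing, and the 0400 mode on the key. The names "Example Org Test CA" and ldap.example.test, the file names (chosen to mirror the post's cacert.pem, servercrt.pem and serverkey.pem) and an OpenSSL 1.1 or later command line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway CA whose
# DN differs from the server's, issues a server certificate with the hostname
# in a subjectAltName, and runs the checks worth doing before the files are
# copied into /etc/ldap. "Example Org Test CA" and ldap.example.test are
# assumptions made for this example.
set -eu

# Minimal OpenSSL config: one section for the CA certificate and one for the
# server certificate, so neither depends on the system openssl.cnf.
write_config() {            # $1 = output file
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# CA key + self-signed CA cert, server key + CSR, then the CA signs the CSR.
make_test_pki() {           # $1 = output directory
    write_config "$1/openssl.cnf"
    openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/O=Example Org/CN=Example Org Test CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" \
        -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=ldap.example.test" \
        -keyout "$1/serverkey.pem" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -days 2 -sha256 -extfile "$1/openssl.cnf" -extensions v3_server \
        -out "$1/servercrt.pem" 2>/dev/null
    chmod 0400 "$1/cakey.pem" "$1/serverkey.pem"
}

# Does the server certificate chain to the CA? This is what s_client's
# "Verify return code: 0 (ok)" reports once -CAfile is supplied.
check_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/servercrt.pem" >/dev/null 2>&1; }

# Does the certificate match the hostname ($2) the client will connect to?
check_hostname() { openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/servercrt.pem" >/dev/null 2>&1; }

# Subject and issuer should differ; identical DNs make the server certificate
# indistinguishable from a self-signed one in verification output.
distinct_dns() {
    s=$(openssl x509 -noout -subject -in "$1/servercrt.pem"); s=${s#*=}
    i=$(openssl x509 -noout -issuer  -in "$1/servercrt.pem"); i=${i#*=}
    [ "$s" != "$i" ]
}

# The key moved into place must be the one the certificate was issued for.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1/servercrt.pem")" = \
      "$(openssl rsa  -noout -modulus -in "$1/serverkey.pem" 2>/dev/null)" ]
}

# Private key readable by its owner only (mode 0400), as in the posted steps.
key_is_private() { [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]; }

demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
check_chain "$demo_dir"                         && echo "chain:    servercrt.pem verifies against cacert.pem"
check_hostname "$demo_dir" ldap.example.test    && echo "hostname: ldap.example.test matches the SAN"
! check_hostname "$demo_dir" other.example.test && echo "hostname: other.example.test is rejected"
distinct_dns "$demo_dir"                        && echo "names:    server subject differs from its issuer"
cert_matches_key "$demo_dir"                    && echo "key:      servercrt.pem and serverkey.pem belong together"
key_is_private "$demo_dir/serverkey.pem"        && echo "perms:    serverkey.pem is mode 0400"
rm -rf "$demo_dir"
```

Run it as an ordinary shell script; it needs only openssl and writes into a temporary directory that it removes afterwards. To point a real slapd at the output, copy cacert.pem, servercrt.pem and serverkey.pem into place exactly as the posted steps do, and keep the CSR out of the key file so that the key file holds nothing but the key.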