[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP and SSL

On Wed, 01 Dec 2004 07:15:07 +0100, Dieter Kluenter <dieter@dkluenter.de> wrote:

> As you are using Debian, AFAIK Debian openldap packages are compiled
> with gnuTLS and not with openssl.

Debian 3.1 main/testing section

Making sure that my LDAP database was created with the correct DN; and
using this series of steps to create the certs with the correct CN:

mkdir -p /var/myCA
cd /var/myCA
rm -fR /var/myCA/*

CA.sh -newca

openssl req -newkey rsa:1024 -nodes -keyout newreq.pem
-out newreq.pem

CA.sh -sign
CA.sh -verify

#############
# Server side
openssl x509 -in cacert.pem -outform DER -out
cacert.der
rm -f /etc/ldap/cacert.der
rm -f /etc/ldap/cacert.pem
rm -f /etc/ldap/servercrt.pem
rm -f /etc/ldap/serverkey.pem
cp /var/myCA/cacert.pem /etc/ldap/cacert.pem
cp /var/myCA/cacert.der /etc/ldap/cacert.der
mv /var/myCA/newcert.pem /etc/ldap/servercrt.pem
mv /var/myCA/newreq.pem /etc/ldap/serverkey.pem
chmod 0400 /etc/ldap/serverkey.pem

#############
# Client side
cd /var/myCA
openssl req -new -nodes -keyout newreq.pem -out
newreq.pem
CA.sh -sign
CA.sh -verify

# Install the client key onto the client LDAP
software.

mkdir -p ~/certs/keys
rm -f ~/certs/ldap.client.pem
rm -f ~/certs/keys/ldap.client.key.pem
mv newcert.pem ~/certs/ldap.client.pem
mv newreq.pem ~/certs/keys/ldap.client.key.pem
chmod 0400 ~/certs/keys/ldap.client.key.pem


Now, I think I got it working; it is dog slow in getting TLS/SSL
going, but here is the output:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify return:1
depth=0 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
   i:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
-----BEGIN CERTIFICATE-----
MIIEsjCCBBugAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCVVMx
...
sx11ZZKX
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
issuer=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
---
No client certificate CA names sent
---
SSL handshake has read 1706 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7B63DDE5D20305550F3C34684D272CC2DCBEE5A55E8C0BFE679568B5E1A67815
    Session-ID-ctx: 
    Master-Key:
102CBCDA213A74787B189533ECD0EBB50540ECAE37ABE61BFE2D878512AEA790BE67752AE24D5AC533B9199D2F7CBDA7
    Key-Arg   : None
    Start Time: 1101882671
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


What WinXP-based client software can be used to test TLS/SSL ?  I have
been using JXplorer -- any suggestions would be most welcome.

-- 
WC -Sx- Jones
http://insecurity.org/