
openldap and ssl



Dear gentlemen,

As you may know by now, I am trying hard to get SSL with OpenLDAP working
nicely. But I must be doing something most stupid, because for three days
I have not been able to get it working.

In my desperation I decided to try the same certificate I signed for
OpenLDAP (I am my own CA). But it does not work either.

So, I respectfully request your help, if possible, in my challenge.

Here is the complete sequence of commands I issued:

The first one is to build my own CA certificate, the latter two to build
the OpenLDAP and Apache certs (they are on the same box).

$ openssl req -new -x509 -keyout pvt/ca-key.pem -keyform PEM \
    -out ca-crt.pem -outform PEM -days 3650

$ openssl req -new -nodes -keyout key.pem -out csr.pem
$ openssl ca -policy policy -out crt.pem -infiles csr.pem

My openssl.conf is attached.

I know I must be doing something very stupid, something an experienced
person could detect easily. So if possible, would you PLEASE help me.

Thanks a lot for your time and cooperation,

best regards.

PS: Log errors:

OpenLdap:
...
...
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 33                                              .3
TLS: can't accept.
TLS: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052



Apache :
[08/Jan/2005 19:15:02 26426] [info]  Connection to child 0 established (server etosha.fesv.br:443, client 192.168.1.254)
[08/Jan/2005 19:15:02 26426] [info]  Seeding PRNG with 1160 bytes of entropy
[08/Jan/2005 19:15:04 26426] [error] SSL handshake failed (server etosha.fesv.br:443, client 192.168.1.254) (OpenSSL library error follows)
[08/Jan/2005 19:15:04 26426] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

Attachment: ca.cnf
Description: Binary data

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md4WithRSAEncryption
        Issuer: C=BR, ST=Esp\xEDrito Santo, L=Vit\xF3ria, O=Sociedade de Ensino Superior Est\xE1cio de S\xE1, OU=Faculdade Est\xE1cio de S\xE1 Vit\xF3ria, CN=Certification Authority Office/emailAddress=gustavo.rios@fesv.br
        Validity
            Not Before: Jan  8 21:14:23 2005 GMT
            Not After : Jan  8 21:14:23 2006 GMT
        Subject: C=BR, ST=Esp\xEDrito Santo, L=Vit\xF3ria, O=Sociedade de Ensino Superior Est\xE1cio de S\xE1, OU=Faculdade Est\xE1cio de S\xE1 Vit\xF3ria, CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Certificate issued by https://etosha.fesv.br/ssl/
            X509v3 Subject Key Identifier: 
                53:0F:A3:B1:19:C8:67:E3:80:C4:B4:E2:14:A1:B0:7E:7F:19:D4:9A
            X509v3 Authority Key Identifier: 
                keyid:18:D1:83:52:0C:9D:44:84:98:61:57:0B:98:E0:30:3A:37:56:D0:D6
                DirName:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1 Vit\xF3ria/CN=Certification Authority Office/emailAddress=gustavo.rios@fesv.br
                serial:00

    Signature Algorithm: md4WithRSAEncryption
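A reading aid for the two error logs in the post, added here and not part of the original message: this Python sketch decodes the alert record in the slapd hex dump and the packed OpenSSL error codes, then checks the two certificate fields the logs point at. The function names are made up for this example, and the error-code layout assumed is the one used by OpenSSL 0.9.x/1.x.

```python
import re

# Alert numbers that occur in this post's logs (RFC 2246, section 7.2).
ALERTS = {42: "bad_certificate", 51: "decrypt_error"}
LEVELS = {1: "warning", 2: "fatal"}
WEAK_DIGESTS = ("md2", "md4", "md5", "sha1")
DUMP = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}\s{1,2})+)", re.I)

# Copied from the post: slapd hex dump lines, both OpenSSL error codes,
# and two fields of the certificate dump (Subject abridged to C and CN).
SLAPD_DUMP = ["  0000:  15 03 01 00 02                                     .....",
              "  0000:  02 33                                              .3"]
ERROR_CODES = {"slapd": "1409441B", "apache": "14094412"}
CERT_TEXT = """Signature Algorithm: md4WithRSAEncryption
Subject: C=BR, CN=etosha.fesv.br"""

def dump_bytes(line):
    """Bytes from one slapd 'OOOO:  xx xx ...' hex dump line."""
    m = DUMP.match(line)
    return bytes.fromhex(m.group(1)) if m else b""

def decode_alert(header, body):
    """Decode a 5-byte TLS record header followed by a 2-byte alert."""
    if (len(header) != 5 or header[0] != 0x15      # 0x15 = alert record
            or header[3:5] != b"\x00\x02" or len(body) != 2):
        return None  # not a plaintext alert record
    return {"version": (header[1], header[2]), "level": LEVELS.get(body[0], "unknown"),
            "alert": ALERTS.get(body[1], str(body[1]))}

def decode_error(code_hex):
    """Unpack an OpenSSL error code: lib (8 bits), func (12), reason (12)."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    # libssl (lib 20) reports an alert RECEIVED from the peer as 1000 + number.
    peer_alert = ALERTS.get(reason - 1000) if lib == 20 and reason > 1000 else None
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": peer_alert}

def cert_findings(cert_text, server_name):
    """Check `openssl x509 -text` output for a weak digest and a CN mismatch."""
    alg = re.search(r"Signature Algorithm:\s*(\S+)", cert_text).group(1)
    cn = re.search(r"Subject:.*?CN=([^/,\s]+)", cert_text).group(1)
    weak = alg.lower().startswith(WEAK_DIGESTS)
    return {"sig_alg": alg, "weak_digest": weak,
            "cn_matches": cn.lower() == server_name.lower()}

if __name__ == "__main__":
    print(decode_alert(*map(dump_bytes, SLAPD_DUMP)))
    print({name: decode_error(code) for name, code in ERROR_CODES.items()})
    print(cert_findings(CERT_TEXT, "etosha.fesv.br"))
```

Both codes decode to alerts received from the peer, so in each case it is the client that rejects the server certificate. The checks that follow from that are whether the client trusts ca-crt.pem and whether it accepts a certificate signed with MD4, since the CN already matches the server name.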