[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap and ssl

To: Tony Earnshaw <tonye@billy.demon.nl>
Subject: Re: openldap and ssl
From: Gustavo Rios <vieira.rios@gmail.com>
Date: Sun, 9 Jan 2005 12:18:19 -0200
Cc: openldap-software@OpenLDAP.org
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=kKdCV+7gw60YPzXE7WihK/FPaT4u+sUh/3Ikgi1d7cseEiFx4HhA0qdyZndCVEjl1GAKbhqDrsNb2GiHWKoAceF8olIQQL74rdWc0fUrgfRSJJYdP1NisXq8I6Tea/b4AyTFf/cVurj72aIp/A+h8nXPcO6i6YC6WKVQQlcLGDA=
In-reply-to: <44242.192.168.1.10.1105276850.squirrel@sqm.intern>
References: <77c28e74050108133670839fbc@mail.gmail.com> <44242.192.168.1.10.1105276850.squirrel@sqm.intern>

Dear gentleman,

CN is the complain apache does only when i try to access by means of
netscape, MS I.E. works nicely.

And about openldap error?

What do you have to say ?

Thanks once more for your time and cooperation.

Best regards.


On Sun, 9 Jan 2005 14:20:50 +0100 (CET), Tony Earnshaw
<tonye@billy.demon.nl> wrote:
> Gustavo Rios:
> 
> > as you may know now, i am trying hard to get ssl with openldap working
> > nicely. But i must be doing something must stupid cause for three days i
> > cannot get it working.
> 
> The *last* entry in your log snippet tells you quite plainly where you're
> going wrong (the server Subject CN has to be the same as the FQDN hostname
> as found by gethostbyname() name of server or 'hostname -f' on Linux).
> Please do read Kent Soper's HOWTO, referenced enough on this list.
> 
> --Tonni
> 
> 
> > In me desperation i decide to try the same certificate i sign for
> > openldap ( i am my own CA). But it does not work too.
> >
> > So, i respectfully request your help, if possible, in my challenge.
> >
> >
> > Here is the complete sequence of commands i issued:
> >
> >
> > The first one to build my own CA certificate, the later two to build
> > the openldap and apache certs (there are in the same box).
> >
> > $ openssl req -new -x509 -keyout pvt/ca-key.pem -keyform PEM -out
> > ca-crt.pem -outform PEM -days 3650
> >
> > $ openssl req -new -nodes -keyout key.pem -out csr.pem
> > $ openssl ca -policy policy -out crt.pem -infiles csr.pem
> >
> >
> > My openssl.conf goes attached.
> >
> >
> > I known i must be doing something very stupid, something a experienced
> > one could detected easy. So if possible, would you PLEASE help me.
> >
> > Thanks a lot for your time and cooperation,
> >
> >
> > best regards.
> >
> > PS: Log errors:
> >
> >
> > OpenLdap:
> > ...
> > ...
> > tls_read: want=5, got=5
> > 0000:  15 03 01 00 02                                     .....
> > tls_read: want=2, got=2
> > 0000:  02 33                                              .3
> > TLS: can't accept.
> > TLS: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt
> > error /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
> >
> >
> >
> > Apache :
> > [08/Jan/2005 19:15:02 26426] [info]  Connection to child 0 established
> > (server etosha.fesv.br:443, client 192.168.1.254)
> > [08/Jan/2005 19:15:02 26426] [info]  Seeding PRNG with 1160 bytes of
> > entropy [08/Jan/2005 19:15:04 26426] [error] SSL handshake failed (server
> > etosha.fesv.br:443, client 192.168.1.254) (OpenSSL library error
> > follows) [08/Jan/2005 19:15:04 26426] [error] OpenSSL: error:14094412:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
> > in certificate not server name or identical to CA!?]
> 
> 
> --
> mail: tonye@billy.demon.nl
> http://www.billy.demon.nl
> 
>

Follow-Ups:
- Re: openldap and ssl
  - From: "Tony Earnshaw" <tonye@billy.demon.nl>

References:
- openldap and ssl
  - From: Gustavo Rios <vieira.rios@gmail.com>
- Re: openldap and ssl
  - From: "Tony Earnshaw" <tonye@billy.demon.nl>

Prev by Date: Re: ldap_start_tls_s deprecated: the replacement is?
Next by Date: Re: SyncRepl - no write access
Index(es):
- Chronological
- Thread