
Re: openldap and ssl



Dear gentleman,

CN is the complaint Apache makes only when I try to access it by means of
Netscape; MS I.E. works nicely.

And about the OpenLDAP error?

What do you have to say?

Thanks once more for your time and cooperation.

Best regards.


On Sun, 9 Jan 2005 14:20:50 +0100 (CET), Tony Earnshaw
<tonye@billy.demon.nl> wrote:
> Gustavo Rios:
> 
> > as you may know by now, I am trying hard to get SSL with OpenLDAP working
> > nicely. But I must be doing something very stupid, because for three days I
> > cannot get it working.
> 
> The *last* entry in your log snippet tells you quite plainly where you're
> going wrong (the server Subject CN has to be the same as the FQDN hostname
> as found by gethostbyname() on the server, or 'hostname -f' on Linux).
> Please do read Kent Soper's HOWTO, referenced enough on this list.
> 
> --Tonni
> 
> 
> > In my desperation I decided to try the same certificate I signed for
> > OpenLDAP (I am my own CA). But it does not work either.
> >
> > So, I respectfully request your help, if possible, with my challenge.
> >
> >
> > Here is the complete sequence of commands I issued:
> >
> >
> > The first one builds my own CA certificate, the latter two build the
> > OpenLDAP and Apache certs (they are on the same box).
> >
> > $ openssl req -new -x509 -keyout pvt/ca-key.pem -keyform PEM -out
> > ca-crt.pem -outform PEM -days 3650
> >
> > $ openssl req -new -nodes -keyout key.pem -out csr.pem
> > $ openssl ca -policy policy -out crt.pem -infiles csr.pem
> >
> >
> > My openssl.conf is attached.
> >
> >
> > I know I must be doing something very stupid, something an experienced
> > person could detect easily. So if possible, would you PLEASE help me.
> >
> > Thanks a lot for your time and cooperation,
> >
> >
> > Best regards.
> >
> > PS: Log errors:
> >
> >
> > OpenLDAP:
> > ...
> > ...
> > tls_read: want=5, got=5
> > 0000:  15 03 01 00 02                                     .....
> > tls_read: want=2, got=2
> > 0000:  02 33                                              .3
> > TLS: can't accept.
> > TLS: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
> >
> >
> >
> > Apache:
> > [08/Jan/2005 19:15:02 26426] [info]  Connection to child 0 established (server etosha.fesv.br:443, client 192.168.1.254)
> > [08/Jan/2005 19:15:02 26426] [info]  Seeding PRNG with 1160 bytes of entropy
> > [08/Jan/2005 19:15:04 26426] [error] SSL handshake failed (server etosha.fesv.br:443, client 192.168.1.254) (OpenSSL library error follows)
> > [08/Jan/2005 19:15:04 26426] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
> 
> 
> --
> mail: tonye@billy.demon.nl
> http://www.billy.demon.nl
> 
>
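The two log lines quoted above carry more information than the prose around them suggests. The slapd hex dump (15 03 01 00 02 / 02 33) is a raw TLS record: content type 21 (alert), protocol version 3.1 (TLS 1.0), a 2-byte body whose level is 2 (fatal) and whose description is 0x33 = 51, decrypt_error. The OpenSSL error codes are packed as library << 24 | function << 12 | reason, and for an alert received from the peer the reason is 1000 plus the alert number, so 0x1409441B and 0x14094412 decode to alert 51 (decrypt_error, sent by Netscape to slapd) and alert 42 (bad_certificate, sent by Netscape to Apache). In both cases it is the client that refused the server's certificate. The decoder below is an added example, not code from the thread or from OpenLDAP; the alert names are the RFC 2246 AlertDescription values, the error-code layout is OpenSSL 0.9.x's ERR_PACK(), and the sample record is constructed from the bytes in the mail.

```python
"""Decode the TLS alert record and OpenSSL error codes quoted in the thread.

Added example. Alert numbers are from RFC 2246 section 7.2; the error-code
layout is ERR_PACK(lib, func, reason) from OpenSSL 0.9.x; 1000 is that
version's SSL_AD_REASON_OFFSET (reason code = 1000 + received alert number).
"""
import struct

# Constructed from the slapd debug output in the mail: the 5-byte record
# header read first (15 03 01 00 02) followed by the 2-byte body (02 33).
SLAPD_ALERT_RECORD = bytes.fromhex("15 03 01 00 02 02 33")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}

ERR_LIB_SSL = 20            # ERR_LIB_SSL in OpenSSL's err.h
SSL_AD_REASON_OFFSET = 1000  # reason codes for peer alerts start here
# Only the function seen in this thread; OpenSSL 0.9.x SSL_F_* value.
SSL_FUNCTIONS = {148: "SSL3_READ_BYTES"}


def parse_alert_record(data: bytes) -> dict:
    """Parse one TLS record header; if it is an alert, name level/description."""
    if len(data) < 5:
        raise ValueError("short TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("TLS record body truncated")
    rec = {"content_type": CONTENT_TYPES.get(content_type, content_type),
           "version": (major, minor), "length": length}
    if content_type == 21:
        if length != 2:
            raise ValueError("alert body must be exactly 2 bytes")
        level, desc = body[0], body[1]
        rec["level"] = ALERT_LEVELS.get(level, level)
        rec["description"] = ALERT_DESCRIPTIONS.get(desc, desc)
    return rec


def decode_openssl_error(code: int) -> dict:
    """Unpack an OpenSSL 0.9.x error code (lib<<24 | func<<12 | reason)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    out = {"library": lib, "function": func,
           "function_name": SSL_FUNCTIONS.get(func, "?"), "reason": reason}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        out["peer_alert"] = ALERT_DESCRIPTIONS.get(alert, alert)
    return out


if __name__ == "__main__":
    print("slapd record:", parse_alert_record(SLAPD_ALERT_RECORD))
    print("slapd error :", decode_openssl_error(0x1409441B))
    print("apache error:", decode_openssl_error(0x14094412))
```

Both reasons point at the client, so the next step is to look at the certificate from the client's point of view (subject, issuer, chain), not at slapd's or Apache's key handling.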
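Tony's point, and the mod_ssl hint, together give the two conditions the server certificate has to meet: its Subject CN must be exactly the name clients connect to (the FQDN, what `hostname -f` prints), and its subject must not be the same DN as the CA's, which is what happens when the CA and the CSR are both generated from the same openssl.conf defaults. The script below is an added example, not the poster's commands and not part of OpenLDAP: it generates a private CA with a distinct name, issues a server certificate with CN set to the FQDN (and the same name in subjectAltName, which modern clients require), verifies the chain, and checks the CN against the host name the way a client would. It assumes the `openssl` command is on PATH; the CA name "Example Private CA", the temporary working directory and all file names are illustrative.

```python
"""Issue a server certificate whose Subject CN is the server's FQDN.

Added example. Shells out to the openssl CLI (assumed on PATH) with a
self-contained config instead of the poster's attached openssl.conf.
"""
import os
import re
import socket
import subprocess
import tempfile

CA_CN = "Example Private CA"  # illustrative; must differ from the server DN


def server_fqdn() -> str:
    """Roughly what `hostname -f` / gethostbyname() return for this host."""
    return socket.getfqdn()


def openssl_config(fqdn: str) -> str:
    """openssl.cnf with a CA extension section and a server extension section."""
    return f"""[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = {fqdn}

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:{fqdn}
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
"""


def extract_cn(subject_line: str) -> str:
    """Pull the CN out of `openssl x509 -subject` output, old or new format."""
    m = re.search(r"CN\s*=\s*([^,/\n]+)", subject_line)
    if not m:
        raise ValueError("no CN in subject: %r" % subject_line)
    return m.group(1).strip()


def cn_matches_host(cn: str, fqdn: str) -> bool:
    """Exact, case-insensitive DNS name comparison (no wildcard handling)."""
    return cn.rstrip(".").lower() == fqdn.rstrip(".").lower()


def openssl(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True)


def issue_server_cert(fqdn: str, workdir: str) -> tuple:
    """Create CA + server cert in workdir; return (cert path, its CN)."""
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(openssl_config(fqdn))
    ca_key, ca_crt = (os.path.join(workdir, n) for n in ("ca-key.pem", "ca-crt.pem"))
    key, csr, crt = (os.path.join(workdir, n) for n in ("key.pem", "csr.pem", "crt.pem"))
    # CA: its own subject, so the server cert cannot look self-issued.
    openssl("req", "-new", "-x509", "-newkey", "rsa:2048", "-nodes",
            "-keyout", ca_key, "-out", ca_crt, "-days", "3650",
            "-subj", "/CN=" + CA_CN, "-config", cnf, "-extensions", "v3_ca")
    # Server CSR: CN is the FQDN, nothing else.
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
            "-out", csr, "-subj", "/CN=" + fqdn, "-config", cnf)
    # Sign with the server extension section (SAN, serverAuth).
    openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
            "-CAcreateserial", "-out", crt, "-days", "365",
            "-extfile", cnf, "-extensions", "server_ext")
    openssl("verify", "-CAfile", ca_crt, crt)  # chain must build
    subject = openssl("x509", "-noout", "-subject", "-in", crt).stdout
    return crt, extract_cn(subject)


if __name__ == "__main__":
    fqdn = server_fqdn()
    crt, cn = issue_server_cert(fqdn, tempfile.mkdtemp())
    print("issued", crt, "with CN", cn)
    assert cn_matches_host(cn, fqdn), "CN does not match the host name"
```

Point slapd.conf at the results with TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile, and give the client the CA certificate (not the server certificate) as its trust anchor.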