Re: openldap and ssl
Dear gentlemen,
CN is the complaint Apache makes only when I try to access it by means of
Netscape; MS I.E. works nicely.
And what about the OpenLDAP error?
What do you have to say?
Thanks once more for your time and cooperation.
Best regards.
On Sun, 9 Jan 2005 14:20:50 +0100 (CET), Tony Earnshaw
<tonye@billy.demon.nl> wrote:
> Gustavo Rios:
>
> > As you may know by now, I am trying hard to get SSL with OpenLDAP working
> > nicely. But I must be doing something really stupid, because for three days I
> > cannot get it working.
>
> The *last* entry in your log snippet tells you quite plainly where you're
> going wrong (the server Subject CN has to be the same as the FQDN hostname
> as found by gethostbyname() on the server, or 'hostname -f' on Linux).
> Please do read Kent Soper's HOWTO, referenced enough on this list.
>
> --Tonni
>
>
> > In my desperation I decided to try the same certificate I signed for
> > openldap (I am my own CA). But it does not work either.
> >
> > So, I respectfully request your help, if possible, in my challenge.
> >
> >
> > Here is the complete sequence of commands I issued:
> >
> >
> > The first one to build my own CA certificate, the latter two to build
> > the openldap and apache certs (they are on the same box).
> >
> > $ openssl req -new -x509 -keyout pvt/ca-key.pem -keyform PEM -out
> > ca-crt.pem -outform PEM -days 3650
> >
> > $ openssl req -new -nodes -keyout key.pem -out csr.pem
> > $ openssl ca -policy policy -out crt.pem -infiles csr.pem
> >
> >
> > My openssl.conf is attached.
> >
> >
> > I know I must be doing something very stupid, something an experienced
> > person could detect easily. So if possible, would you PLEASE help me.
> >
> > Thanks a lot for your time and cooperation,
> >
> >
> > Best regards.
> >
> > PS: Log errors:
> >
> >
> > OpenLDAP:
> > ...
> > ...
> > tls_read: want=5, got=5
> > 0000: 15 03 01 00 02 .....
> > tls_read: want=2, got=2
> > 0000: 02 33 .3
> > TLS: can't accept.
> > TLS: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt
> > error /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
> >
> >
> >
> > Apache :
> > [08/Jan/2005 19:15:02 26426] [info] Connection to child 0 established (server etosha.fesv.br:443, client 192.168.1.254)
> > [08/Jan/2005 19:15:02 26426] [info] Seeding PRNG with 1160 bytes of entropy
> > [08/Jan/2005 19:15:04 26426] [error] SSL handshake failed (server etosha.fesv.br:443, client 192.168.1.254) (OpenSSL library error follows)
> > [08/Jan/2005 19:15:04 26426] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
>
>
> --
> mail: tonye@billy.demon.nl
> http://www.billy.demon.nl
>
>
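The name check Tony describes (subject CN, or a SAN dNSName if one is present, must equal the server's FQDN), together with Apache's second hint (subject identical to the CA), written out as an added example that is not part of this thread. The certificate values are constructed; the hostname etosha.fesv.br is the one from the Apache log, and the names are taken as plain strings as `openssl x509 -noout -subject` would print them.

```python
"""Audit whether a server certificate's names will pass the hostname check
that Apache and OpenLDAP apply during the TLS handshake."""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a CN or SAN dNSName `pattern` covers `hostname`.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only as the complete left-most label of a name with at least
    three labels, so "*.fesv.br" covers "etosha.fesv.br" but neither
    "a.b.fesv.br" nor anything under "*.br".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # Reject empty labels and names with a different number of labels.
    if len(p_labels) != len(h_labels) or not all(p_labels) or not all(h_labels):
        return False
    if "*" in pattern:
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        if any("*" in label for label in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def audit_server_cert(subject_cn, san_dns, issuer_cn, hostname):
    """Return a list of problems; an empty list means the certificate should
    pass the name check that failed in the thread's Apache/OpenLDAP logs."""
    problems = []
    # When a SAN extension carries dNSNames, clients use those and ignore the CN.
    names = list(san_dns) if san_dns else [subject_cn]
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append(f"no certificate name {names} matches server FQDN {hostname!r}")
    if subject_cn == issuer_cn:
        problems.append("subject CN equals issuer CN: this is the CA certificate "
                        "itself (or a self-signed one), not a server certificate")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a cert whose CN is only the short hostname, then one
    # signed with the CA's own subject, then a correct one.
    fqdn = "etosha.fesv.br"
    for cn, issuer in [("etosha", "Example CA"), ("Example CA", "Example CA"), (fqdn, "Example CA")]:
        print(cn, "->", audit_server_cert(cn, [], issuer, fqdn) or "OK")
```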