
Re: TLS secure connection to an LDAP server



Thank you for your reply.

I've followed the indications given in the link you suggested in addition to
those given on http://samba.idealx.org/smbldap-howto.fr.html.

I didn't ask the server to verify the client certificate (I didn't set
"TLSVerifyClient demand"). Also, the CA's certificate is world readable.

I actually aim to secure connections between a samba server and the ldap
server. Though, I created a certificate for the client dedicated to the
accounts creation...

Checking my SSL connection still fails. What would you please suggest?


Thanks

--- Pierangelo Masarati <ando@sys-net.it> wrote:
> I suggest you carefully follow the indications of
> <http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html>; in detail,
> make sure you use the right cipher, and that you use client and server
> certificate verification appropriately (e.g. if you ask the server to
> verify the client's certificate, make sure the client has one, and if you
> ask the client to verify the server's certificate, make sure the client
> can see the server's CA's public key)
> 
> p.
> 
> > Hi there,
> >
> > I am trying to secure connections to my ldap server by using TLS.
> > I created a certificate for my server. The certificate verification
> > was OK (openssl verify -CAfile /path/to/ca.pem
> > /path/to/my_ldap_srv_certificate).
> > On my slapd.conf file I set TLSCACertificateFile, TLSCertificate and
> > TLSCertificateKeyFile paths.
> > I ran my server on the two default ports 389 (ldap) and 636 (ldaps)
> > using this command: 'slapd -d127 -h "ldap:/// ldaps:///'.
> > Once checking the SSL connection (by running the command: 'openssl
> > s_client -connect localhost:636 -showcerts -state -CAfile
> > /path/to/ca.pem'), I get the following output:
> >
> >   CONNECTED(00000003)
> >   SSL_connect:before/connect initialization
> >   SSL_connect:SSLv2/v3 write client hello A
> >   SSL3 alert read:fatal:handshake failure
> >   SSL_connect:error in SSLv2/v3 read server hello A
> >   2338:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
> >
> > My server's debug output shows:
> >
> >   TLS trace: SSL3 alert write:fatal:handshake failure
> >   TLS trace: SSL_accept:error in SSLv3 read client hello B
> >   TLS trace: SSL_accept:error in SSLv3 read client hello B
> >   TLS: can't accept.
> >   TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
> >   connection_read(8): TLS accept error error=-1 id=0, closing
> >   connection_closing: readying conn=0 sd=8 for close
> >
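As an added example (not part of this thread or of OpenLDAP), the following Python decodes the two OpenSSL error strings quoted above and pairs them, showing that the client's "handshake failure" is only the alert the server sent and that the real failure ("no shared cipher") is on the server side. It assumes the classic OpenSSL error-code packing (8-bit library id, 12-bit function id, 12-bit reason id, with reason ids of 1000+N meaning "peer sent TLS alert N"); the two log lines are constructed from the thread with the e-mail wrapping undone.

```python
import re

# Constructed input: the two error lines quoted in the thread, with the
# e-mail line wrapping undone so each OpenSSL error string is on one line.
CLIENT_LINE = ("2338:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
               "sslv3 alert handshake failure:s23_clnt.c:470:")
SERVER_LINE = ("TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:"
               "no shared cipher s3_srvr.c:882")

# Classic (pre-3.0) OpenSSL error code layout: 0xLLFFFRRR =
# 8-bit library id, 12-bit function id, 12-bit reason id.
ERR_LIB_SSL = 20
ALERT_REASON_BASE = 1000        # reason >= 1000 means "peer sent alert (reason - 1000)"
ALERT_HANDSHAKE_FAILURE = 40    # TLS alert number for handshake_failure
SSL_R_NO_SHARED_CIPHER = 193    # server could not pick a cipher both sides support

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
LOC_RE = re.compile(r"[: ][^\s:]+\.c:\d+:?$")   # trailing "file.c:line" suffix

def parse_openssl_error(line):
    """Decode the error:CODE:lib:func:reason string in a log line (None if absent)."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "func_name": m.group(3),
        "reason": reason,
        "reason_text": LOC_RE.sub("", m.group(4)).strip(),
        # A reason id of 1000+N is not a local failure: the peer sent alert N.
        "alert": reason - ALERT_REASON_BASE if reason >= ALERT_REASON_BASE else None,
    }

def diagnose(client_line, server_line):
    """Pair both sides' errors and name the side that actually failed."""
    findings = []
    c = parse_openssl_error(client_line)
    if c and c["alert"] == ALERT_HANDSHAKE_FAILURE:
        findings.append("client_saw_handshake_failure_alert")  # echo of the server's abort
    s = parse_openssl_error(server_line)
    if s and s["lib"] == ERR_LIB_SSL and s["reason"] == SSL_R_NO_SHARED_CIPHER:
        # Root cause is server-side: no cipher usable with its loaded cert/key matches
        # the client's offer. Check that slapd can read TLSCertificateFile and
        # TLSCertificateKeyFile, that the key matches the cert, and TLSCipherSuite.
        findings.append("server_no_shared_cipher")
    return findings

if __name__ == "__main__":
    print(parse_openssl_error(SERVER_LINE))
    print(diagnose(CLIENT_LINE, SERVER_LINE))
```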