Re: TLS secure connection to an LDAP server
Thank you for your reply.
I've followed the indications given in the link you
suggested in addition to those given on
http://samba.idealx.org/smbldap-howto.fr.html.
I didn't ask the server to verify the client
certificate (I didn't set the "TLSVerifyClient
demand"). Also, the CA's certificate is world
readable.
I actually aim to secure connections between a Samba
server and the LDAP server. Though, I created a
certificate for the client dedicated to the accounts
creation...
Checking my SSL connection still fails. What would
you please suggest?
Thanks
--- Pierangelo Masarati <ando@sys-net.it> wrote:
> I suggest you carefully follow the indications of
> <http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html>; in detail,
> make sure you use the right cipher, and that you use client and server
> certificate verification appropriately (e.g. if you ask the server to
> verify the client's certificate, make sure the client has one, and if you
> ask the client to verify the server's certificate, make sure the client
> can see the server's CA's public key)
>
> p.
>
> > Hi there,
> >
> > I am trying to secure connections to my ldap server by
> > using TLS.
> > I created a certificate for my server. The certificate
> > verification was OK (openssl verify -CAfile
> > /path/to/ca.pem /path/to/my_ldap_srv_certificate).
> > On my slapd.conf file I set TLSCACertificateFile,
> > TLSCertificate and TLSCertificateKeyFile paths.
> > I ran my server on the two default ports 389 (ldap)
> > and 636 (ldaps) using this command: 'slapd -d127 -h
> > "ldap:/// ldaps:///"'.
> > Once checking the SSL connection (by running the
> > command: 'openssl s_client -connect localhost:636
> > -showcerts -state -CAfile /path/to/ca.pem'), I get the
> > following output:
> >
> > CONNECTED(00000003)
> > SSL_connect:before/connect initialization
> > SSL_connect:SSLv2/v3 write client hello A
> > SSL3 alert read:fatal:handshake failure
> > SSL_connect:error in SSLv2/v3 read server hello A
> > 2338:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
> >
> > My server's debug output shows:
> >
> > TLS trace: SSL3 alert write:fatal:handshake failure
> > TLS trace: SSL_accept:error in SSLv3 read client hello B
> > TLS trace: SSL_accept:error in SSLv3 read client hello B
> > TLS: can't accept.
> > TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
> > connection_read(8): TLS accept error error=-1 id=0, closing
> > connection_closing: readying conn=0 sd=8 for close
> >
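A check worth running before touching cipher settings, added here as an example and not part of the thread: a server whose certificate does not verify, or whose certificate and private key do not belong together, has no certificate-based cipher it can offer, which shows up exactly as the "handshake failure" alert on the client and "no shared cipher" on the server quoted above. The script builds a throwaway CA, server certificate and an unrelated key (all constructed; none of these are the poster's files) and runs the two checks on them.

```shell
#!/bin/sh
# Verify that a server certificate chains to the CA named in
# TLSCACertificateFile and matches the key named in TLSCertificateKeyFile.
# Everything below is a constructed throwaway, not the poster's setup.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA, a server certificate signed by it, and an unrelated key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.pem" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# check_tls_files CA CERT KEY
# Exit 0 only if CERT verifies against CA and CERT's public key is the
# public half of KEY; reports which of the two checks failed otherwise.
check_tls_files() {
    ca=$1; cert=$2; key=$3
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi
    # Compare the public key embedded in the certificate with the public
    # key derived from the private key; they must be byte-identical.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; return 1
    fi
    echo "OK: $cert chains to $ca and matches $key"
}

# Matching pair passes; the unrelated key is caught by the second check.
check_tls_files "$WORK/ca.pem" "$WORK/srv.pem" "$WORK/srv.key"
check_tls_files "$WORK/ca.pem" "$WORK/srv.pem" "$WORK/other.key" || true
```

Run it as the user slapd runs as, pointing at the real files, so that a key the daemon cannot read is caught at the same time.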