Re: TLS secure connection to an LDAP server
fatima riadi wrote:
In fact, I used the server fully qualified domain name to name the certificate (ldap_server.domain.com.pem). I also used the server's dn during the connection but it did not succeed!
The name of the certificate file has nothing to do with it; you choose the one you want :-)
The common name of the certificate is the "cn" field you enter when you create the certificate. This name has to be the server's fully qualified domain name.
Then, when you test the SSL connection, instead of:
openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/ca.pem
run this:
openssl s_client -connect ldap.domain.com:636 -showcerts -state -CAfile /path/to/ca.pem
regards,
François
kind regards
--- François Beretti <francois.beretti@enatel.com> wrote:
fatima riadi wrote:
Hi there,
I am trying to secure connections to my ldap server by using TLS.
I created a certificate for my server. The certificate verification was OK (openssl verify -CAfile /path/to/ca.pem /path/to/my_ldap_srv_certificate).
On my slapd.conf file I set TLSCACertificateFile, TLSCertificate and TLSCertificateKeyFile paths.
I ran my server on the two default ports 389 (ldap) and 636 (ldaps) using this command: 'slapd -d127 -h "ldap:/// ldaps:///"'.
Once checking the SSL connection (by running the command: 'openssl s_client -connect localhost:636 -showcerts -state -CAfile /path/to/ca.pem'), I get the following output:
Hello
Assuming you used the server's Fully Qualified Domain Name (host.domaine.com) as the common name of the certificate, you have to use this FQDN to connect to the server, instead of "localhost".
regards,
François
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
2338:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:470:
My server's debug output shows:
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS trace: SSL_accept:error in SSLv3 read client hello B
TLS: can't accept.
TLS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:882
connection_read(8): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=8 for close
connection_close: conn=0 sd=8
daemon: removing 8
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
I can't guess what could be the error. Do you please have any suggestion?
I am using OpenSSH_3.5p1 with OpenLDAP 2.1.22 on a Red Hat box.
Thank you in advance!
__________________________________________________________________
Discover the new Yahoo! Mail: 250 MB of storage space for your mail!
Create your Yahoo! Mail at http://fr.mail.yahoo.com/
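A worked check of the point made in the replies above, added here as an example and not taken from the thread or from OpenLDAP: the name a client connects with must be one the server certificate was issued for. The first functions implement that name matching over the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, using constructed sample certificates for the thread's `ldap.domain.com`; `check_ldaps()` then makes the same connection as `openssl s_client -connect ldap.domain.com:636 -CAfile /path/to/ca.pem` with hostname checking enabled and reports whether a failure is a certificate-name mismatch or a handshake error (the class that the server-side "no shared cipher" line belongs to). The host names, the sample certificate contents and the `check_ldaps` function name are assumptions for this example.

```python
"""Hostname check for an LDAPS server certificate.

Added example (not from the thread): a certificate issued to the server's
FQDN (ldap.domain.com) does not validate a connection made to "localhost".
Matching follows RFC 6125 in outline:
  * if subjectAltName carries DNS entries, only those count;
  * otherwise the subject commonName is used;
  * "*" is honoured only as the whole left-most label and matches one label.
"""
from __future__ import annotations

import socket
import ssl
import sys


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: "*.domain.com" covers "ldap.domain.com" but neither
    # "domain.com" nor "a.b.domain.com".
    suffix = pattern[1:]  # ".domain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_dns_names(cert: dict) -> list[str]:
    """Names a client may match, from a getpeercert()-shaped dict.

    'subjectAltName' is a tuple of (type, value) pairs; 'subject' is a tuple
    of RDNs, each a tuple of (attribute, value) pairs.
    """
    san = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if san:
        return san  # SAN present: the CN is ignored
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if `hostname` is covered by the certificate's DNS names."""
    return any(_name_matches(n, hostname) for n in cert_dns_names(cert))


# Constructed samples (assumed values, shaped like getpeercert() output).
# CN-only, as a certificate made with an old `openssl req` typically was:
CERT_CN_ONLY = {
    "subject": ((("countryName", "FR"),), (("commonName", "ldap.domain.com"),)),
}
# With SAN entries; the CN here must be ignored:
CERT_WITH_SAN = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "ldap.domain.com"), ("DNS", "*.ldap.domain.com")),
}


def check_ldaps(host: str, port: int = 636, cafile: str | None = None) -> str:
    """Connect like `openssl s_client -connect host:port -CAfile cafile`, with
    hostname checking on, and report the outcome. Network call; host is assumed."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                names = cert_dns_names(tls.getpeercert())
                return f"OK: {tls.version()} to {host}; certificate names {names}"
    except ssl.SSLCertVerificationError as exc:
        # The thread's case: certificate for ldap.domain.com, connection to localhost.
        return f"certificate rejected: {exc.verify_message}"
    except ssl.SSLError as exc:
        # Handshake-level failures; a server-side "no shared cipher" reaches
        # the client as a handshake failure alert and lands here.
        return f"TLS handshake failed: {exc}"
    except OSError as exc:
        return f"connection failed: {exc}"


if __name__ == "__main__":
    # Offline demonstration of the name rule, then an optional live check.
    for host in ("ldap.domain.com", "localhost"):
        print(f"{host:16} matches CN-only cert: {hostname_matches(CERT_CN_ONLY, host)}")
    if len(sys.argv) >= 2:
        print(check_ldaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run without arguments to see the offline comparison (the FQDN matches, `localhost` does not); pass the FQDN and CA file, as in `python ldaps_check.py ldap.domain.com /path/to/ca.pem`, for the live check, whose output separates a name mismatch from a handshake failure so the two are not confused while troubleshooting.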