The problem described in your log is not with your server certificate.
Did you mean to require the client to present a certificate to identify
the client? If so, your client is not doing so, and, when you provide
a proper authentication certificate from your client, things should work.
If not, then you need to look at slapd.conf and turn off the requirement
for the client to authenticate with a certificate.
Look for a line like:
TLSVerifyClient Always
If you change that to Allow or Never, things will probably work.
Owen
--On Friday, April 1, 2005 10:43 AM +0200 Edward De Jongh
<Edwardd@discovery.co.za> wrote:
> Hi all, I've managed to successfully generate a certificate using
> openssl. I've put this as well as the other two files in the correct
> places and pointed the slapd.conf correctly. This is on a RedHat ES3
> server. I have as per the openldap docs:
> http://www.openldap.org/faq/data/cache/185.html
> Copied the cacert.pem to my windows client and when trying to connect
> the ldap server returns:
>
> daemon: new connection on 10
> ldap_pvt_gethostbyname_a: host=dltinf01.discovery.co.za, r=0
> daemon: added 10r
> daemon: activity on:
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10)
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> tls_read: want=11, got=11
> 0000: 80 62 01 03 01 00 39 00 00 00 20  .b....9...
> tls_read: want=89, got=89
> 0000: 00 00 04 01 00 80 00 00 05 00 00 2f 00 00 33 00  .........../..3.
> 0010: 00 32 00 00 0a 07 00 c0 00 00 16 00 00 13 00 00  .2..............
> 0020: 09 06 00 40 00 00 15 00 00 12 00 00 03 02 00 80  ...@............
> 0030: 00 00 08 00 00 14 00 00 11 42 4d 08 ec 17 df 4a  .........BM....J
> 0040: d4 72 47 d2 78 c4 bc 94 6f 03 42 6e 41 e3 e1 f4  .rG.x...o.BnA...
> 0050: ae 4f eb d9 35 09 f6 d0 14  .O..5....
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write certificate request A
> tls_write: want=1271, written=1271
> 0000: 16 03 01 00 4a 02 00 00 46 03 01 42 4d 0c f1 4e  ....J...F..BM..N
> 0010: 55 dd 58 ff 68 17 87 ae 0c 6d 65 5f 8c 19 3d 9d  U.X.h....me_..=.
> 0020: b5 36 fc b7 eb d1 96 1d 75 88 7d 20 ca c2 dc a6  .6......u.} ....
> 0030: a5 2e 52 c8 d9 c5 93 23 d8 cd 46 e9 e1 ec e1 5b  ..R....#..F....[
> 0040: fa 3d 32 31 05 38 2c 0c bf fa 29 e7 00 04 00 16  .=21.8,...).....
> 0050: 03 01 03 ee 0b 00 03 ea 00 03 e7 00 03 e4 30 82  ..............0.
> 0060: 03 e0 30 82 03 49 a0 03 02 01 02 02 01 01 30 0d  ..0..I........0.
> 0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 9e  ..*.H........0..
> 0080: 31 0b 30 09 06 03 55 04 06 13 02 5a 41 31 10 30  1.0...U....ZA1.0
> 0090: 0e 06 03 55 04 08 13 07 47 61 75 74 65 6e 67 31  ...U....Gauteng1
> 00a0: 15 30 13 06 03 55 04 07 13 0c 4a 6f 68 61 6e 6e  .0...U....Johann
> 00b0: 65 73 62 75 72 67 31 12 30 10 06 03 55 04 0a 13  esburg1.0...U...
> 00c0: 09 44 69 73 63 6f 76 65 72 79 31 17 30 15 06 03  .Discovery1.0...
> 00d0: 55 04 0b 13 0e 44 69 73 63 6f 76 65 72 79 20 4c  U....Discovery L
> 00e0: 69 66 65 31 11 30 0f 06 03 55 04 03 13 08 64 6c  ife1.0...U....dl
> 00f0: 74 69 6e 66 30 31 31 26 30 24 06 09 2a 86 48 86  tinf011&0$..*.H.
> 0100: f7 0d 01 09 01 16 17 65 64 77 61 72 64 64 40 64  .......edwardd@d
> 0110: 69 73 63 6f 76 65 72 79 2e 63 6f 2e 7a 61 30 1e  iscovery.co.za0.
> 0120: 17 0d 30 35 30 34 30 31 30 38 31 36 32 37 5a 17  ..050401081627Z.
> 0130: 0d 30 36 30 34 30 31 30 38 31 36 32 37 5a 30 81  .060401081627Z0.
> 0140: 9e 31 0b 30 09 06 03 55 04 06 13 02 5a 41 31 10  .1.0...U....ZA1.
> 0150: 30 0e 06 03 55 04 08 13 07 47 61 75 74 65 6e 67  0...U....Gauteng
> 0160: 31 15 30 13 06 03 55 04 07 13 0c 4a 6f 68 61 6e  1.0...U....Johan
> 0170: 6e 65 73 62 75 72 67 31 12 30 10 06 03 55 04 0a  nesburg1.0...U..
> 0180: 13 09 44 69 73 63 6f 76 65 72 79 31 17 30 15 06  ..Discovery1.0..
> 0190: 03 55 04 0b 13 0e 44 69 73 63 6f 76 65 72 79 20  .U....Discovery 
> 01a0: 4c 69 66 65 31 11 30 0f 06 03 55 04 03 13 08 64  Life1.0...U....d
> 01b0: 6c 74 69 6e 66 30 31 31 26 30 24 06 09 2a 86 48  ltinf011&0$..*.H
> 01c0: 86 f7 0d 01 09 01 16 17 65 64 77 61 72 64 64 40  ........edwardd@
> 01d0: 64 69 73 63 6f 76 65 72 79 2e 63 6f 2e 7a 61 30  discovery.co.za0
> 01e0: 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05  ..0...*.H.......
> 01f0: 00 03 81 8d 00 30 81 89 02 81 81 00 e0 08 93 75  .....0.........u
> 0200: ac 6c cc c7 44 ce c7 7d 5f 72 77 84 23 ab 3e 24  .l..D..}_rw.#.>$
> 0210: e5 7d 4a e7 56 ac 66 a2 8c 38 e0 12 ef c0 81 0c  .}J.V.f..8......
> 0220: 0a b8 20 53 78 ee 4d 85 e6 7a 03 08 84 94 12 32  .. Sx.M..z.....2
> 0230: 3e 4d 60 29 90 f8 94 db 92 fc 16 9a 0b 39 34 58  >M`).........94X
> 0240: c3 57 f7 31 2e 25 76 95 ac 1f a3 7a 8b 42 a9 8f  .W.1.%v....z.B..
> 0250: d2 3c 0b 03 ea a9 a6 0c 12 51 7a 25 df a1 4f 45  .<.......Qz%..OE
> 0260: f0 7a ea 5c 16 f1 01 5e 92 fb f1 c3 4b 89 5b b8  .z.\...^....K.[.
> 0270: 17 7c e9 65 16 ba df 61 5d 22 8e d9 02 03 01 00  .|.e...a]"......
> 0280: 01 a3 82 01 2a 30 82 01 26 30 09 06 03 55 1d 13  ....*0..&0...U..
> 0290: 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01  ..0.0,..`.H...B.
> 02a0: 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e  .....OpenSSL Gen
> 02b0: 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61  erated Certifica
> 02c0: 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 a0 b7 f9  te0...U.........
> 02d0: 44 93 eb de 46 d5 b9 cb 23 6a db 28 04 ec 4d d5  D...F...#j.(..M.
> 02e0: 19 30 81 cb 06 03 55 1d 23 04 81 c3 30 81 c0 80  .0....U.#...0...
> 02f0: 14 70 04 ec 05 aa 43 21 fe 95 a9 43 79 7a 9b 8f  .p....C!...Cyz..
> 0300: ba d7 42 13 a4 a1 81 a4 a4 81 a1 30 81 9e 31 0b  ..B........0..1.
> 0310: 30 09 06 03 55 04 06 13 02 5a 41 31 10 30 0e 06  0...U....ZA1.0..
> 0320: 03 55 04 08 13 07 47 61 75 74 65 6e 67 31 15 30  .U....Gauteng1.0
> 0330: 13 06 03 55 04 07 13 0c 4a 6f 68 61 6e 6e 65 73  ...U....Johannes
> 0340: 62 75 72 67 31 12 30 10 06 03 55 04 0a 13 09 44  burg1.0...U....D
> 0350: 69 73 63 6f 76 65 72 79 31 17 30 15 06 03 55 04  iscovery1.0...U.
> 0360: 0b 13 0e 44 69 73 63 6f 76 65 72 79 20 4c 69 66  ...Discovery Lif
> 0370: 65 31 11 30 0f 06 03 55 04 03 13 08 64 6c 74 69  e1.0...U....dlti
> 0380: 6e 66 30 31 31 26 30 24 06 09 2a 86 48 86 f7 0d  nf011&0$..*.H...
> 0390: 01 09 01 16 17 65 64 77 61 72 64 64 40 64 69 73  .....edwardd@dis
> 03a0: 63 6f 76 65 72 79 2e 63 6f 2e 7a 61 82 01 00 30  covery.co.za...0
> 03b0: 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81  ...*.H..........
> 03c0: 81 00 ae e5 15 bf 43 8c 19 ce 1c ed 28 71 73 55  ......C.....(qsU
> 03d0: 36 49 7e b3 0a 6c 08 d2 23 83 de a6 27 c4 da f1  6I~..l..#...'...
> 03e0: 6f c2 b1 f9 07 8d 56 db cc fd 06 24 f7 52 ea 21  o.....V....$.R.!
> 03f0: bb 33 0e 8a e4 b4 26 fc 74 10 71 14 ca 0d 56 95  .3....&.t.q...V.
> 0400: 6b 58 cd f5 7b 0d 36 0e 2b 7c 39 29 47 6a b9 19  kX..{.6.+|9)Gj..
> 0410: 23 10 9c 8c 4d ba 50 40 8f fb 25 d5 cc e0 72 86  #...M.P@..%...r.
> 0420: 2c 4d 7f d4 ea 75 0d be 87 6e c0 36 55 f4 04 bb  ,M...u...n.6U...
> 0430: 19 2b 2f b0 f0 f2 85 a5 71 ef 96 64 5e 84 4e 7a  .+/.....q..d^.Nz
> 0440: fb a5 16 03 01 00 b0 0d 00 00 a8 02 01 02 00 a3  ................
> 0450: 00 a1 30 81 9e 31 0b 30 09 06 03 55 04 06 13 02  ..0..1.0...U....
> 0460: 5a 41 31 10 30 0e 06 03 55 04 08 13 07 47 61 75  ZA1.0...U....Gau
> 0470: 74 65 6e 67 31 15 30 13 06 03 55 04 07 13 0c 4a  teng1.0...U....J
> 0480: 6f 68 61 6e 6e 65 73 62 75 72 67 31 12 30 10 06  ohannesburg1.0..
> 0490: 03 55 04 0a 13 09 44 69 73 63 6f 76 65 72 79 31  .U....Discovery1
> 04a0: 17 30 15 06 03 55 04 0b 13 0e 44 69 73 63 6f 76  .0...U....Discov
> 04b0: 65 72 79 20 4c 69 66 65 31 11 30 0f 06 03 55 04  ery Life1.0...U.
> 04c0: 03 13 08 64 6c 74 69 6e 66 30 31 31 26 30 24 06  ...dltinf011&0$.
> 04d0: 09 2a 86 48 86 f7 0d 01 09 01 16 17 65 64 77 61  .*.H........edwa
> 04e0: 72 64 64 40 64 69 73 63 6f 76 65 72 79 2e 63 6f  rdd@discovery.co
> 04f0: 2e 7a 61 0e 00 00 00  .za....
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5 error=Resource temporarily unavailable
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10)
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> tls_read: want=5, got=5
> 0000: 15 03 01 00 02 .....
> tls_read: want=2, got=2
> 0000: 02 2e ..
> TLS trace: SSL3 alert read:fatal:certificate unknown
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown s3_pkt.c:1052
> connection_read(10): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=10 for close
> connection_close: conn=0 sd=10
> daemon: removing 10
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
>
> This process was working fine in my previous DEV implementation. Now it
> is not working from JXplorer or my custom JAVA SSL client. Any pointers
> would be greatly appreciated.
>
> Tuesday Lobsang Rampa
>
>
--
If it wasn't crypto-signed, it probably didn't come from me.
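The quoted trace already contains the evidence for Owen's diagnosis, and it can be read mechanically rather than by eye. The Python below is an added example (not part of the original thread, and not OpenLDAP code): it decodes the last record of the server's 1271-byte tls_write flight, the CertificateRequest plus ServerHelloDone that slapd wrote at offset 0x442 of the dump, and the 7-byte alert the client sent back (the two tls_read chunks 15 03 01 00 02 and 02 2e). It lists the client certificate types and the issuer DN the server will accept, and names the alert, 0x2e = 46 = certificate_unknown, which is the client giving up because it has no certificate to present for that CA. The bytes are transcribed from the log above; the function and constant names are the example's own. For the server side, the keywords slapd.conf(5) documents for TLSVerifyClient are never, allow, try and demand (hard and true are synonyms of demand), so check that manual page for the exact spelling your version accepts.

```python
"""Decode the CertificateRequest slapd sent and the alert the client answered
with, from the 'TLS trace' hex dump in the quoted log (TLS 1.0, RFC 2246)."""

# Transcribed from the tls_write dump, offsets 0x442..0x4f6: the last record of
# the server's flight, carrying CertificateRequest + ServerHelloDone.
CERT_REQUEST_RECORD = bytes.fromhex(
    "16 03 01 00 b0 0d 00 00 a8 02 01 02 00 a3 "
    "00 a1 30 81 9e 31 0b 30 09 06 03 55 04 06 13 02 "
    "5a 41 31 10 30 0e 06 03 55 04 08 13 07 47 61 75 "
    "74 65 6e 67 31 15 30 13 06 03 55 04 07 13 0c 4a "
    "6f 68 61 6e 6e 65 73 62 75 72 67 31 12 30 10 06 "
    "03 55 04 0a 13 09 44 69 73 63 6f 76 65 72 79 31 "
    "17 30 15 06 03 55 04 0b 13 0e 44 69 73 63 6f 76 "
    "65 72 79 20 4c 69 66 65 31 11 30 0f 06 03 55 04 "
    "03 13 08 64 6c 74 69 6e 66 30 31 31 26 30 24 06 "
    "09 2a 86 48 86 f7 0d 01 09 01 16 17 65 64 77 61 "
    "72 64 64 40 64 69 73 63 6f 76 65 72 79 2e 63 6f "
    "2e 7a 61 0e 00 00 00")
# The two tls_read chunks the client sent back: record header, then alert body.
ALERT_RECORD = bytes.fromhex("15 03 01 00 02 " "02 2e")

HANDSHAKE = {2: "server_hello", 11: "certificate", 13: "certificate_request", 14: "server_hello_done"}
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca"}
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
             "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress"}


def tls_records(data):
    """Yield (content_type, body) for each TLS record in a byte stream."""
    off = 0
    while off < len(data):
        ctype, length = data[off], int.from_bytes(data[off + 3:off + 5], "big")
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record")
        yield ctype, body
        off += 5 + length


def handshake_messages(body):
    """Yield (handshake_type, message) for each message in a handshake record."""
    off = 0
    while off < len(body):
        htype, length = body[off], int.from_bytes(body[off + 1:off + 4], "big")
        yield htype, body[off + 4:off + 4 + length]
        off += 4 + length


def der_tlv(buf, off):
    """Read one DER tag-length-value at buf[off]; return (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER body."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_dn(der):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    _, seq, _ = der_tlv(der, 0)
    parts, off = [], 0
    while off < len(seq):
        _, rdn, off = der_tlv(seq, off)      # SET (one AVA per RDN here)
        _, ava, _ = der_tlv(rdn, 0)          # SEQUENCE { type, value }
        _, oid, pos = der_tlv(ava, 0)
        _, value, _ = der_tlv(ava, pos)
        oid = decode_oid(oid)
        parts.append(f"{OID_NAMES.get(oid, oid)}={value.decode('ascii', 'replace')}")
    return ", ".join(parts)


def parse_certificate_request(msg):
    """RFC 2246 7.4.4: certificate_types<1..255>, certificate_authorities<3..2^16-1>."""
    n = msg[0]
    types = [CERT_TYPES.get(t, str(t)) for t in msg[1:1 + n]]
    off = 1 + n
    end = off + 2 + int.from_bytes(msg[off:off + 2], "big")
    off += 2
    cas = []
    while off < end:
        dn_len = int.from_bytes(msg[off:off + 2], "big")
        cas.append(decode_dn(msg[off + 2:off + 2 + dn_len]))
        off += 2 + dn_len
    return types, cas


def explain(server_bytes, client_bytes):
    """Summarise what the server demanded and how the client replied."""
    out = {"handshake": []}
    for ctype, body in tls_records(server_bytes):
        if ctype == 22:                      # handshake
            for htype, msg in handshake_messages(body):
                out["handshake"].append(HANDSHAKE.get(htype, str(htype)))
                if htype == 13:
                    out["cert_types"], out["acceptable_cas"] = parse_certificate_request(msg)
    for ctype, body in tls_records(client_bytes):
        if ctype == 21:                      # alert
            level = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
            out["alert"] = (level, ALERTS.get(body[1], str(body[1])))
    return out


if __name__ == "__main__":
    for key, val in explain(CERT_REQUEST_RECORD, ALERT_RECORD).items():
        print(f"{key}: {val}")
```

Run as-is it prints the two handshake messages, the accepted types (rsa_sign, dss_sign), the single acceptable issuer (the self-signed dltinf01 CA from the log, which is also the server's own certificate subject) and the fatal certificate_unknown alert. The same record reader works on any slapd TLS trace: paste the tls_write bytes of the server flight and the tls_read bytes of the client's reply, and the presence of a certificate_request message tells you whether the server is demanding client authentication before you touch slapd.conf.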