If not, then you need to look at slapd.conf and turn off the requirement
for the client to authenticate with a certificate.
Look for a line like:
TLSVerifyClient Always
If you change that to Allow or Never, things will probably work.
Owen
--On Friday, April 1, 2005 10:43 AM +0200 Edward De Jongh <Edwardd@discovery.co.za> wrote:
Hi all, I've managed to successfully generate a certificate using
openssl. I've put this as well as the other two files in the correct
places and pointed the slapd.conf correctly. This is on a RedHat ES3
server. I have, as per the openldap docs
http://www.openldap.org/faq/data/cache/185.html, copied the cacert.pem
to my Windows client, and when trying to connect the LDAP server returns:
daemon: new connection on 10
ldap_pvt_gethostbyname_a: host=dltinf01.discovery.co.za, r=0
daemon: added 10r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 62 01 03 01 00 39 00 00 00 20 .b....9...
tls_read: want=89, got=89
0000: 00 00 04 01 00 80 00 00 05 00 00 2f 00 00 33 00 .........../..3.
0010: 00 32 00 00 0a 07 00 c0 00 00 16 00 00 13 00 00 .2..............
0020: 09 06 00 40 00 00 15 00 00 12 00 00 03 02 00 80 ...@............
0030: 00 00 08 00 00 14 00 00 11 42 4d 08 ec 17 df 4a .........BM....J
0040: d4 72 47 d2 78 c4 bc 94 6f 03 42 6e 41 e3 e1 f4 .rG.x...o.BnA...
0050: ae 4f eb d9 35 09 f6 d0 14 .O..5....
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
tls_write: want=1271, written=1271
0000: 16 03 01 00 4a 02 00 00 46 03 01 42 4d 0c f1 4e ....J...F..BM..N
0010: 55 dd 58 ff 68 17 87 ae 0c 6d 65 5f 8c 19 3d 9d U.X.h....me_..=.
0020: b5 36 fc b7 eb d1 96 1d 75 88 7d 20 ca c2 dc a6 .6......u.} ....
0030: a5 2e 52 c8 d9 c5 93 23 d8 cd 46 e9 e1 ec e1 5b ..R....#..F....[
0040: fa 3d 32 31 05 38 2c 0c bf fa 29 e7 00 04 00 16 .=21.8,...).....
0050: 03 01 03 ee 0b 00 03 ea 00 03 e7 00 03 e4 30 82 ..............0.
0060: 03 e0 30 82 03 49 a0 03 02 01 02 02 01 01 30 0d ..0..I........0.
0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 9e ..*.H........0..
0080: 31 0b 30 09 06 03 55 04 06 13 02 5a 41 31 10 30 1.0...U....ZA1.0
0090: 0e 06 03 55 04 08 13 07 47 61 75 74 65 6e 67 31 ...U....Gauteng1
00a0: 15 30 13 06 03 55 04 07 13 0c 4a 6f 68 61 6e 6e .0...U....Johann
00b0: 65 73 62 75 72 67 31 12 30 10 06 03 55 04 0a 13 esburg1.0...U...
00c0: 09 44 69 73 63 6f 76 65 72 79 31 17 30 15 06 03 .Discovery1.0...
00d0: 55 04 0b 13 0e 44 69 73 63 6f 76 65 72 79 20 4c U....Discovery L
00e0: 69 66 65 31 11 30 0f 06 03 55 04 03 13 08 64 6c ife1.0...U....dl
00f0: 74 69 6e 66 30 31 31 26 30 24 06 09 2a 86 48 86 tinf011&0$..*.H.
0100: f7 0d 01 09 01 16 17 65 64 77 61 72 64 64 40 64 .......edwardd@d
0110: 69 73 63 6f 76 65 72 79 2e 63 6f 2e 7a 61 30 1e iscovery.co.za0.
0120: 17 0d 30 35 30 34 30 31 30 38 31 36 32 37 5a 17 ..050401081627Z.
0130: 0d 30 36 30 34 30 31 30 38 31 36 32 37 5a 30 81 .060401081627Z0.
0140: 9e 31 0b 30 09 06 03 55 04 06 13 02 5a 41 31 10 .1.0...U....ZA1.
0150: 30 0e 06 03 55 04 08 13 07 47 61 75 74 65 6e 67 0...U....Gauteng
0160: 31 15 30 13 06 03 55 04 07 13 0c 4a 6f 68 61 6e 1.0...U....Johan
0170: 6e 65 73 62 75 72 67 31 12 30 10 06 03 55 04 0a nesburg1.0...U..
0180: 13 09 44 69 73 63 6f 76 65 72 79 31 17 30 15 06 ..Discovery1.0..
0190: 03 55 04 0b 13 0e 44 69 73 63 6f 76 65 72 79 20 .U....Discovery 
01a0: 4c 69 66 65 31 11 30 0f 06 03 55 04 03 13 08 64 Life1.0...U....d
01b0: 6c 74 69 6e 66 30 31 31 26 30 24 06 09 2a 86 48 ltinf011&0$..*.H
01c0: 86 f7 0d 01 09 01 16 17 65 64 77 61 72 64 64 40 ........edwardd@
01d0: 64 69 73 63 6f 76 65 72 79 2e 63 6f 2e 7a 61 30 discovery.co.za0
01e0: 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 ..0...*.H.......
01f0: 00 03 81 8d 00 30 81 89 02 81 81 00 e0 08 93 75 .....0.........u
0200: ac 6c cc c7 44 ce c7 7d 5f 72 77 84 23 ab 3e 24 .l..D..}_rw.#.>$
0210: e5 7d 4a e7 56 ac 66 a2 8c 38 e0 12 ef c0 81 0c .}J.V.f..8......
0220: 0a b8 20 53 78 ee 4d 85 e6 7a 03 08 84 94 12 32 .. Sx.M..z.....2
0230: 3e 4d 60 29 90 f8 94 db 92 fc 16 9a 0b 39 34 58 >M`).........94X
0240: c3 57 f7 31 2e 25 76 95 ac 1f a3 7a 8b 42 a9 8f .W.1.%v....z.B..
0250: d2 3c 0b 03 ea a9 a6 0c 12 51 7a 25 df a1 4f 45 .<.......Qz%..OE
0260: f0 7a ea 5c 16 f1 01 5e 92 fb f1 c3 4b 89 5b b8 .z.\...^....K.[.
0270: 17 7c e9 65 16 ba df 61 5d 22 8e d9 02 03 01 00 .|.e...a]"......
0280: 01 a3 82 01 2a 30 82 01 26 30 09 06 03 55 1d 13 ....*0..&0...U..
0290: 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01 ..0.0,..`.H...B.
02a0: 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e .....OpenSSL Gen
02b0: 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 erated Certifica
02c0: 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 a0 b7 f9 te0...U.........
02d0: 44 93 eb de 46 d5 b9 cb 23 6a db 28 04 ec 4d d5 D...F...#j.(..M.
02e0: 19 30 81 cb 06 03 55 1d 23 04 81 c3 30 81 c0 80 .0....U.#...0...
02f0: 14 70 04 ec 05 aa 43 21 fe 95 a9 43 79 7a 9b 8f .p....C!...Cyz..
0300: ba d7 42 13 a4 a1 81 a4 a4 81 a1 30 81 9e 31 0b ..B........0..1.
0310: 30 09 06 03 55 04 06 13 02 5a 41 31 10 30 0e 06 0...U....ZA1.0..
0320: 03 55 04 08 13 07 47 61 75 74 65 6e 67 31 15 30 .U....Gauteng1.0
0330: 13 06 03 55 04 07 13 0c 4a 6f 68 61 6e 6e 65 73 ...U....Johannes
0340: 62 75 72 67 31 12 30 10 06 03 55 04 0a 13 09 44 burg1.0...U....D
0350: 69 73 63 6f 76 65 72 79 31 17 30 15 06 03 55 04 iscovery1.0...U.
0360: 0b 13 0e 44 69 73 63 6f 76 65 72 79 20 4c 69 66 ...Discovery Lif
0370: 65 31 11 30 0f 06 03 55 04 03 13 08 64 6c 74 69 e1.0...U....dlti
0380: 6e 66 30 31 31 26 30 24 06 09 2a 86 48 86 f7 0d nf011&0$..*.H...
0390: 01 09 01 16 17 65 64 77 61 72 64 64 40 64 69 73 .....edwardd@dis
03a0: 63 6f 76 65 72 79 2e 63 6f 2e 7a 61 82 01 00 30 covery.co.za...0
03b0: 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 ...*.H..........
03c0: 81 00 ae e5 15 bf 43 8c 19 ce 1c ed 28 71 73 55 ......C.....(qsU
03d0: 36 49 7e b3 0a 6c 08 d2 23 83 de a6 27 c4 da f1 6I~..l..#...'...
03e0: 6f c2 b1 f9 07 8d 56 db cc fd 06 24 f7 52 ea 21 o.....V....$.R.!
03f0: bb 33 0e 8a e4 b4 26 fc 74 10 71 14 ca 0d 56 95 .3....&.t.q...V.
0400: 6b 58 cd f5 7b 0d 36 0e 2b 7c 39 29 47 6a b9 19 kX..{.6.+|9)Gj..
0410: 23 10 9c 8c 4d ba 50 40 8f fb 25 d5 cc e0 72 86 #...M.P@..%...r.
0420: 2c 4d 7f d4 ea 75 0d be 87 6e c0 36 55 f4 04 bb ,M...u...n.6U...
0430: 19 2b 2f b0 f0 f2 85 a5 71 ef 96 64 5e 84 4e 7a .+/.....q..d^.Nz
0440: fb a5 16 03 01 00 b0 0d 00 00 a8 02 01 02 00 a3 ................
0450: 00 a1 30 81 9e 31 0b 30 09 06 03 55 04 06 13 02 ..0..1.0...U....
0460: 5a 41 31 10 30 0e 06 03 55 04 08 13 07 47 61 75 ZA1.0...U....Gau
0470: 74 65 6e 67 31 15 30 13 06 03 55 04 07 13 0c 4a teng1.0...U....J
0480: 6f 68 61 6e 6e 65 73 62 75 72 67 31 12 30 10 06 ohannesburg1.0..
0490: 03 55 04 0a 13 09 44 69 73 63 6f 76 65 72 79 31 .U....Discovery1
04a0: 17 30 15 06 03 55 04 0b 13 0e 44 69 73 63 6f 76 .0...U....Discov
04b0: 65 72 79 20 4c 69 66 65 31 11 30 0f 06 03 55 04 ery Life1.0...U.
04c0: 03 13 08 64 6c 74 69 6e 66 30 31 31 26 30 24 06 ...dltinf011&0$.
04d0: 09 2a 86 48 86 f7 0d 01 09 01 16 17 65 64 77 61 .*.H........edwa
04e0: 72 64 64 40 64 69 73 63 6f 76 65 72 79 2e 63 6f rdd@discovery.co
04f0: 2e 7a 61 0e 00 00 00 .za....
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 2e ..
TLS trace: SSL3 alert read:fatal:certificate unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown s3_pkt.c:1052
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
daemon: removing 10
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
This process was working fine in my previous DEV implementation. Now it
is not working from JXplorer or my custom Java SSL client. Any pointers
would be greatly appreciated.
Tuesday Lobsang Rampa
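As an added example (not code from the thread or from OpenLDAP), here is a small Python triage script for the kind of `TLS trace:` output posted above. It reads the handshake trace, decodes the two-byte alert record that appears on the wire (`15 03 01 00 02` followed by `02 2e`), and checks the `TLSVerifyClient` level in a slapd.conf fragment against the levels slapd.conf(5) documents (never, allow, try, demand with its synonyms hard and true). One detail worth reading off the trace: OpenSSL labels an alert `read` when slapd received it from the peer and `write` when slapd sent it, so a fatal `certificate unknown` that was read by the server came from the client, and a server-side rejection of a client certificate would show up as an alert write. The sample trace, alert bytes and configuration text are constructed for the example.

```python
import re

# Constructed excerpt modelled on the slapd trace in the thread (hand-written
# for this example, not the original log).
SAMPLE_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL3 alert read:fatal:certificate unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
"""

# Alert record as it appeared in the tls_read dumps: 5-byte record header, 2-byte body.
SAMPLE_ALERT_RECORD = bytes.fromhex("15 03 01 00 02 02 2e")

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of alert descriptions from RFC 5246 section 7.2.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}


def decode_alert_record(raw: bytes) -> dict:
    """Decode a TLS record of content type alert (0x15): header, then level and description."""
    if len(raw) != 7 or raw[0] != 0x15:
        raise ValueError("not a well-formed TLS alert record")
    if int.from_bytes(raw[3:5], "big") != 2:
        raise ValueError("alert body must be exactly two bytes")
    level, description = raw[5], raw[6]
    return {
        "version": f"{raw[1]}.{raw[2]}",
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
    }


TRACE_RE = re.compile(r"^TLS trace: (.+)$")


def triage_trace(trace: str) -> dict:
    """Walk the handshake trace and report where it stopped and which side gave up."""
    result = {"client_cert_requested": False, "alert_from_client": None,
              "alert_from_server": None, "failed_state": None, "findings": []}
    for line in trace.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group(1)
        if "write certificate request" in msg:
            result["client_cert_requested"] = True
        elif msg.startswith("SSL3 alert read:"):      # alert received from the peer
            result["alert_from_client"] = msg.split(":", 1)[1]
        elif msg.startswith("SSL3 alert write:"):     # alert sent by slapd
            result["alert_from_server"] = msg.split(":", 1)[1]
        elif "failed in " in msg:
            result["failed_state"] = msg.split("failed in ", 1)[1]
    f = result["findings"]
    if result["client_cert_requested"]:
        f.append("server sent a CertificateRequest, so TLSVerifyClient is not 'never'; "
                 "with demand/hard/true a client without a trusted certificate is refused")
    if result["alert_from_client"]:
        f.append("alert was READ by slapd, i.e. sent by the client: the client rejected what "
                 "the server presented (usually an untrusted server certificate chain), "
                 "so check the client's trust store as well as the server config")
    if result["alert_from_server"]:
        f.append("alert was WRITTEN by slapd: the server rejected the client; "
                 "check TLSVerifyClient and TLSCACertificateFile on the server")
    return result


def verify_client_level(conf_text: str) -> dict:
    """Report the effective TLSVerifyClient level from slapd.conf text (default: never)."""
    level = "never"
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "tlsverifyclient":
            level = parts[1].lower()
    return {
        "level": level,
        "valid": level in {"never", "allow", "try", "demand", "hard", "true"},
        "requests_client_cert": level != "never",
        "rejects_missing_cert": level in {"demand", "hard", "true"},
    }


if __name__ == "__main__":
    for finding in triage_trace(SAMPLE_TRACE)["findings"]:
        print("-", finding)
    print(decode_alert_record(SAMPLE_ALERT_RECORD))
    print(verify_client_level("TLSVerifyClient demand\n"))
```

Run against a real `slapd -d` capture, the script points at the side that aborted before anyone edits slapd.conf: a CertificateRequest plus an alert read from the client means two separate questions (does the server really need client certificates, and does the client trust the server's CA), and only the first is answered by changing TLSVerifyClient.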