
Re: SSL/TLS problem



Hello.

> TLSVerifyClient         demand
With this line you tell slapd to request a client certificate during the
handshake, and the client cert is mandatory ( see
http://www.openldap.org/doc/admin22/tls.html#TLS%20Configuration )

> And these lines to /etc/ldap/ldap.conf :
> TLS_CACERT      /etc/ldap/cfg/ssl/cacert.pem
> TLS_REQCERT     demand
But in your ldap.conf, you only provide the CA cert and no TLS_[CERT|KEY]
directive ( man ldap.conf )

> I got these errors :
> ldap_start_tls: Connect error (-11)
>         additional info: error:14094410:SSL
>         routines:SSL3_READ_BYTES:sslv3 alert handshake failure
QED ;)

To check that your SSL/TLS configuration is good, try to change
TLSVerifyClient to a lower level. Try for example never ( the lowest one
).
After that, you should create and sign ( with your previous CA cert ) a
new cert for your client and check that with demand it's working.

Hope this helps.

    David
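The "create and sign a client cert with your CA, then point ldap.conf at it" step above, as an added shell example (not from this thread or from the OpenLDAP project); it builds a throwaway CA standing in for the poster's cacert.pem, and the directory, subject names and file names are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: make a client cert that slapd with
# "TLSVerifyClient demand" will accept, and write the matching ldap.conf.
set -e

# make_client_cert DIR: constructed CA (stands in for the poster's
# /etc/ldap/cfg/ssl/cacert.pem), a client key/CSR, a CA-signed client cert,
# and a chain check equivalent to what slapd does on "demand".
make_client_cert() {
    dir="$1"
    # Throwaway CA (assumption: in practice reuse your existing CA key/cert)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/cacert.pem" \
        -subj "/CN=Example LDAP CA" >/dev/null 2>&1
    # Client key and certificate signing request
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=ldap-client" >/dev/null 2>&1
    # "create and sign": issue the client cert with the CA
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" >/dev/null 2>&1
    # Fails (non-zero) if the client cert does not chain to the CA,
    # which is exactly the case that produces the handshake failure alert.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/client.pem" >/dev/null 2>&1
}

# write_ldap_conf DIR: client-side ldap.conf with the two directives the
# original post was missing (TLS_CERT / TLS_KEY); prints the file path.
write_ldap_conf() {
    dir="$1"
    cat > "$dir/ldap.conf" <<EOF
TLS_CACERT      $dir/cacert.pem
TLS_CERT        $dir/client.pem
TLS_KEY         $dir/client.key
TLS_REQCERT     demand
EOF
    echo "$dir/ldap.conf"
}

# Usage: d=$(mktemp -d); make_client_cert "$d" && write_ldap_conf "$d"
```

Run with `LDAPCONF=/path/to/ldap.conf ldapsearch -ZZ ...` against the server to confirm the handshake now completes with `demand` on both sides.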