Re: Problem verifying self signed certificate
Hi,
On Friday, 2. September 2005 08:35, James Wilde wrote:
> I've googled on this problem and found a number of situations, none of
> which has given me a lead to solving my problem.
>
> On our certificate server, running Openssl v0.9.7f, I have created a
> self signed CA certificate which so far has worked well.
>
> Now I'm setting up an Openldap server as follows: It's running RedHat
> Enterprise Linux v4, Openssl v0.9.7a and Openldap v2.2.13. I've had any
> amount of trouble making sasl work and given up in favour of TLS. Now
> I'm having problems with this and it seems to be related to the validity
> of the CA certificate.
>
> Here's the output of a test I ran:
>
> [root@log1 openldap]# openssl s_client -connect localhost:389 -showcerts
> -state -CAfile /usr/share/ssl/certs/cacert.pem
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> 24425:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:
>
> For a bit more detail on the possible nature of the handshake failure,
> here is a snippet from the attempt to run a replication over TLS:
>
> TLS certificate verification: depth: 1, err: 19, subject:
> /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
> Certificate Authority/emailAddress=inoc@glocalnet.com, issuer:
> /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
> Certificate Authority/emailAddress=inoc@glocalnet.com
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_start_tls failed: Connect error (-11)
> ldap_unbind
> ldap_free_connection
> ldap_send_unbind
> ber_flush: 7 bytes to sd 6
> 0000: 30 05 02 01 02 42 00 0....B.
> ldap_write: want=7, written=7
> 0000: 30 05 02 01 02 42 00 0....B.
> ldap_free_connection: actually freed
> fm: exiting
>
> I'd very much appreciate a hint as to what might be the problem and how
> to fix it.
AFAIK this is expected behaviour as you cannot use a self-signed server
certificate with openLDAP.
OpenLDAP expects you to use a server certificate that is different from the
certificate of the issuing CA.
Peter
--
Peter Marschall
eMail: peter@adpm.de
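As an added example, not from either poster, here is a small Python helper that parses the slapd "TLS certificate verification" line quoted above, checks whether the certificate that failed is self-signed, and says which side of the configuration that points at (a self-signed leaf at depth 0 is what Peter describes; a self-signed root at depth 1, as in the log, is one the client does not trust). The error names for codes other than 19 and the ldap.conf directive TLS_CACERT come from OpenSSL and OpenLDAP documentation, not from this thread.

```python
import re

# X509_V_ERR_* codes as slapd prints them in "err:"; 19 is the one in the log above.
X509_ERR = {
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
}

_LINE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>/.*?), issuer: (?P<issuer>/.*?)(?= TLS |$)"
)

def parse_verification(log_text):
    """Return depth/err/subject/issuer of the first verification line (DNs may be wrapped)."""
    m = _LINE.search(" ".join(log_text.split()))
    if not m:
        return None
    return {"depth": int(m["depth"]), "err": int(m["err"]),
            "subject": m["subject"], "issuer": m["issuer"]}

def diagnose(log_text):
    """Say which certificate failed, whether it is self-signed, and what to check."""
    rec = parse_verification(log_text)
    if rec is None:
        return None
    rec["self_signed"] = rec["subject"] == rec["issuer"]
    rec["reason"] = X509_ERR.get(rec["err"], "X509_V_ERR code %d" % rec["err"])
    if rec["self_signed"] and rec["depth"] == 0:
        # The leaf itself is self-signed: the server is presenting the CA
        # certificate as its own server certificate.
        rec["hint"] = "server presents a self-signed leaf; issue it a separate CA-signed certificate"
    elif rec["self_signed"]:
        # Self-signed at depth >= 1: the chain's root is not in the trust store
        # the client actually loads (e.g. TLS_CACERT in ldap.conf).
        rec["hint"] = "root at depth %d is not trusted; check the client's CA file" % rec["depth"]
    else:
        rec["hint"] = "issuer %s missing from chain and trust store" % rec["issuer"]
    return rec

# Constructed sample: the verification lines from the log above, wrapped as in the mail.
SAMPLE_LOG = """\
TLS certificate verification: depth: 1, err: 19, subject:
/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
Certificate Authority/emailAddress=inoc@glocalnet.com, issuer:
/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
Certificate Authority/emailAddress=inoc@glocalnet.com
TLS certificate verification: Error, self signed certificate in certificate chain
"""
```

Running `diagnose(SAMPLE_LOG)` on the quoted log reports depth 1, error 19, a subject equal to its issuer, and a hint to check the CA file the client loads.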