
Re: Problem verifying self signed certificate



Hi,

On Friday, 2. September 2005 08:35, James Wilde wrote:
> I've googled on this problem and found a number of situations, none of
> which has given me a lead to solving my problem.
>
> On our certificate server, running Openssl v0.9.7f, I have created a
> self signed CA certificate which so far has worked well.
>
> Now I'm setting up an Openldap server as follows:  It's running RedHat
> Enterprise Linux v4, Openssl v0.9.7a and Openldap v2.2.13.  I've had any
> amount of trouble making sasl work and given up in favour of TLS.  Now
> I'm having problems with this and it seems to be related to the validity
> of the CA certificate.
>
> Here's the output of a test I ran:
>
> [root@log1 openldap]# openssl s_client -connect localhost:389 -showcerts
> -state -CAfile /usr/share/ssl/certs/cacert.pem
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> 24425:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:
>
> For a bit more detail on the possible nature of the handshake failure,
> here is a snippet from the attempt to run a replication over TLS:
>
> TLS certificate verification: depth: 1, err: 19, subject:
> /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
> Certificate Authority/emailAddress=inoc@glocalnet.com, issuer:
> /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
> Certificate Authority/emailAddress=inoc@glocalnet.com
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_start_tls failed: Connect error (-11)
> ldap_unbind
> ldap_free_connection
> ldap_send_unbind
> ber_flush: 7 bytes to sd 6
>   0000:  30 05 02 01 02 42 00                               0....B.
> ldap_write: want=7, written=7
>   0000:  30 05 02 01 02 42 00                               0....B.
> ldap_free_connection: actually freed
> fm: exiting
>
> I'd very much appreciate a hint as to what might be the problem and how
> to fix it.

AFAIK this is expected behaviour as you cannot use a self-signed server 
certificate with openLDAP.

OpenLDAP expects you to use a server certificate that is different from the 
certificate of the issuing CA.

Peter





-- 
Peter Marschall
eMail: peter@adpm.de
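An added example, not part of the thread or of OpenLDAP itself: a small Python checker that parses the "TLS certificate verification" trace line quoted above, maps OpenSSL's numeric verify code (19 here is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) to its name, and flags when the certificate at that depth is its own issuer, the symptom to look for when the client's -CAfile or TLSCACertificateFile does not contain the CA that signed the server's chain. The sample log line is the one from the thread, joined onto a single line; the code mapping covers only the few codes commonly seen in this situation.

```python
import re

# OpenSSL X509_V_ERR_* codes commonly seen in OpenLDAP "TLS certificate verification" lines.
X509_VERIFY_ERRORS = {
    0: "X509_V_OK",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}
VERIFY_LINE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+),"
    r" subject: (?P<subject>.+?), issuer: (?P<issuer>.+)$")

def parse_verify_line(line):
    """Return depth/err/subject/issuer for one verification line, else None."""
    m = VERIFY_LINE.search(line.strip())
    if m is None:
        return None
    return {"depth": int(m["depth"]), "err": int(m["err"]),
            "subject": m["subject"].strip(), "issuer": m["issuer"].strip()}

def diagnose(rec):
    """Name the OpenSSL verify code and say what it means for this chain."""
    name = X509_VERIFY_ERRORS.get(rec["err"], "X509_V_ERR_%d" % rec["err"])
    self_signed = rec["subject"] == rec["issuer"]   # root-style certificate
    if rec["err"] == 0:
        hint = "certificate at depth %d verified" % rec["depth"]
    elif rec["err"] == 19 and self_signed:
        hint = ("self-signed CA at depth %d is in the server's chain but not "
                "in the client's trust store (-CAfile / TLSCACertificateFile)"
                % rec["depth"])
    elif rec["err"] == 18:
        hint = "server presented a self-signed leaf certificate at depth 0"
    elif rec["err"] == 20:
        hint = "issuer of the certificate at depth %d is not in the trust store" % rec["depth"]
    else:
        hint = "unhandled verify code; consult the OpenSSL verify(1) error list"
    return {"name": name, "self_signed": self_signed, "hint": hint}

def analyse(log_text):
    # Diagnose every verification line found in a chunk of OpenLDAP debug output.
    recs = (parse_verify_line(l) for l in log_text.splitlines())
    return [(r["depth"], diagnose(r)) for r in recs if r]

# Constructed sample: the line quoted in the thread, unwrapped onto one line.
SAMPLE = ("TLS certificate verification: depth: 1, err: 19, subject: "
          "/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet "
          "Certificate Authority/emailAddress=inoc@glocalnet.com, issuer: "
          "/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet "
          "Certificate Authority/emailAddress=inoc@glocalnet.com")
```

Run `analyse(SAMPLE)` to get one finding at depth 1 naming X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN with self_signed set; the same function can be pointed at a full `slapd -d` or `ldapsearch -d` capture.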