[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP+TLS

To: Net Warrior <netwarrior863@gmail.com>
Subject: Re: LDAP+TLS
From: Howard Chu <hyc@symas.com>
Date: Mon, 06 Nov 2006 14:25:17 -0800
Cc: openldap-software@openldap.org
In-reply-to: <f66a6bc10611060953i77780edfn1ccbf0f994b495e9@mail.gmail.com>
References: <f66a6bc10611060953i77780edfn1ccbf0f994b495e9@mail.gmail.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061029 Netscape/7.2 (ax) Firefox/1.5 SeaMonkey/1.5a

Net Warrior wrote:

With this configuration everything seems to work fine, but now, what I want to do is to force my clients to use a certificate to connect, so, if I did not misundestrand it wrong, the demand options is a must.

So, when I change TLSVerifyClient never to demand. I've get the following ( alway on my server )

linux:/etc/ssl # openssl s_client -connect localhost:636 -state -showcerts -CAfile cacert.pem

This invocation of s_client didn't provide the -cert or -key options, so no client certificate was used. Naturally the handshake fails.

Learn to use the OpenSSL tools.

CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=AU/ST=Some State/L=City/O=Internet Widgits Pty Ltd/OU=Section/CN=localhost/emailAddress= test@company.com <mailto:test@company.com> verify return:1 depth=0 /C=AU/ST=Some Even State/L=City/O=Internet Widgits Pty Ltd/OU=Section/CN=localhost/emailAddress=test@company.com <mailto:test@company.com> verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL3 alert read:fatal:handshake failure SSL_connect:failed in SSLv3 read finished A 6274:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40 6274:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

Making some searches in the mailing list I found a guy who had the same problem, and he was told that with the demand option we force slapd to ask for a client certificate, and that the client certificate is a must. Well, now, I do not get it, cuz I'm authenticating against myself, with teh certificates I generated before, maybe ai have to generate a separate pair of certificates, do not know.

With never, and always it works as suggested by someone in the list, who said that first we need try a lower option (never, allow ) to test if the server works ) my problem is with the demand option.
What am I mising here?
Sorry for my stupidity, I do not get it yet.
Thanks in advance and or your valuable time.
Greets.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

Follow-Ups:
- Re: LDAP+TLS
  - From: "Net Warrior" <netwarrior863@gmail.com>

References:
- LDAP+TLS
  - From: "Net Warrior" <netwarrior863@gmail.com>

Prev by Date: Re: Is it safe to use slapcat for live ldap server backups?
Next by Date: Maximum number objects
Index(es):
- Chronological
- Thread