
TLS/SSL problem - unsupported certificate purpose



Hello,

I found a very similar and recent post on the mailing list but no solution.
Maybe I missed something.

I migrated my OpenLDAP server from Debian Sarge (slapd 2.2.23-8)
to Debian Etch (slapd 2.3.30-5).

On Sarge all was working fine (LDAP server with and without SSL),
but now SSL access is unusable.
Using clear access (port 389) the LDAP server works fine.

With SSL, I checked all my certificates (Root CA and LDAP certificate) and
renewed all of them, without success.
Always the same error message.

Although everything seems OK about the certificates.

# openssl x509 -in LDAPserver-cert.pem -text -noout 
========================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=MYDOMAIN, CN=mydomain.net Root
	CA/emailAddress=user@mydomain.net
        Validity
            Not Before: Apr 19 21:47:31 2007 GMT
            Not After : Apr 18 21:47:31 2008 GMT
        Subject: C=FR, ST=France, L=Nice, O=MYDOMAIN,
	CN=fully_qualified_name_machine.mydomain.net/emailAddress=user@mydomain.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c2:20:97:ed:17:fa:d5:87:bd:c8:1e:36:4c:e5:
                    3e:30:25:2b:e1:35:71:89:9f:68:55:38:41:e2:00:
                    .........
                    75:5b:c4:bd:62:dc:43:df:b2:9c:9f:c9:e5:bd:fb:
                    9e:bb:fc:51:ba:60:3e:53:6c:e9:b3:85:56:9a:7e:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                Object Signing
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                CE:19:D6:9C:..............................
            X509v3 Authority Key Identifier: 
             keyid:4D:58:60:..............................

    Signature Algorithm: sha1WithRSAEncryption
        48:f0:90:2f:93:cb:ae:93:3f:ac:c9:d8:7e:2f:95:1f:9b:86:
        ca:aa:34:a7:f0:63:e4:aa:1d:47:8d:ad:6f:ed:e1:d6:58:7d:
         ....................................................
        30:b5:37:21:c5:3e:1a:f3:f6:29:1a:17:6d:c6:fb:06:d2:44:
        20:24:b4:9e
=============================



# ldapsearch -d1 -x -H ldaps://localhost:636/
gives me the following answer:
==================================
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 26,
subject: /C=FR/ST=France/L=Nice/O=MYDOMAIN/CN=fully_qualified_name_machine.mydomain.net
/emailAddress=user@mydomain.net,
issuer: /C=FR/ST=France/O=MYDOMAIN/CN=my domain.net
RootCA/emailAddress=user@mydomain.net 

TLS certificate verification: Error, unsupported certificate purpose 
TLS trace: SSL3 alert write:fatal:unsupported certificate 
TLS trace: SSL_connect:error in SSLv3 read server certificate B 
TLS trace: SSL_connect:error in SSLv3 read server certificate B 
TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
============================================

I'm just wondering what's wrong.
I've been searching for a few days.

Is something wrong with LDAP server 2.3.30?
Did I miss some evidence?

If someone can give me any light, because I feel alone without any solution.

-- 
Regards.
Jean-Claude
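The server certificate dumped above carries only "Netscape Cert Type: Object Signing", and the client-side failure is OpenSSL verification error 26 (X509_V_ERR_INVALID_PURPOSE, printed as "unsupported certificate purpose"). OpenSSL's TLS-server purpose check rejects a certificate that has an nsCertType extension without the SSL server bit, regardless of how valid the rest of the chain is. The script below is an added example, not code from the post or from OpenLDAP: it builds a throwaway CA and two leaf certificates (one with nsCertType=objsign, one with nsCertType=server, hypothetical names) and then runs the two checks a defender would use to diagnose this before touching slapd: `openssl x509 -purpose`, which reports whether the certificate may act as an SSL server, and `openssl verify -purpose sslserver`, which reproduces the error the LDAP client sees.

```shell
#!/bin/sh
# Added example (not from the original post or OpenLDAP): reproduce and diagnose
# the "unsupported certificate purpose" error with the openssl CLI only.
# All names, keys and certificates are constructed throwaway material.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed root CA (hypothetical subject, temporary key).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=EXAMPLE/CN=example.test Root CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1

# issue_cert NSCERTTYPE NAME: issue NAME.pem signed by the CA with the given
# Netscape Cert Type extension (the extension shown in the post's dump).
issue_cert() {
    printf 'basicConstraints=CA:FALSE\nnsCertType=%s\n' "$1" > ext.cnf
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -extfile ext.cnf -out "$2.pem" >/dev/null 2>&1
}

# ssl_server_purpose CERT: prints "Yes" or "No" from the "SSL server" line of
# openssl x509 -purpose, i.e. whether OpenSSL will accept it as a TLS server cert.
ssl_server_purpose() {
    openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL server : //p'
}

# verify_sslserver CERT: chain verification with the sslserver purpose, the
# same check the LDAP client performs. Prints "ok", the purpose error text,
# or any other verify output. Exit status is deliberately not relied on,
# because old openssl releases returned 0 even on verification failure.
verify_sslserver() {
    out=$(openssl verify -purpose sslserver -CAfile ca.pem "$1" 2>&1 || true)
    case "$out" in
        *"unsupported certificate purpose"*) echo "unsupported certificate purpose" ;;
        *": OK"*) echo ok ;;
        *) echo "$out" ;;
    esac
}

# Leaf with Object Signing only, like the certificate in the post.
issue_cert objsign objsign
# Leaf with the SSL server bit, which is what an ldaps:// listener needs.
issue_cert server server

echo "objsign.pem  SSL server purpose: $(ssl_server_purpose objsign.pem)"
echo "objsign.pem  verify -purpose sslserver: $(verify_sslserver objsign.pem)"
echo "server.pem   SSL server purpose: $(ssl_server_purpose server.pem)"
echo "server.pem   verify -purpose sslserver: $(verify_sslserver server.pem)"
```

Run the same two commands against the real LDAPserver-cert.pem and Root CA file to confirm the diagnosis on a live system; if "SSL server : No" shows up, reissue the certificate with nsCertType=server (or drop the Netscape extension and use extendedKeyUsage=serverAuth) rather than adjusting the client's verification settings.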