TLS configuration needs client certification (why?)
Hello all,
Why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on
Debian (package 2.3.30-5 to be precise).
When connecting with SSL to slapd using
ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
I get the following error from slapd (started with -d 8):
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
When connecting to the same host but with the ldap protocol (instead of
ldaps), the search returns its results correctly.
This error looks as if slapd somehow wants to get a client certificate,
but I did not set slapd up that way. The ldap.conf on the client
machines only contains the CA certificate field:
TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt
Relevant parts from slapd.conf (included in full at the end of the
message):
TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none
Verification with openssl s_server and s_client:
openssl s_server -accept 12345 -cert /etc/ldap/artemis-ldap-cert.pem -key /etc/ldap/artemis-ldap-key.pem -CAfile /usr/share/ca-certificates/t310/t310_pem.crt
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
and the client:
openssl s_client -CAfile /etc/ssl/certs/t310_pem.pem -connect artemis.t310.org:12345
allows me to exchange data between them. However, connecting the
s_client to the real ldap server results in an error:
artemis:~# openssl s_client -CAfile /etc/ssl/certs/t310_pem.pem -connect artemis.t310.org:636
CONNECTED(00000003)
depth=1 /O=T310 technologies/OU=CA Division/emailAddress=ca@t310.org/L=Amsterdam/ST=NH/C=NL/CN=T310 root CA
verify return:1
depth=0 /C=NL/ST=NH/O=T310 technologies/OU=ldap/CN=artemis.t310.org
verify return:1
15612:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
15612:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Any help is appreciated.
Frank Cornelissen
Attachment: slapd.conf
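Added example (not part of the post above, and not OpenLDAP or OpenSSL code): a small decoder for the OpenSSL error codes quoted in the post. OpenSSL 1.x packs each error as ERR_PACK(lib, func, reason), and for libssl a reason of 1000 + N means "received TLS alert N", so the hex code alone says which alert the peer sent (here 0x14094410 carries reason 1040, i.e. alert 40, handshake_failure). The only assumption beyond the log format is the mapping of slapd's TLSVerifyClient demand/hard to SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which is marked in a comment.

```python
"""Decode OpenSSL 1.x error codes from slapd and s_client output.

Added example, not taken from the post or from OpenLDAP/OpenSSL.
    code = (lib << 24) | (func << 12) | reason
For libssl (lib 20), reason >= 1000 encodes a received TLS alert (reason - 1000).
"""
import re

# TLS alert descriptions (RFC 5246 section 7.2; 116 added by RFC 8446).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 116: "certificate_required",
}

ERR_LIB_SSL = 20             # ERR_LIB_SSL in OpenSSL's err.h
SSL_AD_REASON_OFFSET = 1000  # reason >= 1000 encodes a received alert

# error:<8 hex digits>:<lib>:<function>:<reason>[:file:line:...]
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)"
)


def decode_code(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_line(line):
    """Parse one log line; return a dict, or None if it carries no OpenSSL error."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    lib, func, reason = decode_code(code)
    # slapd separates the reason text and source file with a space, not a colon.
    reason_text = re.sub(r"\s+\S+\.c$", "", m.group("reason").strip())
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "func_name": m.group("func"), "reason_text": reason_text,
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
    }


def summarize(lines):
    """Decode every error line and state what the failure means for the operator."""
    entries = [e for e in map(decode_line, lines) if e is not None]
    # A server only reports "peer did not return a certificate" when its verify
    # mode includes SSL_VERIFY_FAIL_IF_NO_PEER_CERT; slapd sets that flag for
    # TLSVerifyClient demand/hard (assumption drawn from OpenLDAP's tls.c).
    demanded = any(
        e["func_name"] == "SSL3_GET_CLIENT_CERTIFICATE"
        and "did not return a certificate" in e["reason_text"]
        for e in entries
    )
    alerts = [e["alert"] for e in entries if e["alert"] is not None]
    return {"entries": entries, "server_demanded_client_cert": demanded,
            "alerts_received": alerts}


# Lines quoted in the post, re-joined where the mail client wrapped them.
SLAPD_LOG = [
    "TLS: can't accept.",
    "TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:"
    "peer did not return a certificate s3_srvr.c:2455",
]
S_CLIENT_LOG = [
    "15612:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake "
    "failure:s3_pkt.c:1057:SSL alert number 40",
    "15612:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:"
    "s23_lib.c:188:",
]

if __name__ == "__main__":
    for name, log in (("slapd", SLAPD_LOG), ("s_client", S_CLIENT_LOG)):
        s = summarize(log)
        for e in s["entries"]:
            tag = ""
            if e["alert"] is not None:
                tag = f" (TLS alert {e['alert']} = {e['alert_name']})"
            print(f"{name}: lib={e['lib']} func={e['func']} ({e['func_name']}) "
                  f"reason={e['reason']} \"{e['reason_text']}\"{tag}")
        print(f"{name}: server demanded client cert: "
              f"{s['server_demanded_client_cert']}")
```

One caveat for the s_server comparison in the post: openssl s_server only sends a CertificateRequest when started with -verify (request, optional) or -Verify (require), so a plain s_server invocation cannot reproduce a "peer did not return a certificate" failure; running it with -Verify 1 and the same -CAfile is the closer equivalent of a server that demands a client certificate.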