[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS configuration needs client certification (why?)

To: openldap-software@openldap.org
Subject: TLS configuration needs client certification (why?)
From: Frank Cornelissen <frankc@t310.org>
Date: Wed, 15 Aug 2007 09:00:58 +0200

Hello all,

why does slapd require a peer/client certificate? I'm slapd 2.3.30 on debian (package 2.3.30-5 to be precise).

when connexting with ssl to slapd using

        ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x

I get the following error from slapd (started with -d 8):

TLS: can't accept. TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455

When connecting to the same host but with the ldap protocol (vs ldaps) the search results correctly.

This error seems like somehow slapd wants to get a client certficate, but I did not set slapd up that way. The ldap.conf on the client machines only contains the CA certificate field:

        TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt

relevant parts from slapd.conf (included in total at the end of message):

        TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
        TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
        TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
        #TLSVerifyClient never
        #TLSCRLCheck none

verification with openssl s_server and s_client:

openssl s_server -accept 12345 -cert /etc/ldap/artemis-ldap- cert.pem -key /etc/ldap/artemis-ldap-key.pem -CAfile /usr/share/ca- certificates/t310/t310_pem.crt Using default temp DH parameters Using default temp ECDH parameters ACCEPT

and the client:

openssl s_client -CAfile /etc/ssl/certs/t310_pem.pem - connect artemis.t310.org:12345

allows me to exchange data between them. However connecting the s_client to the real ldap server results in an error:

artemis:~# openssl s_client -CAfile /etc/ssl/certs/ t310_pem.pem -connect artemis.t310.org:636 CONNECTED(00000003) depth=1 /O=T310 technologies/OU=CA Division/ emailAddress=ca@t310.org/L=Amsterdam/ST=NH/C=NL/CN=T310 root CA verify return:1 depth=0 /C=NL/ST=NH/O=T310 technologies/OU=ldap/ CN=artemis.t310.org verify return:1 15612:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40 15612:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Any help is appreciated


Frank Cornelissen

Attachment: slapd.conf
Description: Binary data

Follow-Ups:
- libnss-ldap and slapd (was: TLS configuration needs client certification (why?))
  - From: Frank Cornelissen <frankc@t310.org>
- Re: TLS configuration needs client certification (why?)
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: High availability
Next by Date: Re: preserve value order with referential integrity overlay?
Index(es):
- Chronological
- Thread