[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS verify errors

To: openldap-software@openldap.org
Subject: TLS verify errors
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Wed, 15 Aug 2007 16:19:59 -0700
Content-disposition: inline

I've run into an interesting issue where if I set up a .ldaprc for the user running slapd with:

BASE ""
TLS_CACERT /opt/zimbra/conf/ca/ca.pem


slapd will fail to start with:

TLS: could not load client CA list (file:`/opt/zimbra/conf/ca/ca.pem',dir:`'). TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642


It is not an issue with being able to read the cert as:

cat /opt/zimbra/conf/ca/ca.pem
-----BEGIN TRUSTED CERTIFICATE-----
.....
-----END TRUSTED CERTIFICATE-----

works just fine. If I change it to TLSCACERTDIR and adjust to a path, then slapd starts just fine, but I can't negotiate STARTTLS for the same reason.

Using openssl to verify the slapd cert (which is signed by this CA) shows everything is correct, as well:

/usr/bin/openssl verify -CAfile /opt/zimbra/conf/ca/ca.pem -purpose sslclient /opt/zimbra/conf/slapd.crt /opt/zimbra/conf/slapd.crt: OK

I'm not really sure why defining a CA cert for the client to use stops slapd from working, either. Seems rather odd to me.


Thoughts appreciated. ;)

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Follow-Ups:
- Re: TLS verify errors
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: preserve value order with referential integrity overlay?
Next by Date: x-ordered extension doesn't work (openldap2-2.3.27)
Index(es):
- Chronological
- Thread