[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS configuration needs client certification (why?)



Frank Cornelissen wrote:
Hello all,

why does slapd require a peer/client certificate? I'm slapd 2.3.30 on debian (package 2.3.30-5 to be precise).

when connexting with ssl to slapd using

         ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x

I get the following error from slapd (started with -d 8):

TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455


When connecting to the same host but with the ldap protocol (vs ldaps) the search results correctly.

This error seems like somehow slapd wants to get a client certficate, but I did not set slapd up that way. The ldap.conf on the client machines only contains the CA certificate field:

         TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt

relevant parts from slapd.conf (included in total at the end of message):

         TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
         TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
         TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
         #TLSVerifyClient never
         #TLSCRLCheck none

Uncomment the "TLSVerifyClient never" directive here to work around this problem.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/