Re: SSL handshake failure
On Mon, 18 Feb 2008, Nathan Huesken wrote:
> I am trying to enable TLS on my ldap server. I executed:
> openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ldap-key.pem -days 999999
That creates a self-signed certificate. If you really do have a need to
use and issue client certificates, then you'll almost certainly want to
issue them from a common CA so that they can be validated more easily.
Whether a single CA or multiple levels of CAs is the best match for your
needs is a question beyond the scope of this list; you should check the
OpenSSL documentation and mailing lists for help on that.
> and added:
> TLSCertificateFile /etc/ssl/ldap.pem
> TLSCertificateKeyFile /etc/openldap/ldap-key.pem
> TLSVerifyClient demand
> to my slapd.conf.
You should first get TLS working without requiring client certs. Once you
have that working correctly and securely, then you can work through the
details of getting client certs working on that stable foundation.
> To my ldap.conf, I added:
> TLS_CERT /etc/ssl/ldap.pem
> TLS_KEY /etc/openldap/ldap-key.pem
To quote the ldap.conf(5) manpage: "This is a user-only option."
> TLS_REQCERT allow
You want a setup where clients have to present certs, but they don't need
to validate the server's cert? That seems counter-productive. I would
expect a TLS_CACERT option here instead. Since the server's cert is
self-signed, it is its own CA:
TLS_CACERT /etc/ssl/ldap.pem
...at least until you use separate certs for the CA and server.
Philip Guenther
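The mismatch Philip describes (server demands client certs, client does not validate the server, user-only keywords in the system ldap.conf) can be checked mechanically. The script below is an added example, not code from the thread or from OpenLDAP: it parses two constructed config fragments mirroring the ones quoted above, reports each finding, and emits the corrected client split that the reply suggests (TLS_REQCERT demand, TLS_CACERT pointing at the self-signed server cert, TLS_CERT/TLS_KEY moved to ~/.ldaprc). The sample configs, the function names and the finding texts are this example's own; the keyword semantics follow ldap.conf(5) and slapd.conf(5).

```python
"""Lint the OpenLDAP TLS settings discussed in the thread: the client must be able
to validate the server certificate before it makes sense to demand client certs.
Added example; stdlib only, runs offline on the constructed configs below."""

# Constructed sample configs mirroring the ones quoted in the thread
# (not copied from any real system).
SLAPD_CONF = """\
# server side: slapd.conf
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLSVerifyClient demand
"""

LDAP_CONF = """\
# client side: system-wide ldap.conf
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT allow
"""

# ldap.conf(5): these are honoured only in a user's ~/.ldaprc, never system-wide.
USER_ONLY = {"TLS_CERT", "TLS_KEY"}
# TLS_REQCERT values that let a session proceed even if the server cert fails validation.
LENIENT_REQCERT = {"never", "allow", "try"}


def parse_conf(text):
    """Map upper-cased keyword -> value for a slapd.conf / ldap.conf style file.
    Blank lines and '#' comments are skipped; OpenLDAP keywords are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) == 2 else ""
    return opts


def lint_client(client, server, system_wide=True):
    """Return a list of findings for the client config, given the server it talks to."""
    findings = []
    if system_wide:
        for key in sorted(set(client) & USER_ONLY):
            findings.append(f"{key} is a user-only option and is ignored in the system "
                            f"ldap.conf; put it in ~/.ldaprc")
    reqcert = client.get("TLS_REQCERT", "demand").lower()
    if reqcert in LENIENT_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert} does not reject an unverifiable server "
                        f"certificate; use demand (the default) or hard")
    if not ({"TLS_CACERT", "TLS_CACERTDIR"} & set(client)):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the client has no CA to validate "
                        "the server certificate against")
    server_demands = server.get("TLSVERIFYCLIENT", "never").lower() in {"demand", "hard", "true"}
    if server_demands and reqcert in LENIENT_REQCERT:
        findings.append("server demands client certs while the client skips server "
                        "validation; get server validation working first")
    return findings


def corrected_client(client, server):
    """Client config as the reply suggests: trust the self-signed server cert as its
    own CA, require validation, and move the user-only keys out to ~/.ldaprc."""
    ldap_conf = {k: v for k, v in client.items() if k not in USER_ONLY}
    ldap_conf["TLS_REQCERT"] = "demand"
    # Only valid while the server cert is self-signed; with a real CA point at the CA cert.
    ldap_conf["TLS_CACERT"] = server["TLSCERTIFICATEFILE"]
    ldaprc = {k: v for k, v in client.items() if k in USER_ONLY}
    return ldap_conf, ldaprc


def render(opts):
    """Serialise a keyword map back into ldap.conf syntax."""
    return "\n".join(f"{k} {v}" for k, v in sorted(opts.items())) + "\n"


if __name__ == "__main__":
    server = parse_conf(SLAPD_CONF)
    client = parse_conf(LDAP_CONF)
    for finding in lint_client(client, server):
        print("finding:", finding)
    ldap_conf, ldaprc = corrected_client(client, server)
    print("--- ldap.conf ---\n" + render(ldap_conf))
    print("--- ~/.ldaprc ---\n" + render(ldaprc))
```

Running it against the sample prints five findings and a clean client split; linting the corrected split again returns none. One caveat the checker deliberately leaves out because the thread does not reach that point: once client certs are issued from a CA, slapd needs that CA in TLSCACertificateFile (or TLSCACertificatePath) before TLSVerifyClient demand can succeed.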