[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
SSL Help
Hi, I'm having some troubles with openldap
w/ TLS.
I can't seem to do a ldapsearch -x -LLL
-ZZ, as it is giving be back
"SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed"
On the server side log I'm getting:
TLS trace: SSL3 alert read:
fatal:unknown CA
TLS trace: SSL_accept:failed
in SSLv3 read client certificate A
TLS: can't accept
TLS: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053
I've tried and tested my ssl connection
using:
openssl s_client -connect
ldap1.mylan:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem
and that works, althought if I use "TLSVerifyClient
demand" in slapd.conf, the server will reject the connection
saying that the client didn't send the
certificate.
I also tried the client authentication
ssl test and the works w/ and w/o the TLSVerifyClient demand option:
openssl s_client -connect
ldap1.mylan:636 -state \
-CAfile /usr/local/etc/openldap/cacert.pem \
-cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \
-key /usr/local/etc/openldap/slapd-key-ldap1.pem
Does any know what i'm doing wrong?
Here are the tls part of my configs:
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....
ldap.conf
BASE dc=mylan
HOST ldap1.mylan
#URI ldaps://127.0.0.1:636
TLS_CACERT /usr/local/etc/openldap/cacert.pem
.....
/etc/ldap.conf
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search
base.
#base dc=caplan,dc=org
base dc=mylan
# Another way to specify your LDAP server
is to provide an
# uri with the server name. This allows
to use
# Unix Domain Sockets to connect to
a local LDAP Server.
host ldap1.mylan
#uri ldap://127.0.0.1/
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as
directory separator
# The LDAP version to use (defaults
to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to
the server with.
# Optional: default is to bind anonymously.
#binddn cn=NonAnon,dc=caplan,dc=org
# The credentials to bind with.
# Optional: default is no credential.
#bindpw SeCrEt
# The distinguished name to bind to
the server with
# if the effective user ID is root.
Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=root,dc=padl,dc=com
# The port.
# Optional: default is 389.
port 389
..
...
..
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal
LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate
(yes/no)
# Default is to use libldap's default
behavior, which can be configured in
# /etc/openldap/ldap.conf using the
TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no",
for 2.1 and later is "yes".
tls_checkpeer yes
# CA certificates for server certificate
verification
# At least one of these are required
if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not
provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires
client authentication.
#tls_cert
#tls_key
Thanks,
Vinh
- Follow-Ups:
- RES: SSL Help
- From: "Gustavo Mendes de Carvalho" <gmcarvalho@gmail.com>