[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read
Hello everybody,
I'm just trying to set up a LDAPS server using my own
certification authority, but the ldap server does not
accept/understand my client certificate. Instead, the server
sais:
TLS: can't accept: The peer did not send any certificate..
What I did:
1.) I set up LDAP without SSL/TLS to make sure that it is
configured properly. This worked out fine so far, I can
use ldapsearch, ldapadd, phpldapadmin ...
2.) I created a self signed certificate for my RootCA, used
it to sign my ServerCA and used the ServerCA to sign the
certificates for my ldap server and client.
The certificates of RootCA and ServerCA have been concatenated
into one file <name of ca>.chain.crt
3.) Changed ldap.conf and slapd.conf as described below
4.) Tried to do an ldapsearch on the client -> failed
5.) Tried openssl client -> success
Here are the details:
Client:
=======
# ldapsearch -x -LLL -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <serverip>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <serverip>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_start_tls: Can't contact LDAP server (-1)
Server:
========
# slapd -VV
@(#) $OpenLDAP: slapd 2.4.9 (Aug 1 2008 01:09:46) $
buildd@king:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd
# slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127
...
...
connection_get(13): got connid=32
connection_read(13): checking for input on id=32
tls_read: want=5, got=5
0000: 16 03 02 00 07 .....
tls_read: want=7, got=7
0000: 0b 00 00 03 00 00 00 .......
TLS: can't accept: The peer did not send any certificate..
connection_read(13): TLS accept failure error=-1 id=32, closing
connection_closing: readying conn=32 sd=13 for close
connection_close: conn=32 sd=13
daemon: removing 13
But if I use openssl s_client, I get a differnet result:
Client:
=======
openssl s_client -showcerts -connect <serverfqdn>:636 \
-CAfile cacerts/<ca>.chain.crt -cert certs/<clientfqdn>.cert.pem \
-key private/<clientfqdn>.key.pem
CONNECTED(00000003)
depth=2 /C=...
verify return:1
depth=1 /C=...
verify return:1
depth=0 /C=...
verify return:1
---
Certificate chain
0 s:/C=...
i:/C=...
-----BEGIN CERTIFICATE-----
<Certificate data>
-----END CERTIFICATE-----
---
Server certificate
subject=/C=...
issuer=/C=...
---
Acceptable client certificate CA names
/C=...
/C=...
---
SSL handshake has read 1806 bytes and written 4358 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: F63D4DB4A918CC3BC8F8617AD49F6C6EFCB316203466EC91DBCF0C2E3700DE1E
Session-ID-ctx:
Master-Key: <master key>
Key-Arg : None
Start Time: 1219848938
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
And on server side, everything seems to be o.k. There is no error and the last lines
of output are:
=> ldap_dn2bv(16)
<= ldap_dn2bv(cn=<cn of client>,ou=<ou>,o=<o>,st=<st>,c=<c>)=0
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
ldap.conf (partially)
---------------------
uri ldaps://132.176.4.6/
ssl yes
tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
tls_ciphers TLSv1
tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem
ldap.conf (partially)
---------------------
TLSCACertificateFile /usr/lib/ssl/certs/<ca>.chain.crt
TLSCertificateFile /usr/lib/ssl/openldap/<serverfqdn>.cert.pem
TLSCertificateKeyFile /usr/lib/ssl/openldap/private/<serverfqdn>.key.pem
TLSVerifyClient demand
What did I do wrong?
Best regards,
Hauke Coltzau
--