Re: Solaris 10 native Client with TLS to OpenLDAP
John Gee <john@kleinfeld.ch> writes:
> Hello,
>
> I have a problem with connecting the Solaris 10 native LDAP client to an
> OpenLDAP server (slapd 2.4.11) with TLS.
[...]
> TLS trace: SSL3 alert read:fatal:bad certificate
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
> connection_read(11): TLS accept failure error=-1 id=207, closing
> connection_closing: readying conn=207 sd=11 for close
> connection_close: conn=207 sd=11
slapd refuses the client certificate
> -( solaris 10 - client )----
>
> # import the ca-cert
> certutil -N -d /var/ldap
> certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/
> # import ldap-server certs
> certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem
> certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem
> # list cert-db
> certutil -L -d /var/ldap
> ca-cert CT,,
> ldap02.kleinfeld.ch C,,
> ldap01.kleinfeld.ch C,,
The server presents the server certificate (ldap01.kleinfeld.ch),
the LDAP client presents the CA, but the server expects a client
certificate. Change slapd.conf not to verify a client certificate.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
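The slapd.conf directive behind the "bad certificate" alert is TLSVerifyClient. The fragment below is an added illustration, not configuration from the original thread: it shows the setting that makes slapd demand a client certificate (which a Solaris client holding only the CA cert cannot satisfy) next to the relaxed settings Dieter's advice amounts to. The certificate paths are placeholders.

```conf
# --- slapd.conf (assumed paths; adjust to your installation) ---
TLSCACertificateFile  /etc/openldap/certs/ca-cert.pem
TLSCertificateFile    /etc/openldap/certs/ldap01.kleinfeld.ch.pem
TLSCertificateKeyFile /etc/openldap/certs/ldap01.kleinfeld.ch.key

# Setting that produces "SSL3 alert read:fatal:bad certificate" when the
# client has no certificate of its own: slapd requires a client cert and
# aborts the handshake if none (or an unverifiable one) is presented.
#TLSVerifyClient demand

# Do not request a client certificate at all; clients authenticate with a
# bind DN/password over the encrypted session instead.
TLSVerifyClient never

# Alternative: request a client certificate but accept a connection without
# one. A certificate that IS presented must still verify against the CA,
# so clients that do have certs keep strong checking.
#TLSVerifyClient try
```

After editing slapd.conf, restart slapd and confirm with the same `-d` trace that the handshake completes before re-enabling any stricter mode.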