On Sun, Oct 12, 2008 at 02:56:38PM +0200, Dieter Kluenter wrote:
[...]
Did you sign the server certificates with this ca-cert? And how did you
create the CA and the server certificates?
I personally use the CA.pl tools from openssl, this is by no means the
best way to do, but the simplest. If you follow this path, you may
have to edit openssl.cnf to meet your requirements. Then you just do
./CA.pl -newca, which creates a self-signed CA
./CA.pl -newreq, this creates a host or user certificate request
./CA.pl -sign, which signs the request
openssl rsa -in newreq.pem -out foo-key.pem, this removes password
from the requested certificate and creates a key file.
mv newcert.pem foo-cert.pem
./CA.pl -verify foo-cert.pem
The CA cert and the ldap01 certs were created with openssl.
When verifying with openssl, all seems to be OK:
# openssl s_client -connect ldap01.kleinfeld.ch:636 -CAfile /var/ldap/ca.pem -showcerts
...
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: E276B6ABD9349FDFD7EA22CCB491D3E9FE423BA1D45B0C18D4019422EF1FF607
Session-ID-ctx:
Master-Key: 758F1B898907CDA46E70E37D306517C60E21864E4119846C05597DA19572B1FDF9A4E6D1299848A2E769CA002DA76D93
Key-Arg : None
Start Time: 1223891247
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Slapd - Debug Output:
connection_get(11): got connid=9
connection_read(11): checking for input on id=9
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=9
When connecting with ldapsearch (OpenLDAP), the connection is established and
continues after the TLS client error:
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=0
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
(Reminder: slapd.conf has TLSVerifyClient never)
When doing the same search with ldapsearch (SUNWlldap package), it seems to be
forced into TLS client verification.
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=3
connection_read(11): checking for input on id=3
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=3, closing
connection_closing: readying conn=3 sd=11 for close
connection_close: conn=3 sd=11
I will try it later today with a new CA, but I think the problem must be in
ldapclient (SUNWlldap) or inside certutil.
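As an added example (not code from either poster), the CA.pl steps quoted above redone with plain, non-interactive openssl commands, ending with the chain check that CA.pl -verify performs; the host names, CA names and file prefixes are placeholders chosen for the example. It also shows the same check failing for a certificate issued by an unrelated CA, which is one common reason a peer answers with a "bad certificate" alert.

```shell
#!/bin/sh
# Added example, not code from the thread: the CA.pl steps quoted above done
# with plain openssl commands (non-interactive), plus the chain check that
# CA.pl -verify performs. Names like ldap01.example.test are placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ./CA.pl -newca equivalent: a self-signed CA with an unencrypted key.
make_ca() {  # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1-key.pem" -out "$1-cert.pem" 2>/dev/null
}

# ./CA.pl -newreq plus ./CA.pl -sign: request a host cert and sign it with the CA.
# -nodes leaves the key unencrypted, so the separate 'openssl rsa' step is not needed.
issue_cert() {  # $1 = CA file prefix, $2 = host file prefix, $3 = host common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2-key.pem" -out "$2-req.pem" 2>/dev/null
  openssl x509 -req -in "$2-req.pem" -CA "$1-cert.pem" -CAkey "$1-key.pem" \
    -CAcreateserial -days 365 -out "$2-cert.pem" 2>/dev/null
}

# ./CA.pl -verify equivalent: does the certificate chain to the given CA?
# Returns 0 when it does, 1 when it does not (a cert from a CA the peer does
# not trust is one common cause of a "bad certificate" alert).
verify_chain() {  # $1 = CA cert, $2 = certificate to check
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "ok:   $2 chains to $1"
    return 0
  fi
  echo "FAIL: $2 does not chain to $1"
  return 1
}

cd "$WORK"
make_ca ca "Example CA"            # the CA the server trusts
make_ca other-ca "Unrelated CA"    # a second CA the server does not trust
issue_cert ca ldap01 ldap01.example.test          # server certificate
issue_cert other-ca client client.example.test    # a client cert from the wrong CA
verify_chain ca-cert.pem ldap01-cert.pem           # ok
verify_chain ca-cert.pem client-cert.pem || true   # FAIL, as expected
```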