[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS CA Chain Problem

To: openldap-technical@openldap.org
Subject: Re: TLS CA Chain Problem
From: Iruwen <iruwen@gmx.net>
Date: Mon, 12 Oct 2009 22:36:04 +0200
In-reply-to: <C39BDC1D33C64045C039F0D4@[192.168.1.199]>
References: <4AD328DE.1040704@gmx.net> <4ABAC4B5D3DE72EE651103C3@[192.168.1.199]> <C39BDC1D33C64045C039F0D4@[192.168.1.199]>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Quanah Gibson-Mount schrieb:

--On Monday, October 12, 2009 11:18 AM -0700 Quanah Gibson-Mount<quanah@zimbra.com> wrote:
--On Monday, October 12, 2009 3:02 PM +0200 Iruwen <iruwen@gmx.net>wrote:
Seems like the ca-bundle wouldn't be used at all, does slapd expect a
different format or something?

Maybe someone could shed some light on this for me, thanks a lot in
advance.
You need to provide the full train of trust when using Comodo certs.
s/train/chain/ :P


So... I'd have to change what exactly? ;)

I created the ca-bundle following the information this page:

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=890

And the format generally seems to be correct since it works for HTTPS(and SMTP with TLS in postfix, just tried that too).


HTTPS:

office:/etc/ssl/private# openssl s_client -connect localhost:443
CONNECTED(00000003)

depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Root

verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de

i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CALimited/CN=PositiveSSL CA1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CALimited/CN=PositiveSSL CAi:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUSTNetwork/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUSTNetwork/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardwarei:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Root3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Rooti:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Root


SMTP with TLS:

office:/etc/ssl/private# openssl s_client -connect localhost:25-starttls smtp

CONNECTED(00000003)

depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Root

verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de


But LDAPS:

office:/etc/ssl/private# openssl s_client -connect localhost:636
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de

i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CALimited/CN=PositiveSSL CA


I don't get it :(

Follow-Ups:
- Re: TLS CA Chain Problem
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- TLS CA Chain Problem
  - From: Iruwen <iruwen@gmx.net>
- Re: TLS CA Chain Problem
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: TLS CA Chain Problem
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: Map attributes to access LDAP addressbook with thunderbird too
Next by Date: Re: TLS CA Chain Problem
Index(es):
- Chronological
- Thread