
Re: SSL / Certificates / ... Some confusion



Hi Klaus,

thanks a lot. Just two minutes ago I finished my two-hour Google look-up,
ending in the same direction :-)

A posting from Howard Chu pointed into the right direction:

http://www.openldap.org/lists/openldap-software/200704/msg00129.html

Then on to ->

http://www.openssl.org/docs/apps/x509v3_config.html

The next minutes I'll dedicate to you doing some kowtow.

And some more if everything works ;-)


	Cheers,

		Götz


Klaus Lemkau wrote:
> Hi,
> 
>> X509v3 extensions:
>>              X509v3 Basic Constraints:
>>                  CA:FALSE
>>              Netscape Cert Type:
>>                  SSL Server
> 
> You can use this certificate only for server, not for
> client authentication.
> 
> Netscape Cert Type: should be
>   SSL Client, SSL Server
> 
> if you would use the certificate as client/server
> (I would prefer this)
> 
> or
>  SSL Client
> 
> if you would use the certificate only as client
> 
> 
> Look for
>  nsCertType
> in your OpenSSL configuration file
> 
> manpages: config and x509
> 
> -- Klaus Lemkau
> 
> 
> On 12.04.2010 11:58, Götz Reinicke - IT-Koordinator wrote:
>> Hi,
>>
>> for a couple of days I have been trying to set up a provider and a consumer
>> over SSL following the documentation in a book [1] and using two servers.
>> (Red Hat 5.x, openssl-0.9.8e-12, openldap-2.3.43-3)
>>
>> Doing so I was confronted with a lot of different warnings/messages but
>> finally I got the replication encrypted.
>>
>> The final step in the tutorial is to use the saslmech=external but the
>> messages I do get are different from the messages I should get.
>>
>> I noticed and googled some provider debug info and wanted to ask for
>> some proof or clarification or workaround:
>>
>> From the provider log:
>>
>> TLS certificate verification: Error, unsupported certificate purpose
>> ...
>> TLS trace: SSL3 alert write:warning:bad certificate
>> connection_read(13): unable to get TLS client DN, error=49 id=1
>>
>> From a posting from 2006 and the answer from Howard Chu [2] I think I
>> do have the same problem: my consumer server certificate "should be",
>> from the provider's view, a client certificate.
>>
>> From the certificate:
>>
>> X509v3 extensions:
>>              X509v3 Basic Constraints:
>>                  CA:FALSE
>>              Netscape Cert Type:
>>                  SSL Server
>>
>> Am I wrong, right, lost, ... Is there a workaround or any step while
>> creating the certificates?
>>
>> Thanks once more and best regards,
>>
>>     Götz
>>
>>
>> [1] http://www.galileocomputing.de/katalog/buecher/titel/gp/titelID-1801
>> [2] http://www.openldap.org/lists/openldap-software/200604/msg00202.html
>>
> 
> 


-- 
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 420
Fax  +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board:
Prof. Dr. Claudia Hübner

Managing Director:
Prof. Thomas Schadt
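The purpose check behind the "unsupported certificate purpose" message in the provider log can be reproduced outside slapd with the openssl command line. When a TLS server verifies the certificate a connecting client presents, OpenSSL checks it with the "ssl client" purpose; `openssl verify -purpose sslclient` applies the same check to a certificate file. The script below is an added example, not code from the thread, from Klaus's reply, or from the OpenLDAP or OpenSSL projects. It builds a throw-away test CA, issues one certificate with the extension profile shown in the thread (nsCertType = server only) and one with the profile Klaus recommends (nsCertType = client, server), and runs both through the sslclient and sslserver purpose checks. All file names, the CA name and the CN consumer.example.org are made up for the demo; openssl must be in PATH. The extendedKeyUsage line in the second profile is my own addition: it is the standard (RFC 5280) counterpart of the Netscape extension, and peers that check extendedKeyUsage would otherwise still reject a client-only or server-only certificate.

```sh
#!/bin/sh
# Added example, not part of the original thread: reproduce the
# "unsupported certificate purpose" failure with the openssl CLI and
# show an extension profile that passes both purpose checks.
# Assumptions: openssl is in PATH; the CA name, the CN
# "consumer.example.org" and all file names are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# req config shared by every CSR; the ca_ext section is used only for the CA.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Profile 1: what the certificate in the thread carried (server only).
cat > "$WORK/ext_server_only.cnf" <<'EOF'
basicConstraints = CA:FALSE
nsCertType       = server
EOF

# Profile 2: usable as both TLS client and TLS server.
# nsCertType is what the thread discusses; extendedKeyUsage is the
# RFC 5280 equivalent that peers check as well, so set both.
cat > "$WORK/ext_client_server.cnf" <<'EOF'
basicConstraints = CA:FALSE
nsCertType       = client, server
extendedKeyUsage = clientAuth, serverAuth
EOF

# make_ca: self-signed test CA (constructed for the demo only)
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 \
    -subj "/CN=Example Test CA" 2>/dev/null
}

# issue_cert NAME EXTFILE: key + CSR + CA-signed cert at $WORK/NAME.crt
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=consumer.example.org" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_as NAME PURPOSE: the purpose check a TLS peer applies
# (sslclient when a server verifies a connecting client, sslserver when
# a client verifies the server); prints ok or fail.
verify_as() {
  if openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$WORK/$1.crt" \
       >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# verify_error NAME PURPOSE: the reason openssl gives for a rejection
# (empty when the certificate is accepted)
verify_error() {
  openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1 \
    | grep -o 'unsupported certificate purpose' | head -n 1 || true
}

demo() {
  make_ca
  issue_cert server_only   "$WORK/ext_server_only.cnf"
  issue_cert client_server "$WORK/ext_client_server.cnf"
  for name in server_only client_server; do
    echo "$name:"
    openssl x509 -in "$WORK/$name.crt" -noout -text | grep -A1 'Netscape Cert Type'
    echo "  as sslserver: $(verify_as "$name" sslserver)"
    echo "  as sslclient: $(verify_as "$name" sslclient) $(verify_error "$name" sslclient)"
  done
}

if command -v openssl >/dev/null 2>&1; then
  demo
else
  echo "openssl not found in PATH; skipping the demonstration" >&2
fi
```

The server-only certificate passes the sslserver check and fails the sslclient check with "unsupported certificate purpose", which is exactly the consumer's position when it connects to the provider for replication. The client+server certificate passes both. One caveat worth knowing: OpenSSL only rejects on nsCertType or extendedKeyUsage when the extension is present and the needed bit is missing; a certificate that carries neither extension is accepted for both purposes, so the problem in the thread comes from explicitly restricting the certificate to "SSL Server", not from a missing extension.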