
Re: help SSL on Openldap and java



Thanks for replying. I was a bit occupied, so I could not get back sooner. Going by your mail, I went through the certificate generation process again. What I found is that for some reason, the cacert.pem file (which is the certificate for the CA) shows the following -
 X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
I am attaching the steps I followed and the certificate files generated as per the tutorial
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2.

Shouldn't the above field be CA:true? Also, how do I make sure that the flag you mentioned below gets set to "SSL server"?
Thanks,
Sirisha.

On Fri, May 28, 2010 at 11:44 PM, Brett @Google <brett.maxfield@gmail.com> wrote:
On Fri, May 28, 2010 at 9:39 AM, s g <sirisha.kmb@gmail.com> wrote:

javax.naming.CommunicationException: simple bind failed: vcheung-181.lab.xxxx.net:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server]
     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)

You probably have your certs round the wrong way. The server cert (on the ldap server) should have the 'SSL Server' usage flag; the client cert (on the ldap client) should have the 'SSL Client' usage flag.

The usage flags are embedded when you make the CSR (certificate request), which will then usually be reflected in the generated certificate, unless your CA overrides them.

Do a "openssl x509 -in <cert file> -noout -text" to compare the two certificates.

Cheers
Brett

[root@vcheung-181 nextca]# /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...........................++++++
...++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:SantaClara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Inc
Organizational Unit Name (eg, section) []:MyCompany Unit
Common Name (eg, YOUR name) []:vcheung-181.lab.xxxx.net
Email Address []:sirish1616@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:secret
An optional company name []:
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:secret
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun  9 20:15:18 2010 GMT
            Not After : Jun  8 20:15:18 2013 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = MyCompany Inc
            organizationalUnitName    = MyCompany Unit
            commonName                = vcheung-181.lab.xxxx.net
            emailAddress              = xyz@yahoo.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

Certificate is to be certified until Jun  8 20:15:18 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

[root@vcheung-181 nextca]#
[root@vcheung-181 nextca]# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.........++++++
...................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:SantaClara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Inc
Organizational Unit Name (eg, section) []:MyCompany Unit
Common Name (eg, YOUR name) []:vcheung-181.lab.xxxx.net
Email Address []:xyz@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:secret
An optional company name []:

[root@vcheung-181 nextca]#
[root@vcheung-181 nextca]# /usr/local/ssl/misc/CA.sh -sign
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  9 20:22:20 2010 GMT
            Not After : Jun  9 20:22:20 2011 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            localityName              = SantaClara
            organizationName          = MyCompany Inc
            organizationalUnitName    = MyCompany Unit
            commonName                = vcheung-181.lab.xxxx.net
            emailAddress              = xyz@yahoo.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C5:AB:B2:D2:2B:7F:DC:B7:DE:9F:F2:AF:B1:64:45:B0:24:B5:AD:10
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

Certificate is to be certified until Jun  9 20:22:20 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=MyCompany Inc, OU=MyCompany Unit, CN=vcheung-181.lab.xxxx.net/emailAddress=xyz@yahoo.com
        Validity
            Not Before: Jun  9 20:22:20 2010 GMT
            Not After : Jun  9 20:22:20 2011 GMT
        Subject: C=US, ST=California, L=SantaClara, O=MyCompany Inc, OU=MyCompany Unit, CN=vcheung-181.lab.xxxx.net/emailAddress=xyz@yahoo.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:3a:91:2c:16:9d:c1:70:43:bf:1e:7c:ac:5d:
                    00:af:15:9c:a8:1b:6c:37:53:c8:b7:a2:6f:68:e0:
                    2e:f3:c6:f9:ee:0c:d3:f3:90:4e:c2:68:a4:a1:d5:
                    0c:2b:2d:ac:11:48:d5:c1:2c:21:a9:ef:4e:69:e8:
                    b5:9e:31:18:aa:99:b6:7e:1d:34:a2:4e:4d:e4:53:
                    50:44:7a:6a:ef:bf:d3:9d:fd:32:c1:af:d5:21:45:
                    80:cb:12:c5:8f:70:df:49:78:7d:1a:cf:6a:2e:cb:
                    6a:17:5f:86:71:c1:c5:d6:a3:da:63:7d:80:f6:f5:
                    ce:12:5d:ad:2a:24:b9:66:a9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C5:AB:B2:D2:2B:7F:DC:B7:DE:9F:F2:AF:B1:64:45:B0:24:B5:AD:10
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

    Signature Algorithm: sha1WithRSAEncryption
        01:ac:6f:e2:55:87:d1:20:9f:62:58:de:4b:6a:12:27:6e:22:
        fa:40:56:c3:5e:42:2b:f6:b1:68:95:c4:d1:6a:63:aa:4f:31:
        eb:f6:45:12:28:39:18:66:9d:f0:c9:f4:3f:c9:87:be:c4:e1:
        fb:71:99:12:f3:f3:c3:85:f2:d6:61:a8:51:f3:a7:e5:41:14:
        48:a2:17:f7:28:f6:87:24:8f:76:ca:2c:52:a1:1b:de:81:12:
        e6:b5:80:83:09:89:ae:41:54:5a:59:d8:05:cc:3c:72:72:e3:
        5f:22:1c:b3:1c:40:c0:7b:4c:bf:4e:45:43:6a:2c:41:83:31:
        2f:2f
-----BEGIN CERTIFICATE-----
MIIDRjCCAq+gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAoTDU15Q29tcGFueSBJbmMxFzAV
BgNVBAsTDk15Q29tcGFueSBVbml0MSUwIwYDVQQDExx2Y2hldW5nLTE4MS5sYWIu
cmVjb25uZXgubmV0MSMwIQYJKoZIhvcNAQkBFhRzaXJpc2gxNjE2QHlhaG9vLmNv
bTAeFw0xMDA2MDkyMDIyMjBaFw0xMTA2MDkyMDIyMjBaMIG0MQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTETMBEGA1UEBxMKU2FudGFDbGFyYTEWMBQG
A1UEChMNTXlDb21wYW55IEluYzEXMBUGA1UECxMOTXlDb21wYW55IFVuaXQxJTAj
BgNVBAMTHHZjaGV1bmctMTgxLmxhYi5yZWNvbm5leC5uZXQxIzAhBgkqhkiG9w0B
CQEWFHNpcmlzaDE2MTZAeWFob28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDBOpEsFp3BcEO/HnysXQCvFZyoG2w3U8i3om9o4C7zxvnuDNPzkE7CaKSh
1QwrLawRSNXBLCGp705p6LWeMRiqmbZ+HTSiTk3kU1BEemrvv9Od/TLBr9UhRYDL
EsWPcN9JeH0az2ouy2oXX4ZxwcXWo9pjfYD29c4SXa0qJLlmqQIDAQABo3sweTAJ
BgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0
aWZpY2F0ZTAdBgNVHQ4EFgQUxauy0it/3Lfen/KvsWRFsCS1rRAwHwYDVR0jBBgw
FoAU8l0lrfBGlXHLPN2I2XeieayhS1cwDQYJKoZIhvcNAQEFBQADgYEAAaxv4lWH
0SCfYljeS2oSJ24i+kBWw15CK/axaJXE0Wpjqk8x6/ZFEig5GGad8Mn0P8mHvsTh
+3GZEvPzw4Xy1mGoUfOn5UEUSKIX9yj2hySPdsosUqEb3oES5rWAgwmJrkFUWlnY
Bcw8cnLjXyIcsxxAwHtMv05FQ2osQYMxLy8=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

Attachment: serverkey.pem
Description: Binary data

Attachment: cacert.pem
Description: Binary data

Attachment: servercert.pem
Description: Binary data
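Editor's note, added to this archived thread and not part of the original message or of OpenLDAP: the transcript above shows a CA certificate with CA:FALSE and a server certificate with no Netscape Cert Type at all, which is why neither the "CA:true" nor the "SSL server" expectation is met. The script below builds a throwaway CA and server certificate with the extensions a TLS client looks for, using plain openssl commands rather than CA.sh, and then checks them the way a client would. It assumes only that openssl is in PATH; the hostname is the one from the thread, the CA name and temp directory are made up for the example.

```sh
#!/bin/sh
# Added example (not code from the thread or from OpenLDAP): build a test CA
# whose certificate carries CA:TRUE, sign a server certificate that carries
# nsCertType=server and extendedKeyUsage=serverAuth, and check both.
# Assumption: openssl is in PATH. HOST is the hostname from the thread; the
# CA subject and the work directory are made up here.
set -eu

HOST=vcheung-181.lab.xxxx.net
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One extension section per certificate type. Extensions are applied by the
# signer, so this file is handed to the signing command; whatever a CSR asks
# for is ignored unless the CA copies it.
cat > "$WORK/ext.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

build_pki() {
  # Self-signed CA certificate using the v3_ca section (CA:TRUE).
  # stderr of 'req' carries only key-generation progress dots.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ext.cnf" -extensions v3_ca \
    -subj "/C=US/O=MyCompany Inc/CN=MyCompany Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  # Server key and CSR, then sign the CSR with the v3_server section.
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/ext.cnf" -subj "/C=US/O=MyCompany Inc/CN=$HOST" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 365 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions v3_server \
    -out "$WORK/servercert.pem"
}

basic_constraints() {
  # Print the Basic Constraints value (CA:TRUE or CA:FALSE) of $WORK/$1.pem.
  openssl x509 -in "$WORK/$1.pem" -noout -text |
    awk '/X509v3 Basic Constraints/ { getline; sub(/^ +/, ""); print; exit }'
}

netscape_cert_type() {
  # Print the Netscape Cert Type value, the field the Java validator named.
  openssl x509 -in "$WORK/$1.pem" -noout -text |
    awk '/Netscape Cert Type/ { getline; sub(/^ +/, ""); print; exit }'
}

verify_server() {
  # -purpose sslserver applies the usage rules a TLS client applies: the
  # issuer must be a real CA (CA:TRUE, keyCertSign) and the leaf must be
  # usable as an SSL server (nsCertType/EKU/keyUsage). Exit status 0 = OK.
  openssl verify -CAfile "$WORK/cacert.pem" -purpose sslserver \
    "$WORK/servercert.pem" >/dev/null
}

build_pki
echo "cacert.pem      Basic Constraints:  $(basic_constraints cacert)"
echo "servercert.pem  Basic Constraints:  $(basic_constraints servercert)"
echo "servercert.pem  Netscape Cert Type: $(netscape_cert_type servercert)"
if verify_server; then
  echo "servercert.pem verifies for purpose sslserver"
else
  echo "servercert.pem FAILS verification for purpose sslserver"
fi
```

With the CA.sh workflow from the thread the same fix lives in openssl.cnf: the `[ v3_ca ]` section is what gives the CA certificate `basicConstraints = CA:true` (the stock file has it), and `CA.sh -sign` runs `openssl ca`, which takes its extensions from the section named by `x509_extensions` under `[ CA_default ]`, `usr_cert` by default; the stock `usr_cert` ships with `nsCertType = server` commented out, and uncommenting it (and, for modern clients, adding `extendedKeyUsage = serverAuth`) is what puts "SSL Server" into the signed certificate. Whichever way the certificates are produced, `openssl x509 -in <cert> -noout -text` as suggested above shows the result, and `openssl verify -purpose sslserver` rejects a chain whose issuer lacks CA:TRUE, which is the state the attached cacert.pem is in.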