
Re: Can't get TLS working.



# making client key
openssl genrsa -out client.key 2048
# making certificate request
openssl req -new -key client.key -out client.csr
# signing
openssl x509 -req -days 1024 -CA ../ssl/rootcrt.pem -CAkey ../ssl/rootkey.pem \
    -in client.csr -out client.crt -CAserial ../ssl/root.seq

# configuring on client
TLS_CACERT /usr/local/etc/openldap/ssl-client/rootcrt.pem
TLS_CERT /usr/local/etc/openldap/ssl-client/client.crt
and
TLS_KEY /usr/local/etc/openldap/ssl-client/client.key

Trying again with slapd debug and client calling "id test"

slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
op tag 0x77, time 1284616840
ber_get_next
conn=1000 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 11
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1284616840
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
conn=1000 op=1 do_unbind
connection_close: conn=1000 sd=11
TLS trace: SSL3 alert write:warning:close notify


All the same.

Okay. Looking at /usr/local/etc/nss_ldap.conf and I see

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

So a client certificate is not required?

Looking at the FAQ about TLS,
http://www.openldap.org/faq/data/cache/185.html, I do not see any
client certificate generation or configuration.


BTW, I must say that configuring TLS_CACERT in nss_ldap.conf makes no sense.
Configuring the tls_cacertfile directive instead of TLS_CACERT works OK.

OpenLDAP version is 2.4.23

2010/9/15 Wallus, Harald Dr. <Harald.Wallus@eon.com>:
> In ldap.conf
>
> You must define
>
> TLS_CACERT with the CA-Chain
>
> and
>
> TLS_CERT with your client cert
>
> Harald
>
>
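An added example, not code from the original post and not part of OpenLDAP: it reproduces the post's key -> CSR -> CA-signed certificate flow against a throwaway CA in a temporary directory, and then runs the offline checks worth doing before pointing TLS_CACERT / TLS_CERT / TLS_KEY at the files: does the client certificate chain to the CA, does the key actually belong to the certificate, and what subject DN will the server see. It goes slightly beyond the post by also building a second, unrelated CA to show what a failed chain check looks like. The working directory, subject names and the use of the openssl command-line tool are assumptions for this demo.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the post's
# key -> CSR -> CA-signed cert steps against a throwaway CA, then runs the
# offline checks a practitioner wants before touching ldap.conf:
# chain verification, key/cert match, and the client subject DN.
# All paths and subject names below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed root, standing in for ../ssl/rootcrt.pem + rootkey.pem
make_ca() {
    openssl genrsa -out "$WORK/${1}key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/${1}key.pem" \
        -subj "/CN=$1 test CA" -out "$WORK/${1}crt.pem"
}

# make_client CA: the post's three steps, signed by $WORK/<CA>key.pem
# (-CAcreateserial used here instead of a pre-existing serial file)
make_client() {
    openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/client.key" -subj "/CN=test client" \
        -out "$WORK/client.csr"
    openssl x509 -req -days 1024 -CA "$WORK/${1}crt.pem" -CAkey "$WORK/${1}key.pem" \
        -CAcreateserial -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null
}

# verify_against CAFILE CERT: succeeds only if CERT chains to CAFILE.
# This is the offline equivalent of the server checking a presented client
# cert against the CA bundle it trusts.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_keypair: TLS_KEY must be the private half of TLS_CERT; compare RSA moduli.
check_keypair() {
    [ "$(openssl x509 -noout -modulus -in "$WORK/client.crt")" = \
      "$(openssl rsa  -noout -modulus -in "$WORK/client.key")" ]
}

# client_dn: the subject the server will see as the TLS client identity
client_dn() {
    openssl x509 -noout -subject -in "$WORK/client.crt"
}

demo() {
    make_ca root
    make_ca other        # unrelated CA, used to show a chain failure
    make_client root
    verify_against "$WORK/rootcrt.pem" "$WORK/client.crt" && echo "chain to root CA: OK"
    verify_against "$WORK/othercrt.pem" "$WORK/client.crt" || echo "chain to other CA: FAIL (expected)"
    check_keypair && echo "key matches cert: OK"
    echo "client DN: $(client_dn)"
}

demo
```

Run it as-is to get the three results printed; to check real files, point WORK at the directory holding rootcrt.pem, client.crt and client.key and call verify_against and check_keypair directly. If verify_against fails against the CA file the server is configured with, the server cannot accept that client certificate no matter what the client's TLS_CERT and TLS_KEY settings say.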