
Re: Can't get TLS working.



At last I found the solution!

I turned on debug 9 in /usr/local/etc/nss_ldap.conf
and found that

...............


TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com, issuer:
/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
TLS certificate verification: depth: 0, err: 0, subject:
/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com, issuer:
/C=RU/ST=MSK/L=MSk/O=ORG/OU=IT/CN=ca.domain.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (127.0.0.1) does not match common name in certificate
(ldap.domain.com).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I set host to ldap.domain.com in nss_ldap and ldap.conf and HURRAY! it works.

So, the problems that I found while setting up openldap+tls:
1) CN of CA and ldap server certificates MUST not be the same.
2) variable "host" in nss_ldap.conf and ldap.conf must be exactly the same
as CN in server certificate.
3) Minimum configuration of tls in slapd.conf, ldap.conf and nss_ldap.conf:
slapd.conf:
TLSCertificateFile    /usr/local/etc/openldap/ssl/ldap.domain.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.domain.com.key
TLSCACertificateFile  /usr/local/etc/openldap/ssl/root.crt
ldap.conf:
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/ssl-client/root.crt
# TLS_CACERT not working at all
nss_ldap.conf:
ssl start_tls
tls_cacertfile /usr/local/etc/openldap/ssl-client/root.crt

That's all.
Thanks to Dieter Klünter and Harald for pointing in reasonable directions!
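The failure in the debug trace above is the TLS client's hostname check: the configured "host" (127.0.0.1) is compared against the name the server certificate presents (CN=ldap.domain.com), and an IP literal never matches a DNS name. The following Python script is an added illustration of that check and is not code from the post, nss_ldap or OpenLDAP. It extracts the CN from an OpenSSL-style subject string as printed in the trace, then applies the generic RFC 6125-style matching rules (SAN dNSName/iPAddress take precedence over CN, wildcard only in the leftmost label, IP literals match only iPAddress entries). The CertNames structure and the sample certificate names are constructed for the example; they are not a description of nss_ldap's internal code.

```python
"""Hostname-vs-certificate matching, the check behind the nss_ldap message
'TLS: hostname (127.0.0.1) does not match common name in certificate'.
Added example; assumptions are marked in comments."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Names a server certificate presents (constructed abstraction, not a real parser)."""
    common_name: Optional[str]
    dns_names: List[str] = field(default_factory=list)      # SAN dNSName entries
    ip_addresses: List[str] = field(default_factory=list)   # SAN iPAddress entries


def cn_from_subject(subject: str) -> Optional[str]:
    """Pull the CN out of an OpenSSL one-line subject such as
    '/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com'."""
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return None


def _dns_name_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; '*' allowed only as the whole leftmost
    label and it matches exactly one label (so *.domain.com != domain.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":          # partial wildcards like ld*.domain.com are rejected
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(configured_host: str, names: CertNames) -> bool:
    """True if the configured 'host' value is a valid name for this certificate."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an iPAddress SAN, never by a CN.
        return any(ipaddress.ip_address(a) == ip for a in names.ip_addresses)
    if names.dns_names:
        # When dNSName SANs exist the CN is ignored entirely.
        return any(_dns_name_match(d, configured_host) for d in names.dns_names)
    if names.common_name:
        return _dns_name_match(names.common_name, configured_host)
    return False


def explain(configured_host: str, names: CertNames) -> str:
    """Reproduce the shape of the nss_ldap diagnostic for a mismatch."""
    if hostname_matches(configured_host, names):
        return f"TLS: hostname ({configured_host}) matches certificate"
    shown = names.dns_names[0] if names.dns_names else names.common_name
    return (f"TLS: hostname ({configured_host}) does not match common name "
            f"in certificate ({shown}).")


if __name__ == "__main__":
    # Constructed sample: the server certificate from the trace, CN only, no SAN.
    subject = "/C=RU/ST=MSK/L=MSK/O=ORG/OU=IT/CN=ldap.domain.com"
    server = CertNames(common_name=cn_from_subject(subject))
    for host in ("127.0.0.1", "ldap.domain.com"):
        print(explain(host, server))
```

Running the script prints the mismatch line for 127.0.0.1 and a match for ldap.domain.com, which is exactly the change the post made to the "host" setting. Note that a certificate carrying an iPAddress SAN for 127.0.0.1 would make the IP form work too, but issuing such a certificate is rarely the right answer; pointing the client at the DNS name the certificate was issued for is.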