Hello Rich,
On 04/12/2011 10:24 PM, Rich Megginson wrote:
On 04/12/2011 02:18 PM, Judith Flo Gaya wrote:
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS certificate verification: subject: -unknown-, issuer: -unknown-,
cipher: -unknown-, security level: off, secret key bits: 0, total key
bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown
code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It seems that it doesn't like the certificate.
-8182 is SEC_ERROR_BAD_SIGNATURE. During the TLS/SSL handshake, the
client tries to see if the server's cert is correctly signed by the CA
cert (the local ca-cert.pem).
Now I have the same error but using the moznss certs, the certificate
was copied from the server and the cert command confirms the status of
the certificate (so it's not bad...
# ldapsearch -x -d1
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ip:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: using moznss security dir /etc/openldap/cacerts.
TLS certificate verification: subject: -unknown-, issuer: -unknown-,
cipher: -unknown-, security level: off, secret key bits: 0, total key
bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown
code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@curri2 ~]# certutil -d /etc/openldap/cacerts/ -L "name cert"
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
name cert CTu,u,u
# certutil -V -u V -d /etc/openldap/cacerts/ -n "name cert"
certutil: certificate is valid