Re: Syncrepl can't start ssl session because of refused 'client' certificate
Hi Rich,
Thanks for your answer.
On 11/07/2011 17:30, Rich Megginson wrote:
> Can you do
> openssl x509 -in /path/to/cert.pem -text
> and paste the output here? /path/to/cert.pem is the file containing
> the cert which has the Subject DN:
> CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR
> Is this the server cert of the remote server (i.e. not the syncrepl
> client)?
This is the certificate defined as my main LDAP server's certificate
(used to enable ldaps connections).
It is not the syncrepl provider's certificate, nor a certificate
intended to be used to authenticate my main LDAP server to the provider.
> Be sure to obscure any sensitive data in the -text output before sending.
Here's the certificate with identification fields modified, though a
public certificate shouldn't contain such critical data (I wouldn't have
sent my private key though ;-) ).
What is interesting here, I think, is the "TLS Web Server
Authentication, Code Signing" value for the "X509v3 Extended Key Usage"
extension. This means that the certificate is not to be used as a client
authentication certificate, so syncrepl is right in stating that the SSL
connection can't be established. Though the question is, why on earth is
my server trying to use my server's certificate as a client certificate
while connecting to the syncrepl ldaps provider? It should instead only
check the provider's server certificate and then bind using the
provided credentials to authenticate to the provider.
-------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 221 (0xdd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myCA/emailAddress=thibault.lemeur@supelec.fr
        Validity
            Not Before: Oct 2 16:42:15 2007 GMT
            Not After : Dec 14 16:42:15 2012 GMT
        Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:2e:a1:15:f3:a1:50:5a:f3:8c:d8:18:07:47:
                    ef:37:83:b8:d6:5f:e3:ad:10:1e:8b:ce:8a:00:e3:
                    27:ac:75:7d:47:1a:74:31:b9:f1:9e:54:2c:44:82:
                    86:94:d6:36:ab:2e:88:1d:6b:b1:9c:5c:66:ad:32:
                    2c:46:6b:1b:fe:a2:cc:d6:30:13:8e:e8:de:c2:60:
                    90:73:5c:8c:e1:93:49:e8:94:ab:4b:0a:5f:8f:ff:
                    a6:1a:46:19:20:ab:cc:c6:69:7d:81:8c:16:90:b4:
                    02:bd:f8:c5:64:3f:03:d5:b6:94:a5:84:f5:58:01:
                    ed:79:40:a7:8b:23:99:41:23:54:43:93:fa:71:9b:
                    aa:5d:93:74:6c:02:e8:4c:d7:c1:99:85:19:01:5b:
                    d3:76:ee:f8:7e:eb:82:b1:51:4a:78:7b:7d:85:a3:
                    e2:8c:55:b6:93:b3:a0:f6:52:8f:8c:25:98:56:c1:
                    b6:86:fc:a2:07:74:00:27:56:c5:05:7f:8e:c3:f2:
                    4a:26:1a:9f:65:42:aa:8e:bb:62:36:f5:f7:cf:e5:
                    1e:97:19:27:37:33:33:3c:9c:a3:d1:0f:a7:fd:55:
                    c7:66:20:08:02:7c:4b:39:39:ce:9b:78:c6:33:07:
                    5b:41:08:e4:71:ee:a9:f4:ae:f7:03:5b:42:c0:64:
                    6e:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                7C:0D:57:20:C4:AD:35:D3:ED:E3:DE:FE:83:5E:DF:A4:F0:BB:4F:84
            X509v3 Authority Key Identifier:
                keyid:7D:86:22:B4:83:06:D7:49:7F:9A:BF:D6:83:41:BB:69:E5:65:6C:6E
                DirName:/C=FR/ST=myst/L=myloc/O=myorg/OU=myou/CN=myCA/emailAddress=thibault.lemeur@supelec.fr
                serial:00
            X509v3 Issuer Alternative Name:
                <EMPTY>
            Netscape SSL Server Name:
                myldap.mydom.fr
            X509v3 Subject Alternative Name:
                DNS:ldap, DNS:ldapalias1, DNS:ldapalias2, DNS:ldapalias1.mydom.fr, DNS:ldapalias2.mydom.fr, DNS:ldap.mydom.fr, DNS:myldap, DNS:myldap.mydom.fr
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Code Signing
    Signature Algorithm: sha1WithRSAEncryption
        a4:c4:58:03:f5:4f:d5:d5:4b:65:a4:6e:ca:16:21:fd:8c:49:
        06:0c:ce:74:20:17:40:c7:0f:f1:3a:15:fb:9b:37:07:4b:e2:
        2a:aa:1a:cc:0b:0c:f0:aa:3c:32:17:27:1f:1d:50:e9:ff:16:
        55:04:90:a9:61:37:b0:f0:95:a0:c8:cf:7d:7b:0b:ed:09:a8:
        92:3e:86:a5:d1:13:7b:ae:6d:d4:99:96:4f:bf:b0:d4:84:58:
        94:50:91:60:75:7e:24:30:15:d6:64:70:80:09:76:df:1f:27:
        4b:3d:1c:53:b7:4e:ba:5e:d2:20:11:53:ab:32:ec:27:0c:32:
        53:90
-------------------------------------------------------------------
Regards,
Thibault
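The check the poster does by eye above (reading the Extended Key Usage extension and concluding the certificate cannot act as a client certificate) can be reproduced with OpenSSL's own purpose checker. The script below is an added example, not code from this thread or from OpenLDAP: it generates two throwaway self-signed certificates, one with the same EKU as the poster's (serverAuth plus codeSigning) and one that also carries clientAuth, and asks `openssl x509 -purpose` whether each is acceptable as an SSL client certificate. It assumes OpenSSL 1.1.1 or later on PATH (for `req -addext`); the subject name, file names and EKU lists are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): ask OpenSSL whether a certificate
# passes its "SSL client" purpose check, i.e. whether a TLS peer would accept it as
# a client certificate. Assumes OpenSSL 1.1.1+ on PATH. Both certificates below are
# generated here as throwaway test data; they are not the poster's certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate carrying the given extendedKeyUsage list.
# $1 = base name for the key/cert files, $2 = EKU list, e.g. "serverAuth,codeSigning".
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=myldap.mydom.fr" \
        -addext "extendedKeyUsage=critical,$2" \
        -addext "subjectAltName=DNS:myldap.mydom.fr" >/dev/null 2>&1
}

# Echo "yes" if OpenSSL's purpose checker accepts the certificate for the
# "SSL client" purpose, "no" otherwise. $1 = base name used with make_cert.
client_auth_ok() {
    if openssl x509 -in "$WORK/$1.pem" -noout -purpose | grep -q '^SSL client : Yes'; then
        echo yes
    else
        echo no
    fi
}

make_cert server-only "serverAuth,codeSigning"   # same EKU as the certificate in the thread
make_cert dual        "serverAuth,clientAuth"    # what a certificate presented by a TLS client needs

echo "EKU serverAuth,codeSigning -> usable for client auth: $(client_auth_ok server-only)"
echo "EKU serverAuth,clientAuth  -> usable for client auth: $(client_auth_ok dual)"
```

To run the same check on a real file, point `openssl x509 -in <file> -noout -purpose` at it and look at the `SSL client :` line. OpenSSL only rejects the client purpose when an EKU extension is present and omits clientAuth, so a certificate with no EKU at all passes; the `Netscape Cert Type: SSL Server` extension in the poster's certificate would independently fail the client check as well.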