
Re: Syncrepl can't start ssl session because of refused 'client' certificate



Hi Rich,

Thanks for your answer.

On 11/07/2011 17:30, Rich Megginson wrote:
> Can you do
> openssl x509 -in /path/to/cert.pem -text
> and paste the output here? /path/to/cert.pem is the file containing the cert which has the Subject DN: CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR
>
> Is this the server cert of the remote server (i.e. not the syncrepl client).

This is the certificate defined as my main LDAP server's certificate (used to enable ldaps connection). It is not the syncrepl provider's certificate, nor a certificate intended to be used to authenticate my main LDAP server to the provider.

> Be sure to obscure any sensitive data in the -text output before sending.

Here's the certificate with identification fields modified, though a public certificate shouldn't contain such critical data (I wouldn't have sent my private key though ;-) ).

What is interesting here, I think, is the "TLS Web Server Authentication, Code Signing" value for the "X509v3 Extended Key Usage" extension. This means that the certificate is not to be used as a client authentication certificate, so syncrepl is right in stating that the SSL connection can't be established. Though the question is, why on earth is my server trying to use my Server's certificate as a client certificate while connecting to the syncrepl ldaps provider! It should instead only check the provider's Server certificate and then bind using the provided credential to authenticate to the provider.


-------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 221 (0xdd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myCA/emailAddress=thibault.lemeur@supelec.fr
        Validity
            Not Before: Oct  2 16:42:15 2007 GMT
            Not After : Dec 14 16:42:15 2012 GMT
        Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:2e:a1:15:f3:a1:50:5a:f3:8c:d8:18:07:47:
                    ef:37:83:b8:d6:5f:e3:ad:10:1e:8b:ce:8a:00:e3:
                    27:ac:75:7d:47:1a:74:31:b9:f1:9e:54:2c:44:82:
                    86:94:d6:36:ab:2e:88:1d:6b:b1:9c:5c:66:ad:32:
                    2c:46:6b:1b:fe:a2:cc:d6:30:13:8e:e8:de:c2:60:
                    90:73:5c:8c:e1:93:49:e8:94:ab:4b:0a:5f:8f:ff:
                    a6:1a:46:19:20:ab:cc:c6:69:7d:81:8c:16:90:b4:
                    02:bd:f8:c5:64:3f:03:d5:b6:94:a5:84:f5:58:01:
                    ed:79:40:a7:8b:23:99:41:23:54:43:93:fa:71:9b:
                    aa:5d:93:74:6c:02:e8:4c:d7:c1:99:85:19:01:5b:
                    d3:76:ee:f8:7e:eb:82:b1:51:4a:78:7b:7d:85:a3:
                    e2:8c:55:b6:93:b3:a0:f6:52:8f:8c:25:98:56:c1:
                    b6:86:fc:a2:07:74:00:27:56:c5:05:7f:8e:c3:f2:
                    4a:26:1a:9f:65:42:aa:8e:bb:62:36:f5:f7:cf:e5:
                    1e:97:19:27:37:33:33:3c:9c:a3:d1:0f:a7:fd:55:
                    c7:66:20:08:02:7c:4b:39:39:ce:9b:78:c6:33:07:
                    5b:41:08:e4:71:ee:a9:f4:ae:f7:03:5b:42:c0:64:
                    6e:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                7C:0D:57:20:C4:AD:35:D3:ED:E3:DE:FE:83:5E:DF:A4:F0:BB:4F:84
            X509v3 Authority Key Identifier:
                keyid:7D:86:22:B4:83:06:D7:49:7F:9A:BF:D6:83:41:BB:69:E5:65:6C:6E
                DirName:/C=FR/ST=myst/L=myloc/O=myorg/OU=myou/CN=myCA/emailAddress=thibault.lemeur@supelec.fr
                serial:00

            X509v3 Issuer Alternative Name:
                <EMPTY>

            Netscape SSL Server Name:
                myldap.mydom.fr
            X509v3 Subject Alternative Name:
                DNS:ldap, DNS:ldapalias1, DNS:ldapalias2, DNS:ldapalias1.mydom.fr, DNS:ldapalias2.mydom.fr, DNS:ldap.mydom.fr, DNS:myldap, DNS:myldap.mydom.fr
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Code Signing
    Signature Algorithm: sha1WithRSAEncryption
        a4:c4:58:03:f5:4f:d5:d5:4b:65:a4:6e:ca:16:21:fd:8c:49:
        06:0c:ce:74:20:17:40:c7:0f:f1:3a:15:fb:9b:37:07:4b:e2:
        2a:aa:1a:cc:0b:0c:f0:aa:3c:32:17:27:1f:1d:50:e9:ff:16:
        55:04:90:a9:61:37:b0:f0:95:a0:c8:cf:7d:7b:0b:ed:09:a8:
        92:3e:86:a5:d1:13:7b:ae:6d:d4:99:96:4f:bf:b0:d4:84:58:
        94:50:91:60:75:7e:24:30:15:d6:64:70:80:09:76:df:1f:27:
        4b:3d:1c:53:b7:4e:ba:5e:d2:20:11:53:ab:32:ec:27:0c:32:
        53:90
-------------------------------------------------------------------



Regards,
Thibault
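An added check, not part of this thread's messages: the diagnosis above (the certificate carries a critical Extended Key Usage of serverAuth + codeSigning and a Netscape Cert Type of "SSL Server", so a peer asking for a client certificate will reject it) can be automated by parsing the `openssl x509 -text` dump the thread is looking at. The script below is written for this page, is not OpenLDAP's or OpenSSL's code, and assumes the standard layout of `openssl x509 -noout -text` output (extension names indented 12 spaces, values indented 16). The two embedded dumps are constructed, abbreviated samples in the shape of the one in the thread, not real certificates.

```python
"""Decide from an `openssl x509 -noout -text` dump whether a certificate is usable
for TLS *client* authentication, i.e. what a syncrepl consumer would need if the
provider requests a client certificate. Hypothetical helper written for this page."""

import re

# Constructed sample 1: same shape as the dump in the thread (key/signature omitted).
# EKU is critical and names only serverAuth + codeSigning; Netscape type is "SSL Server".
SAMPLE_SERVER_ONLY = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 221 (0xdd)
        Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Subject Alternative Name:
                DNS:myldap.mydom.fr, DNS:ldap.mydom.fr
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, Code Signing
    Signature Algorithm: sha1WithRSAEncryption
"""

# Constructed sample 2: a dual-use certificate that a consumer could present as a client.
SAMPLE_DUAL_USE = """\
Certificate:
    Data:
        Subject: CN=consumer.mydom.fr
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
"""

# Extension header: exactly 12 spaces, a name, a colon, optional " critical".
EXT_HEADER = re.compile(r"^ {12}(?P<name>\S[^:]*?):(?P<crit> critical)?\s*$")

# EKU purposes (as OpenSSL prints them) that permit use as a TLS client.
CLIENT_PURPOSES = {"TLS Web Client Authentication", "Any Extended Key Usage"}


def parse_extensions(text):
    """Return {extension name: (is_critical, [value tokens])} from a -text dump."""
    exts = {}
    in_exts = False
    current = None
    for line in text.splitlines():
        if line.strip() == "X509v3 extensions:":
            in_exts = True
            continue
        if not in_exts:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if line.strip() and indent < 12:
            break  # "Signature Algorithm:" (indent 4) ends the extension block
        m = EXT_HEADER.match(line)
        if m:
            current = m.group("name").strip()
            exts[current] = (m.group("crit") is not None, [])
            continue
        if current and line.strip():
            # Value lines hold comma-separated purposes, SANs, key ids, etc.
            exts[current][1].extend(v.strip() for v in line.split(",") if v.strip())
    return exts


def client_auth_problems(text):
    """List the reasons a certificate cannot act as a TLS client cert (empty = usable)."""
    exts = parse_extensions(text)
    problems = []
    if "X509v3 Extended Key Usage" in exts:
        critical, purposes = exts["X509v3 Extended Key Usage"]
        if not CLIENT_PURPOSES & set(purposes):
            problems.append("Extended Key Usage%s lacks TLS Web Client Authentication: %s"
                            % (" (critical)" if critical else "", ", ".join(purposes)))
    if "Netscape Cert Type" in exts:
        _, types = exts["Netscape Cert Type"]
        if "SSL Client" not in types:
            problems.append("Netscape Cert Type lacks SSL Client: %s" % ", ".join(types))
    return problems


if __name__ == "__main__":
    # Real use: client_auth_problems(open(path).read()) on the output of
    #   openssl x509 -in /path/to/cert.pem -noout -text
    for label, dump in (("server-only", SAMPLE_SERVER_ONLY), ("dual-use", SAMPLE_DUAL_USE)):
        issues = client_auth_problems(dump)
        print(label, "->", "usable as client cert" if not issues else "; ".join(issues))
```

Run it against the dump of whichever certificate the consumer's TLS settings point at; a non-empty result from `client_auth_problems` is the condition that produced the refused handshake in this thread, and the remedy on the consumer side is either a certificate whose EKU includes clientAuth or a configuration that presents no client certificate at all when only simple-bind credentials are meant to authenticate.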