Re: TLS QUESTION
On Mon, 10 Mar 2014 11:18:14 -0400,
"Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu> wrote:
> All,
>
> My set up consists of three servers each syncing with each other.
> The host names are:
>
> 1) mm-server1.example.ldap
>
> 2) mm-server2.example.ldap
>
> 3) mm-server3.example.ldap
>
> Utilizing TLSv1, on all three I have:
>
> olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem
this should be olcTLSCACertificateFile
>
> olcTLSCertificateKeyFile:
> /usr/local/openldap/etc/openldap/CA/private/cakey.pem
you are missing the host certificate, something like
olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/host.pem
>
> olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
>
> Configured with self-signed wild-card certs, originally configured
> (using openssl 0.9.8) on mm-server2 and exported to the other servers.
>
> When running ldapmodify, ldapsearch, etc with a "-Z", and openssl
> s_client on mm-server1 or mm-server3 or any client pointing back to
> mm-server1 or 3, I receive the following error:
>
> TLS certificate verification: Error, self signed certificate
>
> TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate).
>
> ldap_start_tls: Connect error (-11)
>
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
>
> Running any of those to mm-server2, it works with no such error.
>
> I am guessing, that since the certs were created on mm-server2,
> originally, that is why it works this way. Also, guessing I missed a
> step somewhere.
>
> I read online a post from 2005 with a good explanation of self-signed
> from Howard Chu about a similar problem.
>
> What is the best procedure for creating wild-card certs and sharing
> those out to other servers? The procedure that was used was from
> openssl.org so it was not a fly-by-night weblog.
>
> What did I miss (besides: a lot)?
>
> Thanks in advance,
>
> John D. Borresen (Dave)
> Linux/Unix Systems Administrator
> MIT Lincoln Laboratory
> Surveillance Systems Group
> 244 Wood St
> Lexington, MA 02420
> Ph: (781) 981-1609
> Email: john.borresen@ll.mit.edu
>
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
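Worked example added by the editor, not code from either message in the thread. It builds the layout the reply points at: one self-signed CA whose certificate goes into olcTLSCACertificateFile on every server (and TLS_CACERT on every client), plus a separate host certificate and key per replica for olcTLSCertificateFile and olcTLSCertificateKeyFile. It then verifies each host certificate against the CA the way a client does after STARTTLS, and reproduces the "self signed certificate" error from the post by verifying cacert.pem on its own, which is what a server presenting the CA certificate as its own certificate causes on any client that lacks a copy of it. The host names are the ones from the post; the CA subject, the output directory (a temporary directory unless $WORK is set), the per-host rather than wildcard certificates, and the cn=config LDIF are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a CA and one host
# certificate per replica, then checks the chain the way an LDAP client does.
# Host names come from the post; CA subject, output directory and LDIF shape
# are assumptions for illustration.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/CA"
mkdir -p "$CA_DIR/private"

# 1. Self-signed CA. cacert.pem goes into olcTLSCACertificateFile on every
#    server and TLS_CACERT on every client; cakey.pem stays on the signing
#    host and is never copied to the replicas.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=example.ldap test CA" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

# 2. One host certificate per server, signed by the CA, with the host name in
#    subjectAltName as well as CN. These files, not the CA files, are what
#    olcTLSCertificateFile and olcTLSCertificateKeyFile must point at.
make_host_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$CA_DIR/private/$host.key" -out "$CA_DIR/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$CA_DIR/$host.ext"
    openssl x509 -req -sha256 -days 825 -in "$CA_DIR/$host.csr" \
        -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/private/cakey.pem" -CAcreateserial \
        -extfile "$CA_DIR/$host.ext" -out "$CA_DIR/$host.pem" 2>/dev/null
}

# 3. The check a client performs after STARTTLS: the server's certificate
#    must chain to a CA the client trusts. Returns 0 when it does.
chain_ok() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.pem" >/dev/null 2>&1
}

# The failure from the post, reproduced: a server that serves cacert.pem as
# its own certificate hands a self-signed cert to a client whose trust store
# does not contain it, and verification fails with "self signed certificate".
# Returns 0 when that error is observed.
reproduces_post_error() {
    out=$(openssl verify "$CA_DIR/cacert.pem" 2>&1 || true)
    printf '%s\n' "$out" | grep -qi "self.signed certificate"
}

# 4. The three cn=config attributes each replica needs (LDIF shape assumed;
#    paths point at this script's output directory).
config_ldif() {
    host="$1"
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $CA_DIR/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CA_DIR/$host.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $CA_DIR/private/$host.key
EOF
}

make_ca
for h in mm-server1.example.ldap mm-server2.example.ldap mm-server3.example.ldap; do
    make_host_cert "$h"
    chain_ok "$h" || { echo "$h: certificate does not chain to cacert.pem" >&2; exit 1; }
    echo "$h: host certificate issued and verified against cacert.pem"
done
config_ldif mm-server1.example.ldap
# Client side: TLS_CACERT in ldap.conf (or ~/.ldaprc), then
#   ldapsearch -ZZ -H ldap://mm-server1.example.ldap -x -b '' -s base
# against each replica in turn should no longer report "Connect error (-11)".
echo "TLS_CACERT $CA_DIR/cacert.pem"
```

Per-host certificates are used here instead of the wildcard certificate the post asks about so that no private key has to be copied between servers; a wildcard certificate (CN and SAN of *.example.ldap) signed by the same CA would verify the same way, at the cost of sharing one key across all three hosts. The cipher string in the post (HIGH:MEDIUM+TLSv1+SSLv3) is from 2014 and should not be copied into a current deployment; SSLv3 has been deprecated (RFC 7568) and OpenLDAP's olcTLSProtocolMin is the place to exclude old protocol versions.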
- Follow-Ups:
- RE: TLS QUESTION
- From: "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu>
- References:
- TLS QUESTION
- From: "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu>