[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS QUESTION

To: Dieter KlÃnter <dieter@dkluenter.de>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: TLS QUESTION
From: "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu>
Date: Mon, 10 Mar 2014 13:33:53 -0400
Accept-language: en-US
Acceptlanguage: en-US
Content-language: en-US
In-reply-to: <20140310175749.3c5290af@pink.avci.de>
References: <201403101518.s2AFIbPi085849@boole.openldap.org> <20140310175749.3c5290af@pink.avci.de>
Thread-index: Ac88geXFHaYeWGZmQKqBnAgUuNb7cgAArnog
Thread-topic: TLS QUESTION

Thanks Dieter...

As I stated I saw Howard Chu's response to an individual in 2005 with a similar issue and he stated then, " For the slapd server you use the corresponding TLSCACertificateFile directive. You must use these configuration directives if you want to accept a self-signed cert." 

I did add the olcTLSCACertificateFile attribute (just forgot to list it in my original post).  Was not certain at the time if the "olcTLSCertificateFile" should be removed so I did not remove it.  So, before I do remove it, the attribute should be "olcTLSCACertificateFile" instead of "olcTLSCertificateFile" (and this should be removed), correct?

The CA directories on all three servers look like this:

# ll
total 28
lrwxrwxrwx 1 root root   10 Jan 24 11:44 600f07a1.0 -> cacert.pem --> client hash
-rw-r--r-- 1 ldap ldap 5136 Jan 17 12:15 cacert.pem --> Self-signed certificate
-rw-r--r-- 1 ldap ldap 1090 Jan 17 12:07 cert.csr  --> Certificate Signing Request
-rw-r--r-- 1 ldap ldap 1757 Jan 17 12:23 client.pem --> Client Certificate PEM
-rw-r--r-- 1 ldap ldap    0 Jan 14 16:20 index.txt
drwxr-xr-x 2 ldap ldap 4096 Jan 14 16:18 newcerts (empty)
drwxr-xr-x 2 ldap ldap 4096 Jan 17 12:06 private  --> server private key directory (cakey.pem)
-rw-r--r-- 1 ldap ldap    3 Jan 17 11:59 serial
 
This may sound like a dumb question...

I created the client.pem from the cacert.pem (as indicated on openssl.org) then copied that to each client.  Is there a step I missed in there?

If so, where?

Thanks in advance

John
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter KlÃnter
Sent: Monday, March 10, 2014 12:58 PM
To: openldap-technical@openldap.org
Subject: Re: TLS QUESTION

Am Mon, 10 Mar 2014 11:18:14 -0400
schrieb "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu>:

> All,
> 
>  
> 
> My set up consists of three servers each syncing with each other.
> The host names are:
> 
> 1)      mm-server1.example.ldap
> 
> 2)      mm-server2.example.ldap
> 
> 3)      mm-server3.example.ldap
> 
>  
> 
> Utilizing TLSv1, on all three I have:
> 
> olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem

this should be opcTLSCAcertificateFile

> 
> olcTLSCertificateKeyFile:
> /usr/local/openldap/etc/openldap/CA/private/cakey.pem

you are misssing the host certificate, something like olcTLSCertificateFile /usr/local/openldap/etc/openldap/CA/host.pem

> 
> olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
> 
>  
> 
> Configured with self-signed wild-card certs, originally configured 
> (using openssl 0.9.8) on mm-server2 and exported to the other servers.
> 
>  
> 
> When running ldapmodify, ldapsearch, etc with a "-Z", and openssl 
> s_client on mm-server1 or mm-server3 or any client pointing back to
> mm-server1 or 3, I receive the following error:
> 
>  
> 
> TLS certificate verification: Error, self signed certificate
> 
> TLS: can't connect: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self 
> signed certificate).
> 
> ldap_start_tls: Connect error (-11)
> 
>         additional info: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self 
> signed certificate)
> 
>  
> 
> Running any of those to mm-server2, it works with no such error.
> 
>  
> 
> I am guessing, that since the certs were created on mm-server2, 
> originally, that is why it works this way.  Also, guessing I missed a 
> step somewhere.
> 
>  
> 
> I read online a post from 2005 with a good explanation of self-signed 
> from Howard Chu about a similar problem.
> 
>  
> 
> What is the best procedure for creating wild-card certs and sharing 
> those out to other servers?  The procedure that was used was from 
> openssl.org so it was not a fly-by-night weblog.
> 
>  
> 
> What did I miss (besides: a lot)?
> 
>  
> 
> Thanks in advance,
> 
>  
> 
>  
> 
> John D. Borresen (Dave)
> 
> Linux/Unix Systems Administrator
> 
> MIT  Lincoln Laboratory
> 
> Surveillance Systems Group
> 
> 244 Wood St
> 
> Lexington, MA  02420
> 
> Ph: (781) 981-1609
> 
> Email: john.borresen@ll.mit.edu
> 
>  
> 



--
Dieter KlÃnter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53Â37'09,95"N
10Â08'02,42"E

Attachment: smime.p7s
Description: S/MIME cryptographic signature

References:
- TLS QUESTION
  - From: "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu>
- Re: TLS QUESTION
  - From: Dieter KlÃnter <dieter@dkluenter.de>

Prev by Date: Re: TLS QUESTION
Next by Date: RE: TLS QUESTION
Index(es):
- Chronological
- Thread