
RE: Unable to use self-signed certs (ITS#1914)



This is not a bug and does not belong in ITS. Try discussing this on the
openldap-software list.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> quanah@stanford.edu
> Sent: Thursday, June 27, 2002 3:54 PM
> To: openldap-its@OpenLDAP.org
> Subject: Unable to use self-signed certs (ITS#1914)
>
>
> Full_Name: Quanah Gibson-Mount
> Version: 2.1.2
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.13.58)
>
>
> Under the OpenLDAP-2.1.2 build, it is no longer possible to use self-signed
> certs. It was possible to use self-signed certs in prior versions of
> OpenLDAP, and for development machines, I certainly don't want to shell
> out $$ to verisign just so I can use SSL for testing. :)
>
>
> start_tls bombs out with the error:
>
> ldap4:~> ldapsearch -d 65535 -H ldap://ldap4.stanford.edu/ -p 389 -b "" -s base -LLL -ZZ supportedSASLMechanisms
> ldap_create
> ldap_url_parse_ext(ldap://ldap4.stanford.edu/)
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap4.stanford.edu:389
> ldap_new_socket: 4
> ldap_prepare_socket: 4
> ldap_connect_to_host: Trying 171.64.14.183:389
> ldap_connect_timeout: fd: 4 tm: -1 async: 0
> ldap_ndelay_on: 4
> ldap_ndelay_off: 4
> ldap_int_sasl_open: host=ldap4.Stanford.EDU
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_flush: 31 bytes to sd 4
>   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31  0....w...1.3.6.1
>   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
> ldap_write: want=31, written=31
>   0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31  0....w...1.3.6.1
>   0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
> ldap_result msgid 1
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> wait4msg (infinite timeout), msgid 1
> wait4msg continue, msgid 1, all 1
> ** Connections:
> * host: ldap4.stanford.edu  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Thu Jun 27 15:51:07 2002
>
> ** Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>    outstanding referrals 0, parent count 0
> ** Response Queue:
>    Empty
> ldap_chkResponseList for msgid=1, all=1
> ldap_chkResponseList returns NULL
> ldap_int_select
>  [snip]
> TLS certificate verification: depth: 0, err: 18,
> subject: /C=US/ST=California/L=Stanford/O=Stanford University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu,
> issuer: /C=US/ST=California/L=Stanford/O=Stanford University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu
> TLS certificate verification: Error, self signed certificate
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (91)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Regards,
> Quanah Gibson-Mount
> Senior Systems Administrator
> Stanford University
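The trace quoted above is a textbook verify failure: depth 0, OpenSSL verify result 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), and a subject DN identical to the issuer DN, which is exactly what a self-signed server certificate looks like to a client that has no trust anchor for it. As an added example that is not part of this thread or of OpenLDAP, the script below triages such `ldapsearch -d` output: it parses the verification lines, maps the error code through a small table of OpenSSL verify codes, confirms the self-signed case by comparing subject and issuer, and returns a defender-side recommendation. The sample trace is constructed from the quoted output with the mail-wrapped DN lines rejoined; the recommendation strings and the `ldap.conf` settings they mention (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT) are my wording, not a fix proposed anywhere in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of OpenSSL's X509_V_ERR_* verify result codes. 18 is the value that
# appears in the quoted trace ("err: 18"); the others are included so the
# triage generalises beyond the one case in the thread.
X509_VERIFY_ERRORS = {
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    62: "hostname mismatch",
}

# Verification line emitted by libldap's TLS verify callback. OpenSSL
# "oneline" DNs use '/' as the RDN separator, so ", issuer:" is a safe split.
VERIFY_LINE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.+?), issuer: (?P<issuer>.+)$"
)


@dataclass
class VerifyFailure:
    depth: int
    err: int
    subject: str
    issuer: str

    @property
    def reason(self) -> str:
        return X509_VERIFY_ERRORS.get(self.err, f"X509 verify error {self.err}")

    @property
    def self_signed(self) -> bool:
        # A self-signed certificate is its own issuer.
        return self.subject == self.issuer


def parse_verify_failures(trace: str) -> list[VerifyFailure]:
    """Return every non-zero verify result found in an ldapsearch -d trace."""
    failures = []
    for line in trace.splitlines():
        m = VERIFY_LINE.search(line)
        if m and int(m["err"]) != 0:
            failures.append(VerifyFailure(int(m["depth"]), int(m["err"]),
                                          m["subject"].strip(), m["issuer"].strip()))
    return failures


def start_tls_failed(trace: str) -> bool:
    """True if the trace shows StartTLS aborting (LDAP_CONNECT_ERROR is 91)."""
    return "ldap_start_tls: Connect error (91)" in trace or "TLS: can't connect." in trace


def recommend(f: VerifyFailure) -> str:
    """Remediation hint (assumed wording). Keeps verification on: give the client
    the right trust anchor via ldap.conf TLS_CACERT / TLS_CACERTDIR; for a
    self-signed server cert that anchor is the server certificate itself."""
    if f.err in (18, 19):
        return ("self-signed: add the server certificate itself to the client trust "
                "store (TLS_CACERT); do not disable checking with TLS_REQCERT never")
    if f.err in (20, 21):
        return "chain incomplete: install the missing issuer/root CA in TLS_CACERT or TLS_CACERTDIR"
    if f.err == 62:
        return "hostname mismatch: connect using a name present in the certificate's SAN/CN"
    if f.err == 10:
        return "expired certificate: renew the server certificate"
    return f"unhandled verify error {f.err}: inspect the server chain with openssl s_client"


# Constructed sample, modelled on the quoted ldapsearch -d 65535 output with the
# mail-wrapped DN lines joined back onto one line.
SAMPLE_TRACE = """\
ldap_int_select
TLS certificate verification: depth: 0, err: 18, subject: /C=US/ST=California/L=Stanford/O=Stanford University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu, issuer: /C=US/ST=California/L=Stanford/O=Stanford University/OU=ITSS/CN=ldap4.stanford.edu/Email=directory-team@lists.stanford.edu
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect.
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

if __name__ == "__main__":
    for f in parse_verify_failures(SAMPLE_TRACE):
        print(f"depth {f.depth} err {f.err} ({f.reason}); self-signed={f.self_signed}")
        print("  ->", recommend(f))
    print("StartTLS failed:", start_tls_failed(SAMPLE_TRACE))
```

The subject/issuer comparison is the check worth keeping even when the error table is incomplete: a chain whose leaf is its own issuer will never validate against a CA bundle, so the only sound client-side fix is to trust that exact certificate, not to stop verifying.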