
Re: bad certificate error.



Still trying to track down why TLS/SSL doesn't work.

SSL_get_verify_result() in tls.c returns 18, success is 0.

From the OpenSSL manpage, 18 means...

18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.


http://www.openssl.org/docs/apps/verify.html

Seen this before?

--Kervin
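The failure described above (a self-signed server certificate that is not in the client's trusted list, verify result 18) reproduced in code, as an added example that is not from the thread: it uses Go's standard-library crypto/x509 rather than OpenSSL, so the failure shows up as an `x509.UnknownAuthorityError` instead of the numeric code, and the host name and certificate are constructed placeholders.

```go
// Added example (not from the thread): self-signed cert vs. trusted list, via Go's crypto/x509.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeSelfSigned builds a throwaway self-signed server certificate in memory (constructed input).
func makeSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Parent is the template itself, so issuer == subject: a self-signed certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo verifies the cert against an empty trust list (the failing client's situation),
// then again with the very same certificate added as a trusted root.
func Demo() (errUntrusted error, errTrusted error) {
	host := "ldap.example.test" // placeholder, not the thread's host
	cert, err := makeSelfSigned(host)
	if err != nil {
		return err, err
	}
	empty := x509.NewCertPool() // no trusted certificates at all
	_, errUntrusted = cert.Verify(x509.VerifyOptions{Roots: empty, DNSName: host})
	trusted := x509.NewCertPool()
	trusted.AddCert(cert) // the self-signed cert itself becomes the trust anchor
	_, errTrusted = cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return errUntrusted, errTrusted
}
```

The first Verify fails because no chain to a trusted root exists; the second succeeds because the certificate in the trust list is the one presented.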


Kervin L. Pierre wrote:

Changed the port. I've been looking at the thing too long.

Using s_client to connect to openldap does not produce an SSL error. But using ldapsearch to connect to s_server produces the following...

# openssl s_server -accept 636 -cert /etc/openldap/slapd.pem
Using default temp DH parameters
ACCEPT
Shared ciphers:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EXP1024-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5


CIPHER is EDH-RSA-DES-CBC3-SHA
ERROR
shutting down SSL
CONNECTION CLOSED

the ldapsearch command is...
]$ ldapsearch -x -H ldaps://bashful.eng.fit.edu/ -b 'dc=my-domain,dc=com' '(objectclass=*)'


Does that mean that the problem is with ldapsearch?

--Kervin


Howard Chu wrote:

-----Original Message-----
From: Kervin L. Pierre [mailto:kervin@blueprint-tech.com]



With s_client connecting to s_server, everything looks fine. There are no errors reported. When I try to connect to the OpenLDAP server using s_client I get...

$ openssl s_client -connect bashful.eng.fit.edu:389



You're using the cleartext port; you should be using 636 here.


CONNECTED(00000003)
26420:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:



-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support