
Re: OpenLDAP, OpenSSL, TLS trace: SSL_accept:error in SSLv3 read client certificate A



In message <E1DA42CDF67DD61195200080AD7B2D990FC843@rockets.CHARJIV> on Thu, 31 Oct 2002 12:07:51 +0530, Pravin Joshi <pjoshi@CHARJIV.com> said:

pjoshi> TLS trace: SSL_accept:error in SSLv3 read client certificate A
pjoshi> TLS trace: SSL_accept:error in SSLv3 read client certificate A
pjoshi> connection_get(14): got connid=1
pjoshi> connection_read(14): checking for input on id=1
pjoshi> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
pjoshi> TLS: can't accept.
pjoshi> connection_read(14): TLS accept error error=-1 id=1, closing
pjoshi> connection_closing: readying conn=1 sd=14 for close
pjoshi> connection_close: conn=1 sd=14
[...]
pjoshi> Or is it that the certificate installed from Internet Explorer and
pjoshi> Netscape is just a copy of the server certificate, whereas my OpenLDAP is
pjoshi> asking for a client side certificate too? If that is the case, then what
pjoshi> should I do next?

Since it stops when trying to read a client certificate, it's a pretty
safe bet to assume that's where the problem is.

So, the next question is how slapd is configured.  Look in slapd.conf,
and check the TLS* settings.  I'm guessing that TLSClientVerify has a
value like "demand".

pjoshi> 1. How do I create and export client side certificate? 

The really important thing to check here is what CAs slapd trusts.
If you check for the settings TLSCAcertificateFile or TLSCAcertificatePath
and look at the file(s) those refer to (probably using the command
'openssl x509 -in $file -issuer -subject -noout'), you can find out
what CAs you can use to create a user certificate for yourself.  If
you don't recognise a particular one, you might want to ask someone
who knows, or create your own CA (quite easily done using the OpenSSL
CA.pl script), create a user certificate and sign it (also easily done
with CA.pl).  In the latter case, you need to tell slapd where the
certificate of your new CA is (or give it a copy) using the setting
TLSCAcertificateFile...

pjoshi> 2. How do I install client side certificate on windows based machine?

You probably need to make a PKCS#12 copy of your certificate+key+CAcert
(again, easily done with CA.pl), copy the result to your Windows
machine and double-click on that copy.  At least, that's how I
remembered doing it...

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.