
Self-signed CA certificates in OpenLDAP 2.1.8

Greetings,

I'm getting strange errors about self-signed certificates in OpenLDAP 2.1.8
with OpenSSL 0.9.6b-28.  ldapsearch -Z with debugging turned on complains:

TLS trace: SSL_connect:SSLv3 read server hello A
[read certificate]
TLS certificate verification: depth: 1, err: 19, subject: /C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service, issuer: /C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service
TLS certificate verification: Error, self signed certificate in certificate chain
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

However, the server certificate in question is *not* self-signed, it is
signed by a CA known to both parties just the way a good little certificate
should.  The CA certificate is, of course, self-signed -- but all CA
certificates are!  The certificate exchange also works quite nicely in 2.0.23,
so the certificate file locations etc. are configured correctly.  What on
earth is the problem, and how do I fix it?

Enclosed below are printouts of the CA and server certificates in question:

*** CA

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FI, ST=Too Cold Place, L=Espoo, O=Espoo Kingdom, CN=Universal Super Deluxe CA Service
        Validity
            Not Before: Oct 22 09:14:36 2002 GMT
            Not After : Oct 22 09:14:36 2003 GMT
        Subject: C=FI, ST=Too Cold Place, L=Espoo, O=Espoo Kingdom, CN=Universal Super Deluxe CA Service
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b9:c1:b1:a9:15:74:4b:dd:bf:1c:73:d6:08:43:
                    8f:18:20:9b:94:6d:ba:f2:ef:0d:d4:f2:02:79:14:
                    31:a7:c1:de:ca:0f:30:f2:d2:c2:84:f8:1d:2e:b5:
                    e9:85:c9:7e:b9:33:39:ba:be:d4:de:f9:4c:8a:0c:
                    a7:4b:64:21:cc:30:c3:fd:28:93:09:7d:5e:59:cb:
                    96:32:b8:e1:de:7d:e9:e1:fa:7c:64:c3:7f:3d:a7:
                    42:55:f4:12:fc:d0:8f:e2:e6:f5:4f:ac:e3:75:a8:
                    70:f5:47:fd:e6:18:3c:f7:9b:55:dd:61:9b:a7:30:
                    0b:8d:9f:55:bf:15:a7:b9:1b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AE:90:03:DF:CF:0C:3A:63:81:4B:55:BD:24:0D:56:6E:FA:3C:78:C0
            X509v3 Authority Key Identifier:
                keyid:AE:90:03:DF:CF:0C:3A:63:81:4B:55:BD:24:0D:56:6E:FA:3C:78:C0
                DirName:/C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        6a:59:07:08:0d:08:6e:dc:a1:55:db:5c:ba:d0:0d:48:29:af:
        76:94:e1:49:12:a9:6e:0f:59:8d:38:bf:a0:5d:bc:62:a8:d6:
        85:40:14:45:98:d6:5a:36:9e:cf:0d:84:27:19:c3:25:71:08:
        91:6f:98:ba:7f:8e:26:11:52:0c:e9:46:11:98:c1:57:1b:0e:
        37:85:a0:e4:cb:66:ed:4e:3a:1c:5c:e0:2b:6b:d6:76:22:d0:
        c0:0e:4d:90:72:06:a2:c0:b6:5f:9c:3d:db:ca:59:60:a1:10:
        24:7b:09:f8:1a:87:62:7a:2d:8b:31:f0:13:05:95:88:18:79:
        c9:34

*** Server

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FI, ST=Too Cold Place, L=Espoo, O=Espoo Kingdom, CN=Universal Super Deluxe CA Service
        Validity
            Not Before: Oct 22 11:10:10 2002 GMT
            Not After : Oct 22 11:10:10 2003 GMT
        Subject: C=FI, ST=Espoo, L=Newbury, O=My Company Ltd, CN=ldap.labra.fi
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d8:55:3c:4e:10:c6:5b:62:d2:33:14:0a:54:db:
                    74:f9:7b:0f:d1:df:41:a2:02:29:24:3d:7d:af:39:
                    08:9c:56:ec:17:ce:bf:4a:91:12:b2:5e:a4:cf:0b:
                    c1:e2:30:6b:00:1d:cc:18:87:80:63:cd:88:5b:4a:
                    e9:d0:b9:9c:da:23:56:5f:90:6b:5b:fd:b5:10:a2:
                    ae:2b:69:16:7d:a6:15:29:18:e5:02:c1:d2:7a:ba:
                    6b:dc:72:21:7a:df:53:a8:ec:f3:4c:ef:5b:02:92:
                    3e:16:af:f8:b1:e4:09:a2:e8:80:75:ae:bc:3a:fe:
                    ec:2d:2b:13:b8:e5:a2:75:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                96:8A:C5:63:A2:B4:4B:AA:11:7D:8F:60:4E:44:EA:C4:CD:B2:4B:BB
            X509v3 Authority Key Identifier:
                keyid:AE:90:03:DF:CF:0C:3A:63:81:4B:55:BD:24:0D:56:6E:FA:3C:78:C0
                DirName:/C=FI/ST=Too Cold Place/L=Espoo/O=Espoo Kingdom/CN=Universal Super Deluxe CA Service
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        85:4b:8d:af:95:50:01:f6:c9:6a:0e:6e:1f:09:94:b0:af:c2:
        0e:e0:f5:00:6e:18:17:76:76:76:cf:5a:3c:20:79:94:22:c5:
        b2:aa:5d:00:73:dc:f4:15:7a:38:a6:c5:a5:b9:9e:68:36:8e:
        9e:ca:ef:5d:f0:7e:af:b8:be:2c:45:f8:00:43:d2:5f:22:4f:
        5c:f9:ba:b5:3a:7a:56:e9:35:1a:3f:98:da:40:6d:16:a6:a8:
        91:62:1c:36:07:4c:b9:9f:97:28:10:b7:f5:b4:84:1b:b0:19:
        c4:ef:fe:e6:81:51:04:9d:00:5a:10:a9:96:34:44:83:18:f8:
        ec:a2

Cheers,
--
Jani Patokallio >0._, unction of my function. urge. urging of my purging.
jpatokal@iki.fi  `..' nip. nip of my snip. now. now. now of my enow. NOW.
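Added example, not part of the post above and not OpenLDAP or OpenSSL project code: a shell script that rebuilds the situation in the debug trace with a throwaway private CA so the meaning of "err: 19" at "depth: 1" can be seen directly. Error 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the verifier walked the chain it was handed, reached the self-signed CA certificate at depth 1, and found that CA absent from its own trust store. It is not a complaint about the server certificate, and it differs from error 20 (issuer not found at all), which is what appears when the CA certificate is neither presented nor trusted. The CA name, the server name ldap.example.test and the file locations are made up for the example; only the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce OpenSSL verify error 19
# with a throwaway private CA so the meaning of "depth 1" is visible.
# Names (Example Private CA, ldap.example.test) and file locations are made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a two-certificate PKI: a self-signed CA (every root is self-signed,
# exactly as in the post) and a server certificate signed by that CA.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/C=XX/O=Example/CN=Example Private CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/C=XX/O=Example/CN=ldap.example.test" \
      -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/srv.csr" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Run "openssl verify" on the server cert with the given trust options and
# reduce the result to "OK" or "error <X509_V_ERR code> depth <n>", so the
# outcome reads the same across OpenSSL versions whose wording and exit
# codes differ (1.0.x even exits 0 on a failed verification).
verify_result() {
  out="$(openssl verify "$@" "$WORK/srv.pem" 2>&1 || true)"
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" |
         sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/error \1 depth \2/p' |
         head -n 1 ;;
  esac
}

# Case 1: the CA cert is presented as part of the chain (-untrusted plays the
# role of the server sending its chain) but is NOT in the trust store.
# This is the trace's situation: error 19 at depth 1.
chain_without_trusted_ca() { verify_result -untrusted "$WORK/ca.pem"; }

# Case 2: the same chain, but the CA cert is in the trust store
# (what a client's configured CA file provides). Verification succeeds.
chain_with_trusted_ca() { verify_result -CAfile "$WORK/ca.pem"; }

# Case 3: the CA cert is neither presented nor trusted: a different code,
# error 20 at depth 0 (issuer cannot be found at all).
chain_no_ca_offered() { verify_result; }

make_pki
echo "CA in chain, not trusted : $(chain_without_trusted_ca)"
echo "CA in chain and trusted  : $(chain_with_trusted_ca)"
echo "CA not offered at all    : $(chain_no_ca_offered)"
```

The useful diagnostic habit this shows: when a TLS client reports error 19, check which CA file or directory that particular client process actually loads (not the server's configuration, and not another client version's), and confirm the self-signed CA certificate printed at depth 1 is present in it, for example by running the same `openssl verify -CAfile <that file>` against the server certificate.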