
Re: SSL3 alert write:fatal:unknown CA



Hi,
thank you for your suggestion. I looked for a while on openldap.org and didn't
find the article you are mentioning. But I found the article "How do I use
TLS/SSL?" in the Faq-O-Matic, which gave me some answers.
I'm just testing OpenLDAP to get the know-how, and that's why I'm not going to
buy a "real" certificate.
Nevertheless, I'm still curious about the document you are talking about...
Cheers, Pierre

On Wednesday, 25 June 2003 23:50, Quanah Gibson-Mount wrote:
> Hello,
>
> I suggest reading the OpenLDAP FAQ.  It has a nice long detailed
> explanation of why you probably don't want to use self-signed certs, or if
> you do, you need to have a CA cert you can point both the server & clients
> at.
>
> --Quanah
>
> --On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri
>
> <pierre@globeall.de> wrote:
> > Hi,
> >
> > I'm trying to set up an LDAP server over SSL (it already works very well
> > without SSL)
> >
> > I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3
> >
> > I made a certificate, the common name is the FQDN of the host:
> > sun.stars.priv. The command:
> >
> > ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> >
> > gives me the following result:
> >
> > TLS certificate verification: depth: 0, err: 18, subject:
> > /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
> > il=certificate@sun.stars.priv,  issuer:
> > /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
> > il=certificate@sun.stars.priv TLS certificate verification: Error, self
> > signed certificate
> > tls_write: want=7, written=7
> >   0000:  15 03 01 00 02 02 30                               ......0
> > TLS trace: SSL3 alert write:fatal:unknown CA
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS: can't connect.
> > ldap_perror
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > What can I do so that clients on hosts other than "sun" recognize my
> > self-made certificate?
> >
> > On the server "sun", I put TLS_CACERT /etc/ldap/server.pem in file
> > /etc/ldap/ldap.conf, which removes the problem, but of course only on the
> > server.
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
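The advice in the thread (a private CA certificate that both the server and every client are pointed at via TLS_CACERT, rather than a bare self-signed server certificate) can be reproduced at the command line. The script below is an added example and is not code from either poster; it assumes the openssl CLI is installed and uses constructed names that match the thread (stars.priv, sun.stars.priv). It builds a small CA, signs a server certificate with it, and then runs openssl verify twice: once without any trust store, which fails the same way an ldapsearch client without TLS_CACERT does, and once with the CA file, which succeeds.

```shell
#!/bin/sh
# Added example (not from the thread): show why a client needs the CA
# certificate, and that distributing ca.pem fixes certificate verification.
# Assumes the openssl CLI; all names below are constructed for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config for the CA (constructed). Explicit extensions keep the
# result the same across OpenSSL 1.1 and 3.x default openssl.cnf files.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = DE
O = linux-age
CN = stars.priv CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Config for the server certificate (constructed): CN is the LDAP host's
# FQDN, and the cert is explicitly NOT a CA.
cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = DE
O = linux-age
OU = LDAP-Server
CN = sun.stars.priv
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:sun.stars.priv
EOF

# ca.pem is the file to copy to every client and name in TLS_CACERT.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Server key + CSR, then a certificate signed by the CA (not self-signed).
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/server.cnf" -extensions v3_server \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# A client with no CA configured: -no-CApath/-no-CAfile exclude the system
# trust store, so the only question is whether this issuer is known.
verify_without_ca() {
    if openssl verify -no-CApath -no-CAfile "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# A client with TLS_CACERT pointing at ca.pem: the chain now terminates in
# a trusted root and verification succeeds.
verify_with_ca() {
    if openssl verify -no-CApath -no-CAfile -CAfile "$WORK/ca.pem" \
            "$WORK/server.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca
make_server_cert
echo "without CA file: $(verify_without_ca)"   # expected: fail
echo "with CA file:    $(verify_with_ca)"      # expected: ok
```

The failing run corresponds to the "certificate verify failed" bind error in the thread; the passing run is what an ldapsearch from another host sees once /etc/ldap/ldap.conf on that host carries TLS_CACERT /etc/ldap/ca.pem (path constructed) and ca.pem has been copied there. Pointing TLS_CACERT at the server's own certificate, as in the original message, only ever works on the host that has that file.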