[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL/TLS - Help Please

To: openldap-software@OpenLDAP.org
Subject: Re: SSL/TLS - Help Please
From: Alberto Tablado <alberto@aluki.org>
Date: 04 Feb 2004 21:53:13 +0100
In-reply-to: <402134A1.3010106@ccom.uminho.pt>
References: <Pine.LNX.4.44.0401281258360.17890-100000@cerberus> <401935CD.7040908@ccom.uminho.pt> <Pine.GSO.4.58.0401301309530.5631@lectura.CS.Arizona.EDU> <402134A1.3010106@ccom.uminho.pt>

Literally, the log says that your certificate is self signed, i.e., the
issuer and the subject are the same. This, per se, is not an error. In
fact, CAs have self-signed certificates.

The error is below that line (two lines down) and says that the CA is
unknown. Normally, certificates are signed by well-known CAs (like
VeriSign), but your certificate is signed by the not-known yourself.
Normally, when a certificate signed by unknow CA is received, the
programs asks you for acceptance. In servers, this is not possible. You
have to add the certificate to the list of trusted CAs.

Regards.

Alberto.

El mié, 04-02-2004 a las 19:06, Miguel Baptista escribió:
> Hi,
> 
> I' ve tried to solve my the problem without bother you again. But no luck.
> 
> My computer's FQDN is now estagio.ccom.uminho.pt.   As in the previous 
> attempt, i follow this page's guide: 
> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
> 
> I created new certificates (CA, server and client).  They are all in the 
> same (testing) computer. So, the CN in those certificates is 
> estagio.ccom.uminho.pt
> I've made the necessary changes in this files: slapd.conf, ldap.conf and 
> .ldaprc
> 
> I run my server with this command:   /usr/local/libexec/slapd -d -1 -h 
> "ldap:///estagio.ccom.uminho.pt ldaps:///estagio.ccom.uminho.pt"
> 
> I executed this command:
> ldapsearch -x -d -1 -b 'dc=uminho,dc=pt' -D "cn=Manager,dc=uminho,dc=pt" 
> '(uid=a22)' -H ldaps://estagio.ccom.uminho.pt  -W -ZZ
> 
> and this is the client's trace with the -d -1 option (i removed some 
> parts that didn't look important)
> 
>   ldap_url_parse_ext(ldaps://estagio.ccom.uminho.pt:636)
>   ldap_connect_to_host: TCP estagio.ccom.uminho.pt:636
>   ldap_connect_to_host: Trying 192.168.1.210:636
>   ldap_connect_timeout: fd: 3 tm: -1 async: 0
>   ldap_int_sasl_open: host=estagio.ccom.uminho.pt
>   TLS trace: SSL_connect:before/connect initialization
>   tls_write: want=148, written=148
>   TLS trace: SSL_connect:SSLv2/v3 write client hello A
>   tls_read: want=7, got=7
>   tls_read: want=72, got=72
>   TLS trace: SSL_connect:SSLv3 read server hello A
>   tls_read: want=5, got=5
>   tls_read: want=1683, got=1683
>   TLS certificate verification: depth: 1, err: 19, subject: 
> /C=pt/ST=pt/L=braga/O=braga/OU=certificador/CN=estagio.ccom.uminho.pt, 
> issuer: > 
>  /C=pt/ST=pt/L=braga/O=braga/OU=certificador/CN=estagio.ccom.uminho.pt
>   TLS certificate verification: ------------------->  Error, self signed 
> certificate in certificate chain  <--------------------------
>   tls_write: want=7, written=7
>   TLS trace: SSL3 alert write:fatal:unknown CA
>   TLS trace: SSL_connect:error in SSLv3 read server certificate B
>   TLS trace: SSL_connect:error in SSLv3 read server certificate B
>   TLS: can't connect.
>   ldap_perror
>   ldap_start_tls: Can't contact LDAP server (81)
>          additional info: error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> 
> Does this problem arrise because i have the client, CA and server in the 
> same machine? I follow the tutorial but i didn't the use self signed 
> certificate, why is this happening? Any Ideas?
> 
> 
> 
> 
> 
> 
>

Follow-Ups:
- Re: SSL/TLS - Help Please
  - From: Miguel Baptista <miguel@ccom.uminho.pt>

References:
- Re: SSL/TLS - Help Please
  - From: Miguel Baptista <miguel@ccom.uminho.pt>

Prev by Date: Re: replica slapd core dumped under load: memory leak ?
Next by Date: Re: Cannot find rootDN
Index(es):
- Chronological
- Thread