[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: tls key exchange

To: Thomas Berg <Thomas.Berg1@gmx.de>
Subject: Re: tls key exchange
From: Buchan Milne <bgmilne@obsidian.co.za>
Date: Thu, 24 Jun 2004 15:28:14 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <30925.1088082610@www27.gmx.net>
References: <40D88748.60005@obsidian.co.za> <30925.1088082610@www27.gmx.net>
User-agent: Mozilla Thunderbird 0.6 (X11/20040609)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Berg wrote:
|>Thomas Berg wrote:
|>| hi
|>|
|>| Ich tried for quite a long time to get tls/ssl encryption to work
|>together
|>| with openldap. But it didn't work. This is my configuration.
|>|
|>| I went the normal way to generate the CA, the req and the cert.
|>|
|>| CA.pl -newca
|>| CA.pl -newcert
|>| CA.pl -signcert
|>| openssl rsa -in newreq.pem -out ldapkey.pem
|>| cp newcert.pem ldapcert.pem
|>| CA.pl verify ldapcert.pem (OK)
|>|
|>| generated a req and cert for the client (don't know if it is a must)
|>
|>If all you want is encryption of the ldap traffic from php, a client
|>cert is not necessary, and most likely causing your problems.
|>
|>Also, ensure that you are connecting to the LDAP server with the
|>hostname that is on the cert ..
|>
|>Regards,
|>Buchan
|>
|>- --
|>Buchan Milne                      Senior Support Technician
|>Obsidian Systems                  http://www.obsidian.co.za
|>B.Eng                                RHCE (803004789010797)
|
|
| How can I get the hostname or maybe hostnames onto the cert? I was never
| asked for it while generating the cert with CA.pl/openssl!
|

I mean the Subject's CN should be the hostname you are trying to connect
to. Never used CA.pl before, but it is usually the only critical
parameter ...

| Now my server output looks like this:

Well, it still seems to be using a client cert, which is unnecessary.

|
| connection_get(12): got connid=0
| connection_read(12): checking for input on id=0
| TLS trace: SSL_accept:before/accept initialization
| TLS trace: SSL_accept:SSLv3 read client hello A
| TLS trace: SSL_accept:SSLv3 write server hello A
| TLS trace: SSL_accept:SSLv3 write certificate A
| TLS trace: SSL_accept:SSLv3 write server done A
| TLS trace: SSL_accept:SSLv3 flush data
| TLS trace: SSL_accept:error in SSLv3 read client certificate A
| TLS trace: SSL_accept:error in SSLv3 read client certificate A
| connection_get(12): got connid=0
| connection_read(12): checking for input on id=0
| TLS trace: SSL_accept:SSLv3 read client key exchange A
| TLS trace: SSL_accept:SSLv3 read finished A
| TLS trace: SSL_accept:SSLv3 write change cipher spec A
| TLS trace: SSL_accept:SSLv3 write finished A
| TLS trace: SSL_accept:SSLv3 flush data
| connection_read(12): unable to get TLS client DN error=49 id=0
| connection_get(12): got connid=0
| connection_read(12): checking for input on id=0
| ber_get_next
| TLS trace: SSL3 alert read:warning:close notify
| ber_get_next on fd 12 failed errno=0 (Success)
| connection_read(12): input error=-2 id=0, closing.
| connection_closing: readying conn=0 sd=12 for close
| connection_close: conn=0 sd=12
| TLS trace: SSL3 alert write:warning:close notify
|


- --
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA2tburJK6UGDSBKcRAuY4AKC7ANjE7pGUJIiOb51bVC1ywDFhawCbB1TA
jCgXm4tHvbK1FzZm4k3aQKw=
=Wqn2
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: tls key exchange
  - From: "Thomas Berg" <Thomas.Berg1@gmx.de>

References:
- Re: tls key exchange
  - From: Buchan Milne <bgmilne@obsidian.co.za>
- Re: tls key exchange
  - From: "Thomas Berg" <Thomas.Berg1@gmx.de>

Prev by Date: Re: tls key exchange
Next by Date: Re: tls key exchange
Index(es):
- Chronological
- Thread