
Next stumbling block: TLS

Hi all!

The next step is to provide security between client and server.
I have done the openssl preparations according to this tutorial: 
http://linsec.ca/bin/view/Main/OpenLDAPAuth#Using_SSL_TLS_with_OpenLDAP

I made the keys, certified them and finally the command:
ldap# openssl x509 -in /etc/ssl/openldap/ldap.cert -text -noout
gives me a reasonable output.
Thus I assume that the openssl-preconditions are ok.

I went on with adding these three lines to the slapd.conf:

TLSCertificateFile /etc/ssl/openldap/ldap.cert
TLSCertificateKeyFile /etc/ssl/openldap/ldap.key
TLSCACertificateFile /etc/ssl/openldap/ca.cert

I set the rights to 0400 and ldap:ldap.
I also put this line in the ldap.conf:
ssl start_tls

Promptly something went wrong as you can see:

Client:
ldap# ldapsearch -v -n -Z -b 'dc=testldap,dc=org'
ldap_initialize( <DEFAULT> )
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Server:
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca /usr/src/crypto/openssl/ssl/s3_pkt.c:1052
connection_read(12): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12

The command ldapsearch -x -b 'dc=testldap,dc=org' works, even from a remote (a real client ;)) machine.

I apologize if this is too off topic. Still, I hope somebody can push me in the right direction.

Thanks to the list which helped a lot so far!

Cheers,

Oliver.
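The two traces in the post point at the client side rather than at slapd: the server logs the alert as "SSL3 alert read", meaning slapd received the "unknown CA" alert from the peer, and the client itself reports "certificate verify failed", so it is the ldapsearch client that does not trust the issuer of the server certificate. What follows is an added example, not part of the post and not OpenLDAP's own code, that encodes that reading of the log and checks an OpenLDAP client ldap.conf for the directives that usually cause it. The first trace is taken from the post; the second trace and the ldap.conf contents are constructed for the example; TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT are real OpenLDAP client directives, and "ssl start_tls" is a pam_ldap/nss_ldap directive that the OpenLDAP client tools do not read.

```python
import re

# Sample input: the slapd TLS trace lines quoted in the post above (abridged).
SERVER_TRACE_FROM_POST = """\
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
"""

# Constructed sample (not from the post): the opposite case, where slapd itself
# sends the alert because it does not trust a client certificate it was shown.
SERVER_TRACE_SERVER_REJECTS = """\
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't accept.
"""

# Constructed sample client configuration resembling what the post describes:
# the pam_ldap/nss_ldap style "ssl start_tls" line, but no TLS_CACERT.
CLIENT_CONF_FROM_POST = """\
BASE dc=testldap,dc=org
ssl start_tls
"""

ALERT_RE = re.compile(r"SSL3 alert (read|write):(\w+):(.+)$")


def diagnose_server_trace(trace: str) -> dict:
    """Locate the TLS alert in an slapd trace and say which side sent it.

    'alert read' means slapd received the alert from the peer, so the client
    rejected the handshake; 'alert write' means slapd sent it, so the server
    rejected something the client presented.
    """
    for line in trace.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        direction, level, description = m.groups()
        if direction == "read":
            return {
                "alert": description.strip(),
                "level": level,
                "rejected_by": "client",
                "hint": "the ldap client did not accept the server certificate; "
                        "check TLS_CACERT in the client's ldap.conf",
            }
        return {
            "alert": description.strip(),
            "level": level,
            "rejected_by": "server",
            "hint": "slapd did not accept the client certificate; "
                    "check TLSCACertificateFile / TLSVerifyClient in slapd.conf",
        }
    return {"alert": None, "level": None, "rejected_by": None,
            "hint": "no TLS alert found in trace"}


def check_client_ldap_conf(text: str) -> list:
    """Return findings about the client-side TLS settings in an OpenLDAP ldap.conf."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()                # ldap.conf directives are case-insensitive
        directives[key] = parts[1].strip() if len(parts) > 1 else ""

    findings = []
    if "TLS_CACERT" not in directives and "TLS_CACERTDIR" not in directives:
        findings.append("missing TLS_CACERT: the client has no CA to verify "
                        "the server certificate against")
    reqcert = directives.get("TLS_REQCERT", "").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate verification is "
                        "disabled or downgraded" % reqcert)
    if "SSL" in directives:
        findings.append("'ssl %s' is a pam_ldap/nss_ldap directive; the OpenLDAP "
                        "client tools do not use it" % directives["SSL"])
    return findings


if __name__ == "__main__":
    print(diagnose_server_trace(SERVER_TRACE_FROM_POST))
    print(diagnose_server_trace(SERVER_TRACE_SERVER_REJECTS))
    for finding in check_client_ldap_conf(CLIENT_CONF_FROM_POST):
        print("-", finding)
```

Run against the trace from the post, diagnose_server_trace reports rejected_by "client" with alert "unknown CA"; run against the constructed ldap.conf, check_client_ldap_conf flags the missing TLS_CACERT and the unused "ssl start_tls" line. Setting TLS_REQCERT to never would make the handshake succeed, but the checker flags that too, because it silences the error by turning off the verification that was supposed to protect the connection.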