
Re: problem with ldapsearch/TLS ( or Fedora Core 2?? )

I already had this in /etc/openldap/ldap.conf
...
...
tls_cacert /etc/openldap/cacert/ca.crt
tls_cacertdir /etc/openldap/cacert
tls_cert /etc/openldap/certs/myhost.crt
tls_key /etc/openldap/certs/myhost.key
..

ldapsearch -d -1 got this:
....
...
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=146, written=146
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (91)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure


Barrow



Jeff Warnica <jeffw@chebucto.ns.ca>
Sent by: owner-openldap-software@OpenLDAP.org
10/22/2004 07:50 PM
To: Barrow H Kwan <bhkwan@thoughtworks.com>
cc: OpenLdap Software List <openldap-software@OpenLDAP.org>
Subject: Re: problem with ldapsearch/TLS ( or Fedora Core 2?? )

On Thu, 2004-21-10 at 19:16 -0700, Barrow H Kwan wrote:
>
> [root@myhost root]# ldapsearch -H ldap://myhost.domain.com -D uid=user1,ou=People,dc=Corporate,dc=Domain,dc=COM -x -W -ZZ
> ldap_start_tls: Connect error (91)
>        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
<snip>
> Is it a problem with ldapsearch?


Unlikely. Does ldapsearch know about your CA certs? Note
that /etc/ldap.conf is for pam/nss _only_; everything else uses,
i.e., /etc/openldap/ldap.conf ... at least with all the RH/Fedora RPMs.

If that doesn't work, run ldapsearch with "-d -1" and see if that gives
any hits.


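An added example, not part of this thread: a small Python decoder for the two kinds of error that appear in the traces above. It reassembles the hex dump from the `tls_read` lines into TLS records and names the alert (here a fatal handshake_failure read from the server after the client sent its certificate and Finished), and it splits the packed OpenSSL codes `error:14094410` and `error:14090086` into library, function and reason, which distinguishes a local certificate verification failure (the first error) from an alert received from the peer (the second). The sample trace is constructed to match the quoted output, and the code layout assumed is the pre-3.0 OpenSSL packing (lib:func:reason).

```python
import re
# TLS alert names (RFC 2246 values): the ones a client-certificate handshake commonly produces.
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake"}
HEXDUMP_LINE = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}\s+)+)", re.I)

# Constructed sample: the tail of an `ldapsearch -d -1` trace in the format quoted in the thread.
SAMPLE_TRACE = """\
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
"""
def trace_bytes(trace):
    """Concatenate the hex bytes of every dump line; a record split across tls_read calls rejoins."""
    out = bytearray()
    for line in trace.splitlines():
        m = HEXDUMP_LINE.match(line)
        if m:
            out.extend(int(h, 16) for h in m.group(1).split())
    return bytes(out)

def tls_records(data):
    """Walk TLS records: 1-byte content type, 2-byte version, 2-byte length, then the body."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, major, minor = data[pos], data[pos + 1], data[pos + 2]
        length = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            break  # truncated dump: stop rather than misparse what follows
        yield CONTENT_TYPES.get(ctype, hex(ctype)), f"{major}.{minor}", body
        pos += 5 + length

def alerts_in_trace(trace):
    """Decode every alert record in the trace as (record version, level, description)."""
    return [(ver, ALERT_LEVELS.get(body[0], str(body[0])), ALERT_DESCRIPTIONS.get(body[1], str(body[1])))
            for ctype, ver, body in tls_records(trace_bytes(trace)) if ctype == "alert" and len(body) == 2]

def decode_openssl_error(code):
    """Split a pre-3.0 OpenSSL packed error code into (library, function, reason, peer alert name).
    Reasons of 1000 + n are alerts received from the peer; smaller reasons are local failures."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    peer_alert = ALERT_DESCRIPTIONS.get(reason - 1000) if reason >= 1000 else None
    return lib, func, reason, peer_alert
```

Record version 3.1 is TLS 1.0, which is what the "SSLv3" labels in the OpenSSL trace actually negotiated here; library 20 is ERR_LIB_SSL.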