Re: LDAP and SSL
On Sun, 28 Nov 2004 20:33:38 -0500 (EST), Steve Revilak
<srevilak@speakeasy.net> wrote:
> This seems to indicate that `newcert.pem' does not contain an rsa key.
> pem's are just text files. An rsa key will look like this:
>
> -----BEGIN RSA PRIVATE KEY-----
> [base64 encoded representation of rsa key]
> -----END RSA PRIVATE KEY-----
>
> While not specific to openldap software, the mod_ssl folks have a nice
> set of how-to's for working with ssl certificates:
>
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24
I was under the impression that OpenLDAP didn't support encrypted keys?
Is this not the proper procedure:
CA.sh -newca
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
CA.sh -sign
CA.sh -verify
etc ... etc
(Like it's documented on the OpenLDAP SSL FAQ?)
So far I am at this point (testing with Mozilla and my cacert.der installed.)
s_server -accept 390 -cert /etc/ldap/servercrt.pem -key /etc/ldap/serverkey.pem -CAfile /etc/ldap/cacert.pem -www
Ciphers supported in s_server binary
TLSv1/SSLv3:DHE-RSA-AES256-SHA TLSv1/SSLv3:DHE-DSS-AES256-SHA
TLSv1/SSLv3:AES256-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC3-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC3-SHA TLSv1/SSLv3:DES-CBC3-SHA
SSLv2 :DES-CBC3-MD5 TLSv1/SSLv3:DHE-RSA-AES128-SHA
TLSv1/SSLv3:DHE-DSS-AES128-SHA TLSv1/SSLv3:AES128-SHA
SSLv2 :RC2-CBC-MD5 TLSv1/SSLv3:DHE-DSS-RC4-SHA
TLSv1/SSLv3:RC4-SHA TLSv1/SSLv3:RC4-MD5
SSLv2 :RC4-MD5 SSLv2 :RC4-64-MD5
TLSv1/SSLv3:EXP1024-DHE-DSS-DES-CBC-SHA TLSv1/SSLv3:EXP1024-DES-CBC-SHA
TLSv1/SSLv3:EXP1024-RC2-CBC-MD5 TLSv1/SSLv3:EDH-RSA-DES-CBC-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC-SHA TLSv1/SSLv3:DES-CBC-SHA
SSLv2 :DES-CBC-MD5 TLSv1/SSLv3:EXP1024-DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP1024-RC4-SHA TLSv1/SSLv3:EXP1024-RC4-MD5
TLSv1/SSLv3:EXP-EDH-RSA-DES-CBC-SHA TLSv1/SSLv3:EXP-EDH-DSS-DES-CBC-SHA
TLSv1/SSLv3:EXP-DES-CBC-SHA TLSv1/SSLv3:EXP-RC2-CBC-MD5
SSLv2 :EXP-RC2-CBC-MD5 TLSv1/SSLv3:EXP-RC4-MD5
SSLv2 :EXP-RC4-MD5
---
Ciphers common between both SSL end points:
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA
DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA RC4-MD5
RC4-SHA AES128-SHA EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP1024-RC4-SHA
EXP1024-DES-CBC-SHA EXP-RC4-MD5 EXP-RC2-CBC-MD5
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: E90A6F64F4F58CF4A61B87FCF20640AE2CCBBD746567C48FCCF089122D1D7938
Session-ID-ctx: 00000001
Master-Key:
15E8E6C37D8ED68693BAEAC64680828EC0AB2E530CF56309E2B9352F42C798D9A6ABBD8ABF978ABA1601E634054D7DBA
Key-Arg : None
Start Time: 1101747594
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
3 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
5 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
4 server accepts that finished
1 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
---
no client certificate available
No errors reported on the server side.
Does that mean I am even on the right track?
I would be more than happy to try anything those with more experience
in this matter would direct me in testing.
--
WC -Sx- Jones
http://insecurity.org/
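The CA.sh steps from the post, replayed with plain openssl commands as an added example (not from this thread or the OpenLDAP project), followed by checks of what each resulting PEM file actually holds; the subject names, file names and temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): replay the CA.sh flow with plain
# openssl commands, then check what each PEM file actually holds, so the
# file handed to slapd as TLSCertificateKeyFile really contains an
# unencrypted private key. Subject names and paths are constructed here.
set -e

# List the PEM block types in a file (e.g. "CERTIFICATE", "PRIVATE KEY").
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u | xargs
}

# "yes" if the file holds a private key that loads with no passphrase,
# i.e. the only kind slapd can use; an encrypted key fails the empty pass.
has_plain_key() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null && echo yes || echo no
}

# "yes" if the private key in $1 belongs to the certificate in $2
# (compared through their public keys).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ] && echo yes || echo no
}

WORK=$(mktemp -d)
cd "$WORK"

# 1. CA.sh -newca equivalent: self-signed CA, key left unencrypted (-nodes).
openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=Demo CA" -keyout cakey.pem -out cacert.pem 2>/dev/null

# 2. The request exactly as in the post: -keyout and -out name the same
#    file, so newreq.pem ends up holding both the key and the CSR.
openssl req -new -nodes -newkey rsa:2048 -subj "/CN=ldap.example.test" \
    -keyout newreq.pem -out newreq.pem 2>/dev/null

# 3. CA.sh -sign equivalent: newcert.pem receives the certificate only.
openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -days 365 -out newcert.pem 2>/dev/null

for f in cacert.pem newreq.pem newcert.pem; do
    printf '%-12s blocks: %s\n' "$f" "$(pem_blocks "$f")"
done
echo "newcert.pem has usable key: $(has_plain_key newcert.pem)"   # no
echo "newreq.pem  has usable key: $(has_plain_key newreq.pem)"    # yes
echo "newreq.pem key matches newcert.pem: $(key_matches_cert newreq.pem newcert.pem)"
# So slapd wants TLSCertificateFile newcert.pem and TLSCertificateKeyFile
# pointing at the file that holds the key (newreq.pem, or the key pulled
# out of it with: openssl pkey -in newreq.pem -out serverkey.pem).
```

The same three checks are worth running against the /etc/ldap files before starting slapd: a key file that fails has_plain_key is either encrypted or, as in the quoted reply, not a key file at all.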