[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap and ssl

To: openldap-software@OpenLDAP.org
Subject: Re: openldap and ssl
From: "Tony Earnshaw" <tonye@billy.demon.nl>
Date: Sun, 9 Jan 2005 14:20:50 +0100 (CET)
Importance: Low
In-reply-to: <77c28e74050108133670839fbc@mail.gmail.com>
References: <77c28e74050108133670839fbc@mail.gmail.com>
User-agent: SquirrelMail/1.5.1 [CVS]

Gustavo Rios:

> as you may know now, i am trying hard to get ssl with openldap working
> nicely. But i must be doing something must stupid cause for three days i
> cannot get it working.

The *last* entry in your log snippet tells you quite plainly where you're
going wrong (the server Subject CN has to be the same as the FQDN hostname
as found by gethostbyname() name of server or 'hostname -f' on Linux).
Please do read Kent Soper's HOWTO, referenced enough on this list.

--Tonni


> In me desperation i decide to try the same certificate i sign for
> openldap ( i am my own CA). But it does not work too.
>
> So, i respectfully request your help, if possible, in my challenge.
>
>
> Here is the complete sequence of commands i issued:
>
>
> The first one to build my own CA certificate, the later two to build
> the openldap and apache certs (there are in the same box).
>
> $ openssl req -new -x509 -keyout pvt/ca-key.pem -keyform PEM -out
> ca-crt.pem -outform PEM -days 3650
>
> $ openssl req -new -nodes -keyout key.pem -out csr.pem
> $ openssl ca -policy policy -out crt.pem -infiles csr.pem
>
>
> My openssl.conf goes attached.
>
>
> I known i must be doing something very stupid, something a experienced
> one could detected easy. So if possible, would you PLEASE help me.
>
> Thanks a lot for your time and cooperation,
>
>
> best regards.
>
> PS: Log errors:
>
>
> OpenLdap:
> ...
> ...
> tls_read: want=5, got=5
> 0000:  15 03 01 00 02                                     .....
> tls_read: want=2, got=2
> 0000:  02 33                                              .3
> TLS: can't accept.
> TLS: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt
> error /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
>
>
>
> Apache :
> [08/Jan/2005 19:15:02 26426] [info]  Connection to child 0 established
> (server etosha.fesv.br:443, client 192.168.1.254)
> [08/Jan/2005 19:15:02 26426] [info]  Seeding PRNG with 1160 bytes of
> entropy [08/Jan/2005 19:15:04 26426] [error] SSL handshake failed (server
> etosha.fesv.br:443, client 192.168.1.254) (OpenSSL library error
> follows) [08/Jan/2005 19:15:04 26426] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
> in certificate not server name or identical to CA!?]



--
mail: tonye@billy.demon.nl
http://www.billy.demon.nl

Follow-Ups:
- Re: openldap and ssl
  - From: Gustavo Rios <vieira.rios@gmail.com>

References:
- openldap and ssl
  - From: Gustavo Rios <vieira.rios@gmail.com>

Prev by Date: Re: ldap_start_tls_s deprecated: the replacement is?
Next by Date: Re: ldap_start_tls_s deprecated: the replacement is?
Index(es):
- Chronological
- Thread