[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Getting SSL/TSL to work

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello

Je Sabato Marto 12 2005 14:25, vi skribis:
> Pupeno writes:
> > Now I'm trying to use that certificate for LDAP, I configured it this
> > way:
> >
> > TLSCipherSuite HIGH:MEDIUM
> > TLSCertificateFile /etc/certificates/server.crt
> > TLSCertificateKeyFile /etc/certificates/server.key
>
> The server may also needs the certificates of recognized Certificate
> Authorities; at least the CA certificate which signed the server
> certificate.  I.e.
>        TLSCACertificateFile <filename>
>        TLSCACertificatePath <path> in slapd.conf.  See 'man slapd.conf'
> or the OpenLDAP Admin Guide;
> <http://www.openldap.org/doc/admin22/tls.html>.  Possibly that is not
> true for very old versions; I don't see it in the man page for RedHat's
> ancient OpenLDAP 2.0.27.
Well, I think here might be the *real* problem, but I'm not sure how to solve 
it. I'm not getting anyone to issue a certificate for my server (I can't pay 
it, it's not important yet), so, I'm making self-signed certificates.
I start by making a DSA key[1]:

# openssl dsaparam -out dsaparameters.pem 2048
Generating DSA parameters, 2048 bit long prime
This could take some time
.+++++++++++++++++++++++++++++++++++++++++++++++++++*
..................................+....................+..+....+...
+..............+.+..........+.................+...........+.+..+.+...........
+........................................+.....
+++++++++++++++++++++++++++++++++++++++++++++++++++*

# openssl gendsa -out privatekey.pem dsaparameters.pem
Generating DSA key, 2048 bits

# ls
dsaparameters.pem  privatekey.pem

Then I issue the self-signed certificate for that key:

# openssl req -new -x509 -key privatekey.pem -out cacertificate.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
- -----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:master.pupeno.com
Email Address []:pupeno@pupeno.com

# ls
cacertificate.pem  dsaparameters.pem  privatekey.pem

I believe I might be doing something wrong when generating the certificate, I 
was told that the DN must match my server's, but I'm not sure how to achieve 
that.

And then I configure slapd.conf like this:
TLSCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:
+eNULL
TLSCertificateFile /etc/certificates/cacertificate.pem
TLSCACertificateFile /etc/certificates/cacertificate.pem
TLSCertificateKeyFile /etc/certificates/privatekey.pem

There's something that I'm not sure, TLSCertificateFile and 
TLSCACertificateFile are the same file ? if not, I'm missing the creation of 
a certificate, how do I do that ?

And when I start slapd, I get the following messages in the logs:

Mar 12 12:50:23 master slapd[28766]: sql_select option missing
Mar 12 12:50:23 master slapd[28766]: auxpropfunc error no mechanism available
Mar 12 12:50:23 master slapd[28766]: _sasl_plugin_load failed on 
sasl_auxprop_plug_init for plugin: sql
Mar 12 12:50:23 master slapd[28766]: bdb_initialize: Sleepycat Software: 
Berkeley DB 4.1.25: (December 19, 2002)
Mar 12 12:50:23 master slapd[28766]: bdb_db_init: Initializing BDB database
Mar 12 12:50:23 master slapd[28766]: main: TLS init def ctx failed: -1
Mar 12 12:50:23 master slapd[28766]: slapd stopped.
Mar 12 12:50:23 master slapd[28766]: connections_destroy: nothing to destroy.

Any help is appretiated.

> Similarly, put TLS_CACERT or TLS_CACERTDIR in 
> ldap.conf so the clients can verify the server certificate, though that
> does not affect slapd startup.
I'll do that latter, when I get the server to start. Why does the clients need 
the certificates?, Konqueror doesn't need any certificate to access a web on 
the https protocol.

> If that's not it, check that the user which slapd runs as (e.g. if you
> use slapd -u <user>) has read access to the certificate and key files.
For this testings, they are currently readable by all. When I start doing some 
security, I'll take a look at this.

> > Mar 10 16:56:13 master slapd[6814]: daemon: socket() failed errno=97
> > (Address family not supported by protocol)
> > Mar 10 16:56:13 master slapd[6814]: daemon: socket() failed errno=97
> > (Address family not supported by protocol)
>
> These probably come from attempts to open 'ldap:///' and 'ldaps:///'
> URLs with both IPv4 and IPv6, while only IPv4 is enabled on your host.
> If so they are harmless, but you can can suppress them by only
> attempting to use IPv4, with the slapd -4 option.  (Or I suppose it
> could be the other way around, with only IPv6 and not IPv4 is enabled:-)
This is just trying to bind an ipv6 address, since the server never starts, no 
connection can be made, anyway, now I have ipv6 support (and I don't care 
much about this 'warning', the server starts anyway).

Thank you!
- -- 
Pupeno: pupeno@pupeno.com - http://pupeno.com
Reading Science Fiction ? http://sfreaders.com.ar

[1] Sorry for the long posts, but since I'm kinda new and lost on all this 
SSL, key, certificates and so on, I'd like to see if you can spot something 
that's not working all right.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCMywafW48a9PWGkURArSNAJ9aYfW0fI43Khb/mPQHZukRM9BjygCcC2Sa
I9dpsUZ2tGkeqzDVo/W2/2g=
=fwGt
-----END PGP SIGNATURE-----