[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL/TLS problem

To: <openldap-software@OpenLDAP.org>
Subject: Re: SSL/TLS problem
From: "BARON David" <dbaron@creamen.net>
Date: Tue, 24 May 2005 10:02:34 +0200 (CEST)
Importance: Normal
In-reply-to: <874qctv49y.fsf@velma.mini-dweeb.org>
References: <874qctv49y.fsf@velma.mini-dweeb.org>

Hello.

> TLSVerifyClient         demand
With this line you told to slapd to request a client certificate during
handshake - and client cert is mandatory ( see
http://www.openldap.org/doc/admin22/tls.html#TLS%20Configuration )

> And these lines to /etc/ldap/ldap.conf :
> TLS_CACERT      /etc/ldap/cfg/ssl/cacert.pem
> TLS_REQCERT     demand
But in you ldap.conf, you only provide CAcert and no TLS_[CERT|KEY]
directive ( man ldap.conf )

> I got these errors :
> ldap_start_tls: Connect error (-11)
>         additional info: error:14094410:SSL
>         routines:SSL3_READ_BYTES:sslv3 alert handshake failure
CQFD ;)

To check that your SSL/TLS configuration is good, try to change
TLSVerifyClient to a lower level. Try for exemple never ( the lowest one
).
After that, you should sign create and sign ( why your previous CACert ) a
new cert for your client and check that with demand it's working.

Hope this help.

    David

References:
- SSL/TLS problem
  - From: Arnaud Fontaine <arnaud@andesi.org>

Prev by Date: slapd stopped listening to network
Next by Date: Re: Problem with OpenLDAP client tools connecting to Sun Directory Server using STARTTLS
Index(es):
- Chronological
- Thread