
RE: Problem verifying self signed certificate

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] 
> Sent: Sunday, September 04, 2005 7:51 PM
> To: Peter Marschall
> Cc: James Wilde; openldap-software@OpenLDAP.org
> Subject: Re: Problem verifying self signed certificate
> 
> 
> 
> 
> Of course, it is generally recommended that server certificates
> should be signed by a separate CA certificate.

The server certificate is separate from the CA certificate.  The only
problem appears to be that the CA certificate is self-signed, which, as
you say, shouldn't be a problem for openldap.
> 
> Excepting the actual configuration directives
> (see ldap.conf(5)), none of this is actually specific
> to OpenLDAP (as evident from the following):
> 
> % openssl s_client -host ldap.openldap.org -port 636 > ! openldap.cert
> ...
> verify error:num=18:self signed certificate
> verify return:1
> ...
> [CTRL-D]
> % openssl s_client -host ldap.openldap.org -port 636 -CAfile openldap.cert
> ...
>    Verify return code: 0 (ok)
> [CTRL-D]

But:

[root@log1 certs]# openssl s_client -connect localhost:4433 -showcerts -state -CAfile /usr/share/ssl/certs/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet Certificate Authority/emailAddress=inoc@glocalnet.com
verify return:1
depth=0 /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=log1.glocalnet.net/emailAddress=inoc@glocalnet.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data

...

---
Server certificate
subject=/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=log1.glocalnet.net/emailAddress=inoc@glocalnet.com
issuer=/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet Certificate Authority/emailAddress=inoc@glocalnet.com
---
No client certificate CA names sent

...

...indicates that openssl is working okay and that there is no problem
with either the CA certificate or the server certificate.

That leaves incorrect configuration of openldap (server and/or client)
on log1 - admittedly the bet that the heavy money is on - or incorrect
handling of TLS by openldap.  So this is specific to OpenLDAP.

//James
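The s_client check that Kurt quotes and James repeats above, reproduced offline as an added example (this is not code from the thread or from OpenLDAP): it generates a constructed self-signed CA and a server certificate issued by it, then runs openssl verify with and without -CAfile, assuming only a POSIX shell and an openssl command (OpenSSL 1.1.1 or later, or LibreSSL).

```shell
#!/bin/sh
# Added example (not from the thread or OpenLDAP): build a throwaway PKI,
# a self-signed CA plus a server cert it issues, then run "openssl verify"
# with and without -CAfile, the same check s_client performs on connect.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own req config, so the result does not depend on the system openssl.cnf.
# All names (Example Test CA, log1.example.test) are constructed.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:log1.example.test
EOF

# Self-signed CA, then a server certificate signed by that CA.
make_pki() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 1 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=log1.example.test" \
    -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/req.cnf" -extensions server_ext \
    -out "$WORK/server.pem" 2>/dev/null
}

# verify_error [openssl verify options] CERT
# Prints the X509 verify error number (18 = self signed certificate,
# 20 = unable to get local issuer certificate) or nothing if the chain is OK.
verify_error() {
  openssl verify "$@" 2>&1 | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

make_pki
e=$(verify_error "$WORK/ca.pem");     echo "CA cert, system trust only:      error ${e:-none}"
e=$(verify_error "$WORK/server.pem"); echo "server cert, system trust only:  error ${e:-none}"
e=$(verify_error -CAfile "$WORK/ca.pem" "$WORK/server.pem")
echo "server cert with -CAfile ca.pem: error ${e:-none}"
```

The self-signed CA is not itself the error: it fails only against a trust store that does not contain it and passes once -CAfile names it, which is what the ldap.conf(5) directives Kurt refers to have to supply on the client side.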