[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS CA Chain Problem

To: openldap-technical@openldap.org
Subject: TLS CA Chain Problem
From: Iruwen <iruwen@gmx.net>
Date: Mon, 12 Oct 2009 15:02:22 +0200
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Hello,

I just got an SSL certificate issued by Comodo which doesn't work asexpected with slapd.Which means I get an untrusted certificate warning in Thunderbird.Probably I just missed something.


For Apache2 for example, I just configured

SSLCACertificateFile mycert.ca-bundle
SSLCertificateFile mycert.crt
SSLCertificateKeyFile mycert.key

and I don't get any warnings in Firefox. Also if I test the connectionusing openssl s_client it looks fine:


office:~# openssl s_client -connect localhost:443
CONNECTED(00000003)

depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Root

verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de

i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CALimited/CN=PositiveSSL CA1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CALimited/CN=PositiveSSL CAi:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUSTNetwork/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUSTNetwork/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardwarei:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Root3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Rooti:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrustExternal CA Root


To achieve the same with OpenLDAP, I tried:

TLSCACertificateFile mycert.ca-bundle
TLSCertificateFile mycert.crt
TLSCertificateKeyFile mycert.key

But the result is different, Thunderbird doesn't trust the certificateand throws a corresponding warning and the output of openssl s_clientlooks like this:


office:~# openssl s_client -connect localhost:636
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de

i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CALimited/CN=PositiveSSL CA

Seems like the ca-bundle wouldn't be used at all, does slapd expect adifferent format or something?


Maybe someone could shed some light on this for me, thanks a lot in advance.

Regards,
Iruwen

Follow-Ups:
- Re: TLS CA Chain Problem
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: OpenLDAP Scaling
Next by Date: Map attributes to access LDAP addressbook with thunderbird too
Index(es):
- Chronological
- Thread