
Re: TLS issues



Hey Neil,

thanks for the tip, I might try re-compiling it with the options you
mentioned. The thing is, at the moment (and for the last couple of
days), all has been working flawlessly, even on phpldapadmin (with which
I always had those issues), so I cannot reproduce the error anymore (and
therefore I wouldn't be able to tell if the recompilation-trick worked
or not...). But again, assuming the problem would be some certificate
field, this wouldn't change over time, so it still wouldn't explain why
it worked sometimes while others not... I'm starting to believe it was
just a random error, but again, I'm still afraid it will spontaneously
show up some time in the future and give me a lot of headaches...

Anyway, as I mentioned, now it all seems to be working fine, but I still
get this error when clients (successfully) connect:

slapd[13887]: connection_read(14): unable to get TLS client DN, error=49 id=14

It seems to be an issue related to the client certificate, but I am
specifically saying on slapd.conf "TLSVerifyClient never", so I am out
of ideas as to how to fix this error...

Cheers,

On 08-04-2010 19:20, Neil Dunbar wrote:
> 
> On 8 Apr 2010, at 03:57, Daniel Gomes wrote:
> 
> > First of all, the specs: it's an OpenLDAP 2.4.19 compiled (manually,
> > not via apt-get) on an Ubuntu 8.04 (Hardy)
> 
> 
> Hmm. Ubuntu and Debian OpenLDAP packages use GNUTLS by default, and
> I've certainly had problems with cert name recognition - especially
> with subjectAltNames in certificates before. Hit it with the LDAP URI
> set to the name in the subjectName, and it works. Hit it with the
> subjectAltName DNS names, and it tends to barf.
> 
> 
> I recompile the OpenLDAP debs from package source (better still - use
> the 2.4.21 package from Lucid), and change debian/configure.options
> from "--with-ssl=gnutls" to "--with-ssl=openssl"; also change the
> debian/control file dependencies from "libgnutls-dev (>= {version})"
> to "libssl-dev". Follow that with a dpkg-buildpackage -rfakeroot, and
> you should end up with OpenSSL linked packages.
> 
> 
> Note: I'm not trying to get into yet another Debian/GNUTLS/OpenSSL
> licensing debate here, just saying what works for me.
> 
> 
> Cheers,
> 
> 
> Neil
> 
> NEIL DUNBAR
> Systems Architect
> 
> 
> (602) 850-5783 work
> +44 7976 616583 mobile
> +1 (602) 535-6914 US mobile
> www.llnw.com
> 

-- 
Daniel Gomes, 55350