
Re: fedora and openldap



Hello Rich,

On 04/12/2011 10:24 PM, Rich Megginson wrote:
On 04/12/2011 02:18 PM, Judith Flo Gaya wrote:
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.19.5.13:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS certificate verification: subject: -unknown-, issuer: -unknown-,
cipher: -unknown-, security level: off, secret key bits: 0, total key
bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown
code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It seems that it doesn't like the certificate.

-8182 is SEC_ERROR_BAD_SIGNATURE.  During the TLS/SSL handshake, the
client tries to see if the server's cert is correctly signed by the CA
cert (the local ca-cert.pem).

Now I have the same error, but using the moznss certs; the certificate was copied from the server and the cert command confirms the status of the certificate (so it's not bad...).

# ldapsearch -x -d1
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ip:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: using moznss security dir /etc/openldap/cacerts.
TLS certificate verification: subject: -unknown-, issuer: -unknown-, cipher: -unknown-, security level: off, secret key bits: 0, total key bits: 0, cache hits: 0, cache misses: 0, cache not reusable: 0
TLS certificate verification: bad
TLS certificate verification: Error, -8182: Unknown code ___f 10
TLS: error: connect - force handshake failure -1 - error -8182:Unknown code ___f 10
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@curri2 ~]# certutil -d /etc/openldap/cacerts/ -L "name cert"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

name cert                                                    CTu,u,u

# certutil -V -u V -d /etc/openldap/cacerts/ -n "name cert"
certutil: certificate is valid

The server just complains about the TLS communication:
 (TLS negotiation failure)

Do you think it is necessary to recompile the server so that the TLS is done by moznss on both sides...

Thanks for your help,
j
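Added example, not part of the thread above: Rich's explanation of -8182 says the client is checking that the server's cert is signed by the CA in the local ca-cert.pem, and Judith's `certutil -V` only shows that the cert itself is valid in the NSS database, not that it chains to the CA file the client is actually using. The script below reproduces that one check outside of ldapsearch with openssl: it builds a throwaway CA, issues a server cert from it, and then verifies the server cert once against the issuing CA and once against a different CA with the same role (the "wrong ca-cert.pem" case). The CA names, the hostname ldap.example.test and all keys are constructed for the example and are not from the original post.

```shell
#!/bin/sh
# Added example (not code from the thread): reproduce the handshake-time
# check "is the server cert signed by the CA in ca-cert.pem?" with openssl.
# Everything here (CA names, hostname, keys) is constructed for the demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA cert $WORK/NAME-ca.pem, key $WORK/NAME-ca.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1 CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
}

# make_server_cert CA_NAME: issue $WORK/server-CA_NAME.pem for the
# (hypothetical) host ldap.example.test, signed by that CA's key
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ldap.example.test" \
        -keyout "$WORK/server-$1.key" -out "$WORK/server-$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server-$1.csr" -days 30 -sha256 \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/server-$1.pem" >/dev/null 2>&1
}

# verify_against CA_NAME CERT_FILE: the question the LDAP client asks during
# the handshake, answered by openssl. Prints "ok" or "bad".
verify_against() {
    if openssl verify -CAfile "$WORK/$1-ca.pem" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# verify_reason CA_NAME CERT_FILE: first "error ..." line openssl gives when
# the chain check fails (empty when it succeeds)
verify_reason() {
    openssl verify -CAfile "$WORK/$1-ca.pem" "$2" 2>&1 | grep '^error' | head -n 1
}

make_ca good              # the CA that really issued the server cert
make_ca stale             # a different CA, e.g. a ca-cert.pem copied from elsewhere
make_server_cert good

echo "server cert vs issuing CA: $(verify_against good "$WORK/server-good.pem")"
echo "server cert vs wrong CA:   $(verify_against stale "$WORK/server-good.pem")"
verify_reason stale "$WORK/server-good.pem"
```

To apply this to the real setup, run `openssl verify -CAfile /path/to/ca-cert.pem server-cert.pem` on the client with the exact CA file the client's ldap.conf points at (or, on the moznss side, `certutil -V -u V` against the database in TLS_CACERTDIR); a pass from the server's own copy of the CA proves nothing if the client is loading a different file.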