
RE: TLS errors on valid certs (ITS#1934)



Setting TLSCACertificateFile in slapd.conf only configures the slapd server.
You also need to configure the LDAP clients, using TLS_CACERT in ldap.conf.

This is not a bug; this issue will be closed.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org [mailto:owner-openldap-bugs@OpenLDAP.org] On Behalf Of quanah@stanford.edu
> Sent: Wednesday, July 10, 2002 5:16 PM
> To: openldap-its@OpenLDAP.org
> Subject: TLS errors on valid certs (ITS#1934)
>
>
> Full_Name: Quanah Gibson-Mount
> Version: HEAD
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.13.58)
>
>
> Hello,
>
> I am running openldap from HEAD pulled June 26th.  I have a valid cert from
> Verisign installed for the ldap server.  However, when I try to make an SSL
> connection, it complains that the cert is a self-signed cert.  In slapd.conf,
> I point TLSCACertificateFile to /usr/local/openssl/certs/vsignss.pem.  I get
> the following error:
>
> ldap4:~> ldapsearch -d 65535 -H ldaps://ldap4.Stanford.EDU/ -x -b "" -s base -LLL supportedSASLMechanisms
> ldap_create
> ldap_url_parse_ext(ldaps://ldap4.Stanford.EDU/)
> ldap_bind_s
> ldap_simple_bind_s
> ldap_sasl_bind_s
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap4.Stanford.EDU:636
> ldap_new_socket: 4
> ldap_prepare_socket: 4
> ldap_connect_to_host: Trying 171.64.14.183:636
> ldap_connect_timeout: fd: 4 tm: -1 async: 0
> ldap_ndelay_on: 4
> ldap_ndelay_off: 4
> ldap_int_sasl_open: host=ldap4.Stanford.EDU
> TLS trace: SSL_connect:before/connect initialization
> tls_write: want=130, written=130
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> tls_read: want=7, got=7
>   0000:  16 03 01 00 4a 02 00                               ....J..
> tls_read: want=72, got=72
> TLS trace: SSL_connect:SSLv3 read server hello A
> tls_read: want=5, got=5
>   0000:  16 03 01 04 a1                                     .....
> tls_read: want=1185, got=1185
> TLS certificate verification: depth: 1, err: 19, subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority, issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> TLS certificate verification: Error, self signed certificate in certificate chain
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_bind: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
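As an added example (not code from the OpenLDAP project or from anyone in this thread), a small Python diagnoser that reads the `TLS certificate verification:` lines of an `ldapsearch -d` trace like the one quoted above and distinguishes a client-side trust-store gap (the case here: fix with TLS_CACERT in ldap.conf) from other verify failures. The line format follows libldap's verify callback as seen in the trace; the OpenSSL verify codes 18/19/20 are assumed from x509_vfy.h, and `OK_LOG` is a constructed trace of a successful run.

```python
import re

# Per-depth line from libldap's verify callback (format as in the trace above); OpenSSL verify codes 18/19/20 assumed from x509_vfy.h.
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.*?), issuer: (?P<issuer>.*)$"
)

# Verification lines copied from the ldapsearch -d trace above (rejoined onto one line each).
FAILING_LOG = """\
TLS certificate verification: depth: 1, err: 19, subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority, issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
TLS certificate verification: Error, self signed certificate in certificate chain
"""

# Constructed trace of the same chain once the client's TLS_CACERT holds the CA.
OK_LOG = """\
TLS certificate verification: depth: 1, err: 0, subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority, issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=California/L=Stanford/O=Stanford University/OU=ITSS/CN=ldap4.Stanford.EDU, issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
"""

def parse_verify_lines(log):
    """One dict per 'depth: N, err: N' line, in the order OpenSSL walked the chain."""
    hits = []
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            hits.append({"depth": int(m["depth"]), "err": int(m["err"]),
                         "subject": m["subject"].strip(), "issuer": m["issuer"].strip()})
    return hits

def diagnose(log):
    """Return (tag, advice) for the first non-zero err in the trace, or 'ok'."""
    entries = parse_verify_lines(log)
    for e in entries:
        if e["err"] == 0:
            continue
        if e["err"] in (18, 19) and e["subject"] == e["issuer"]:
            # A self-signed cert means OpenSSL reached the top of the chain without
            # finding that root in the client's own trust store (err 19 above).
            return ("missing-client-ca",
                    f"root '{e['subject']}' (depth {e['depth']}) is not trusted by the client: "
                    "set TLS_CACERT in ldap.conf, not only TLSCACertificateFile in slapd.conf")
        if e["err"] == 20:
            return ("missing-client-ca", f"issuer '{e['issuer']}' of the depth-{e['depth']} "
                    "cert is not in the client's trust store: add it to the TLS_CACERT file")
        return "other", f"X509 verify error {e['err']} at depth {e['depth']}"
    if entries:
        return "ok", "every depth verified with err: 0; no client-side change needed"
    return "no-verify-lines", "trace has no verification callback output"
```

Run `ldapsearch -d 65535 ...` again after adding TLS_CACERT to the client's ldap.conf; the verify lines should then look like `OK_LOG` and `diagnose` reports `ok`.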