
Re: openldap-2.0/TLS certificate error



i know you're all focusing on the next 2.0 release, so my apologies for
belaboring the issues i'm having with TLS queries.  question: should I be
able to do an ldapsearch -Z query, or has this not been implemented yet in
the current state of the 2.0 development?  i've taken Mark's advice and gone
through and created a self-signed CA certificate that i've used to sign a
certificate request but to no avail.

here are the steps that i'm using to create the certificates (which come
from the appendix of an article on SSL: http://www.certco.com/b2b/ssl.htm).

1) create a self-signed CA certificate:

openssl req -new -x509 -keyout /usr/local/ssl/private/CAkey.pem -out
/usr/local/ssl/private/CAcert.pem

2) create a certificate request:

openssl req -new -keyout newkey.pem -out newreq.pem -days 360

3) sign certificate request

cat newreq.pem newkey.pem > new.pem
openssl ca -policy policy_anything -out newcert.pem -infiles new.pem

4) remove passphrase from key:

openssl rsa -in newkey.pem -out newcertkey.pem

5) update TLS options in slapd.conf:

TLSCertificateFile      /usr/local/ssl/certs/newcert.pem
TLSCertificateKeyFile   /usr/local/ssl/certs/newcertkey.pem
TLSCACertificateFile    /usr/local/ssl/private/CAcert.pem

6) startup slapd

/usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d 9

7) execute ldapsearch with -Z option:

ldapsearch -b o=mp3.com,c=us -Z uid=scottk

slapd_errors: 

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:956
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close

ldapsearch_errors:

ldap_bind: Local error additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

thanx again for your assistance.

On Tue, Jun 13, 2000 at 03:46:51PM -0400, Mark Valence wrote:
> 
> I'm a bit shaky on the client side, maybe someone else has a more 
> definitive answer.
> 
> >How about on the client side? That is, how does
> >a client present certificate to slapd when requested?
> 
> You need to set TLS_KEY in your ldap.conf file to the path to your 
> private key file, and TLS_CERT as well.  In any case, this option is 
> not fully implemented, since the server does not use the identity 
> from the certificate.
> 
> >and, how does a client verify server certificate
> >when presented?
> 
> That's not implemented yet.  When it is, you'll need to have 
> TLS_CACERT and TLS_CERT entries in ldap.conf.
> 
> Mark.

-- 
Scott Kelley		      MP3.com, the Premier Music Service Provider (MSP)
Engineering	
MP3.com, Inc.
scottk@mp3.com
Office: (858)623-7336
Cell:   (858)382-3749
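The client-side failure in the thread ("certificate verify failed" on the ldapsearch side, "tlsv1 alert unknown ca" on the slapd side) is the TLS client rejecting the server certificate because it does not chain to the CA it was given. The script below is an added example, not from the thread or from OpenLDAP: it rebuilds the CA and server certificate from the steps above in a scratch directory and runs the same chain check with `openssl verify`, once against the issuing CA and once against an unrelated CA. It assumes an `openssl` binary on PATH; the subject names are made up, and `openssl x509 -req` stands in for `openssl ca` so no CA database is needed.

```shell
#!/bin/sh
# Added example: reproduce the CA -> server-cert chain from the post and verify it
# the way a TLS client does. Assumes openssl is on PATH; names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: self-signed CA. -nodes and -subj make it non-interactive.
make_ca() {
  openssl req -new -x509 -nodes -days 365 -subj "/CN=Example LDAP CA" \
    -keyout "$WORK/CAkey.pem" -out "$WORK/CAcert.pem" 2>/dev/null
}

# Steps 2-4: server key (already unencrypted, so no "openssl rsa" pass is
# needed), CSR, and signature by the CA. "openssl x509 -req" replaces
# "openssl ca" so no CA directory layout or index is required.
make_server_cert() {
  openssl req -new -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/newcertkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
  openssl x509 -req -days 360 -in "$WORK/newreq.pem" \
    -CA "$WORK/CAcert.pem" -CAkey "$WORK/CAkey.pem" -CAcreateserial \
    -out "$WORK/newcert.pem" 2>/dev/null
}

# An unrelated CA: handing the client this file as its CA cert is the
# classic cause of "certificate verify failed" / "alert unknown ca".
make_other_ca() {
  openssl req -new -x509 -nodes -days 365 -subj "/CN=Some Other CA" \
    -keyout "$WORK/otherkey.pem" -out "$WORK/othercert.pem" 2>/dev/null
}

# The check the TLS client performs: does $2 chain to the CA in $1?
# Prints "ok" or "fail" instead of aborting, so both cases can be shown.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca; make_server_cert; make_other_ca
RIGHT=$(verify_chain "$WORK/CAcert.pem" "$WORK/newcert.pem")
WRONG=$(verify_chain "$WORK/othercert.pem" "$WORK/newcert.pem")
echo "issuing CA: $RIGHT; unrelated CA: $WRONG"
```

Run the same `openssl verify -CAfile` check with the file named in TLS_CACERT (client) against the file named in TLSCertificateFile (server) before starting slapd; if it fails there, the handshake will fail the same way.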