Re: openldap-2.0/TLS certificate error
i know you're all focusing on the next 2.0 release, so my apologies for
belaboring the issues i'm having with TLS queries. question: should I be
able to do an ldapsearch -Z query, or has this not been implemented yet in
the current state of the 2.0 development? i've taken Mark's advice and gone
through and created a self-signed CA certificate that i've used to sign a
certificate request but to no avail.
here are the steps that i'm using to create the certificates (which come
from the appendix of an article on SSL: http://www.certco.com/b2b/ssl.htm).
1) create a self-signed CA certificate:
openssl req -new -x509 -keyout /usr/local/ssl/private/CAkey.pem -out
2) create a certificate request:
openssl req -new -keyout newkey.pem -out newreq.pem -days 360
3) sign certificate request
cat newreq.pem newkey.pem > new.pem
openssl ca -policy policy_anything -out newcert.pem -infiles new.pem
4) remove passphrase from key:
openssl rsa -in newkey.pem -out newcertkey.pem
5) update TLS options in slapd.conf:
6) startup slapd
/usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d 9
7) execute ldapsearch with -Z option:
ldapsearch -b o=mp3.com,c=us -Z uid=scottk
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
ldap_bind: Local error additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
thanx again for your assistance.
On Tue, Jun 13, 2000 at 03:46:51PM -0400, Mark Valence wrote:
> I'm a bit shaky on the client side, maybe someone else has a more
> definitive answer.
> >How about on the client side? That is, how does
> >a client present certificate to slapd when requested?
> You need to set TLS_KEY in your ldap.conf file to the path to your
> private key file, and TLS_CERT as well. In any case, this option is
> not fully implemented, since the server does not use the identity
> from the certificate.
> >and, how does a client verify server certificate
> >when presented?
> That's not implemented yet. When it is, you'll need to have
> TLS_CACERT and TLS_CERT entries in ldap.conf.
Scott Kelley MP3.com, the Premier Music Service Provider (MSP)
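The steps in Scott's message (self-signed CA, certificate request, signing, passphrase removal) rebuilt as a runnable script, plus the trust check that the "certificate verify failed" / "unknown ca" messages come from. This is an added example, not code from the thread or from OpenLDAP; the subjects, the hostname ldap.example.com and the file names are constructed placeholders, and "openssl x509 -req" stands in for "openssl ca" so that no CA directory, index or serial file has to be set up first. Keys are generated with -nodes, so the separate "openssl rsa" passphrase-stripping step is not needed.

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway CA, sign a
# server certificate with it, then run the trust check a TLS client performs,
# once with the CA certificate available and once without.

# Create a demo PKI under directory $1: CA key+cert, server key, CSR, signed cert.
make_demo_pki() {
    # 1) self-signed CA certificate (-nodes: no passphrase on the key)
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$1/CAkey.pem" -out "$1/CAcert.pem" \
        -subj "/C=US/O=Demo CA/CN=Demo Root CA" 2>/dev/null
    # 2) server key and certificate request; CN is the hostname clients connect to
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$1/newkey.pem" -out "$1/newreq.pem" \
        -subj "/C=US/O=Demo/CN=ldap.example.com" 2>/dev/null
    # 3) sign the request with the CA ("openssl x509 -req" instead of
    #    "openssl ca", so no CA directory/index/serial setup is required)
    openssl x509 -req -in "$1/newreq.pem" -CA "$1/CAcert.pem" \
        -CAkey "$1/CAkey.pem" -CAcreateserial -days 365 \
        -out "$1/newcert.pem" 2>/dev/null
}

# The check a client makes when it has the CA certificate: exits 0 when the
# server certificate chains to CAcert.pem.
verify_with_ca() {
    openssl verify -CAfile "$1/CAcert.pem" "$1/newcert.pem" >/dev/null 2>&1
}

# The same check with no trusted CA configured at all: this is the client-side
# condition behind "certificate verify failed" and the "unknown ca" alert the
# server logs.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$1/newcert.pem" >/dev/null 2>&1
}

# Confirm the private key belongs to the issued certificate; a key/cert
# mismatch on the server is another common reason a handshake fails.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1/newcert.pem" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$1/newkey.pem" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Stand-alone run: build the PKI in a temp dir and report each check.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
if verify_with_ca "$demo_dir"; then echo "with CA file:    chain OK"; fi
if verify_without_ca "$demo_dir"; then
    echo "without CA file: unexpectedly OK"
else
    echo "without CA file: verify failed (client would send 'unknown ca')"
fi
if key_matches_cert "$demo_dir"; then echo "key/cert match:  OK"; fi
rm -rf "$demo_dir"
```

On the server side the three files map onto the slapd.conf directives TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile; on the client side, current OpenLDAP reads the CA certificate from TLS_CACERT in ldap.conf, so a client that trusts the CA passes the `verify_with_ca` check and one without it fails the way `verify_without_ca` does.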