RE: openldap-2.0/TLS certificate error
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Scott Kelley
> i know you're all focusing on the next 2.0 release, so my apologies for
> belaboring the issues i'm having with TLS queries. question: should I be
> able to do an ldapsearch -Z query, or has this not been implemented yet in
> the current state of the 2.0 development?
The -Z option for enabling TLS is fully implemented. This is also obvious
from your included log, which clearly shows TLS processing taking place.
> i've taken Mark's advice and gone
> though and created a self-signed CA certificate that i've used to sign a
> certificate request but to no avail.
It looks like your CA certificate is not installed properly.
> here are the steps that i'm using to create the certificates (which comes
> from the appendix of an article on SSL):
Have you tried reading the docs on www.openssl.org? The steps you outline
here are slightly broken.
> 1) create a self-signed CA certificate:
> openssl req -new -x509 -keyout /usr/local/ssl/private/CAkey.pem -out
Created this way, your CA private key has been encrypted with a passphrase.
This makes it unusable by slapd. You should use the "-nodes" option to skip
the passphrase encryption.
> 2) create a certificate request:
> openssl req -new -keyout newkey.pem -out newreq.pem -days 360
Likewise here, you should use "-nodes" to omit the passphrase encryption
step. Then your step #4 below is unnecessary.
> 3) sign certificate request
> cat newreq.pem newkey.pem > new.pem
> openssl ca -policy policy_anything -out newcert.pem -infiles new.pem
The cat command is unneeded; the private key isn't used in signing certs.
> 4) remove passphrase from key:
> openssl rsa -in newkey.pem -out newcertkey.pem
Step 4 is unnecessary, as noted above.
> 5) update TLS options in slapd.conf:
> TLSCertificateFile /usr/local/ssl/certs/newcert.pem
> TLSCertificateKeyFile /usr/local/ssl/certs/newcertkey.pem
> TLSCACertificateFile /usr/local/ssl/private/CAcert.pem
> 6) startup slapd
> /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d 9
> 7) execute ldapsearch with -Z option:
> ldapsearch -b o=mp3.com,c=us -Z uid=scottk
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write certificate request A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL3 alert read:fatal:unknown
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> connection_read(10): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=10 for close
> ldap_bind: Local error additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> thanx again for your assistance.
> On Tue, Jun 13, 2000 at 03:46:51PM -0400, Mark Valence wrote:
> > I'm a bit shaky on the client side, maybe someone else has a more
> > definitive answer.
> > >How about on the client side? That is, how does
> > >a client present certificate to slapd when requested?
> > You need to set TLS_KEY in your ldap.conf file to the path to your
> > private key file, and TLS_CERT as well. In any case, this option is
> > not fully implemented, since the server does not use the identity
> > from the certificate.
> > >and, how does a client verify server certificate
> > >when presented?
> > That's not implemented yet. When it is, you'll need to have
> > TLS_CACERT and TLS_CERT entries in ldap.conf.
> > Mark.
> Scott Kelley MP3.com, the Premier Music Service
> Provider (MSP)
> MP3.com, Inc.
> Office: (858)623-7336
> Cell: (858)382-3749
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
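The corrected sequence from the reply above (CA and server keys created with -nodes, no separate passphrase-removal step), as an added example that is not part of the original thread. It uses "openssl x509 -req" in place of "openssl ca" so that no CA directory (index.txt, serial, openssl.cnf) has to be prepared, and finishes with the "openssl verify" check that tells you whether the CA file you point TLSCACertificateFile at really issued the server cert; the directory, subject names and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build an unencrypted self-signed
# CA, a server key and request, sign the request with that CA, and verify
# the chain. "openssl x509 -req" stands in for "openssl ca" so no CA
# directory setup is needed. All paths and subject names are constructed.
set -e

# make_tls_files DIR: writes CAcert.pem, CAkey.pem, newcert.pem, newkey.pem
# into DIR and returns 0 only if newcert.pem verifies against CAcert.pem.
make_tls_files() {
    dir="$1"
    mkdir -p "$dir"
    # 1) self-signed CA; -nodes leaves the key unencrypted so slapd can load it
    openssl req -new -x509 -nodes -days 365 \
        -subj "/O=Example CA/CN=Example Root CA" \
        -keyout "$dir/CAkey.pem" -out "$dir/CAcert.pem" 2>/dev/null
    # 2) server key and request; again -nodes, so the old "step 4" is not needed
    openssl req -new -nodes \
        -subj "/O=Example/CN=ldap.example.test" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # 3) sign the request with the CA; the server private key is not an input
    openssl x509 -req -days 360 -in "$dir/newreq.pem" \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CAkey.pem" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null
    # Confirm this CA issued the cert. A failure here is what shows up as
    # "tlsv1 alert unknown ca" / "certificate verify failed" in the thread.
    openssl verify -CAfile "$dir/CAcert.pem" "$dir/newcert.pem" >/dev/null
}

# key_is_unencrypted FILE: returns 0 if FILE is a PEM key with no passphrase
# (no "ENCRYPTED" marker), i.e. one slapd can load unattended.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}
```

Point TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile at newcert.pem, newkey.pem and CAcert.pem respectively; if the verify step fails for files you already have, the CA file and the server cert do not belong together.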