
RE: openldap-2.0/TLS certificate error



> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Scott Kelley

> i know you're all focusing on the next 2.0 release, so my apologies for
> belaboring the issues i'm having with TLS queries.  question: should I be
> able to do an ldapsearch -Z query, or has this not been implemented yet in
> the current state of the 2.0 development?

The -Z option for enabling TLS is fully implemented. This is also obvious
from your included log, which clearly shows TLS processing taking place.

> i've taken Mark's advice and gone
> through and created a self-signed CA certificate that i've used to sign a
> certificate request but to no avail.

It looks like your CA certificate is not installed properly.
>
> here are the steps that i'm using to create the certificates (which comes
> from the appendix of an article on SSL:
> http://www.certco.com/b2b/ssl.htm).

Have you tried reading the docs on www.openssl.org? The steps you outline
here are slightly broken.
>
> 1) create a self-signed CA certificate:
>
> openssl req -new -x509 -keyout /usr/local/ssl/private/CAkey.pem -out
> /usr/local/ssl/private/CAcert.pem

Created this way, your CA private key has been encrypted with a passphrase.
This makes it unusable by slapd. You should use the "-nodes" option to skip
the passphrase encryption.
>
> 2) create a certificate request:
>
> openssl req -new -keyout newkey.pem -out newreq.pem -days 360

Likewise here, you should use "-nodes" to omit the passphrase encryption
step. Then your step #4 below is unnecessary.
>
> 3) sign certificate request
>
> cat newreq.pem newkey.pem > new.pem
> openssl ca -policy policy_anything -out newcert.pem -infiles new.pem

The cat command is unneeded, the private key isn't used in signing certs.
>
> 4) remove passphrase from key:
>
> openssl rsa -in newkey.pem -out newcertkey.pem
>
Step 4 is unnecessary, as noted above.

> 5) update TLS options in slapd.conf:
>
> TLSCertificateFile      /usr/local/ssl/certs/newcert.pem
> TLSCertificateKeyFile   /usr/local/ssl/certs/newcertkey.pem
> TLSCACertificateFile    /usr/local/ssl/private/CAcert.pem
>
> 6) startup slapd
>
> /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d 9
>
> 7) execute ldapsearch with -Z option:
>
> ldapsearch -b o=mp3.com,c=us -Z uid=scottk
>
> slapd_errors:
>
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write certificate request A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL3 alert read:fatal:unknown
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> s3_pkt.c:956
> connection_read(10): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=10 for close
>
> ldapsearch_errors:
>
> ldap_bind: Local error additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> thanx again for your assistance.
>
> On Tue, Jun 13, 2000 at 03:46:51PM -0400, Mark Valence wrote:
> >
> > I'm a bit shaky on the client side, maybe someone else has a more
> > definitive answer.
> >
> > >How about on the client side? That is, how does
> > >a client present certificate to slapd when requested?
> >
> > You need to set TLS_KEY in your ldap.conf file to the path to your
> > private key file, and TLS_CERT as well.  In any case, this option is
> > not fully implemented, since the server does not use the identity
> > from the certificate.
> >
> > >and, how does a client verify server certificate
> > >when presented?
> >
> > That's not implemented yet.  When it is, you'll need to have
> > TLS_CACERT and TLS_CERT entries in ldap.conf.
> >
> > Mark.
>
> --
> Scott Kelley		      MP3.com, the Premier Music Service
> Provider (MSP)
> Engineering
> MP3.com, Inc.
> scottk@mp3.com
> Office: (858)623-7336
> Cell:   (858)382-3749
>

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
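
The steps debated above (self-signed CA, unencrypted server key, CSR signed by
the CA, the three TLS* lines in slapd.conf), carried through as an added
example that is not part of this thread and not OpenLDAP or OpenSSL project
code. It assumes only that the openssl command-line tool is on PATH. File names
mirror the thread (CAkey.pem, CAcert.pem, newkey.pem, newreq.pem, newcert.pem);
the CA name and the hostname ldap.example.com are made up. One substitution is
made on purpose: "openssl ca" needs a CA database (index.txt, serial file,
openssl.cnf section), so the CSR is signed with "openssl x509 -req -CA ..."
instead, which needs none of that. The check_chain function runs the three
checks that would have caught the "unknown ca" / "certificate verify failed"
pair before slapd was ever started: does the cert chain to the CA file that
will be configured, is the key unencrypted, and does the key belong to the
cert.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP thread or either project.
# Assumes: the openssl CLI is on PATH. All names below are made up.
set -eu

# Step 1: self-signed CA. "-nodes" leaves the CA key unencrypted so no
# passphrase prompt can ever block an unattended process.
make_ca() {
    dir=$1
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/CAkey.pem" -out "$dir/CAcert.pem" >/dev/null 2>&1
}

# Steps 2+3: server key and CSR (again "-nodes"), then sign the CSR with the CA.
# "openssl x509 -req -CA ..." is substituted for the thread's "openssl ca"
# because it needs no CA database. Only the CSR goes to the signer; the private
# key is never concatenated into anything (the "cat" step is dropped).
issue_server_cert() {
    dir=$1; cn=$2
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=$cn" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" >/dev/null 2>&1
    # Modern clients match the hostname against subjectAltName, not the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" \
        > "$dir/ext.cnf"
    openssl x509 -req -days 365 -in "$dir/newreq.pem" \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CAkey.pem" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/newcert.pem" >/dev/null 2>&1
}

# Pre-flight checks, run before editing slapd.conf. Return codes:
#   1  newcert.pem does not chain to CAcert.pem (what the client's
#      "unknown ca" alert and "certificate verify failed" mean)
#   2  newkey.pem is passphrase-protected (slapd cannot use it unattended)
#   3  newkey.pem is not the key for newcert.pem
check_chain() {
    dir=$1
    openssl verify -CAfile "$dir/CAcert.pem" "$dir/newcert.pem" \
        >/dev/null 2>&1 || return 1
    if grep -q ENCRYPTED "$dir/newkey.pem"; then return 2; fi
    certpub=$(openssl x509 -in "$dir/newcert.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$dir/newkey.pem" -pubout)
    [ "$certpub" = "$keypub" ] || return 3
    return 0
}

# Step 5: the slapd.conf lines matching what was just generated.
slapd_tls_config() {
    dir=$1
    printf 'TLSCertificateFile      %s/newcert.pem\n' "$dir"
    printf 'TLSCertificateKeyFile   %s/newkey.pem\n' "$dir"
    printf 'TLSCACertificateFile    %s/CAcert.pem\n' "$dir"
}

# Stand-alone run: "sh this_script.sh run"
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_ca "$work"
    issue_server_cert "$work" ldap.example.com
    if check_chain "$work"; then
        echo "chain OK"
        slapd_tls_config "$work"
    else
        echo "chain check failed, code $?"
    fi
fi
```

The client side needs the same CA file: point TLS_CACERT in ldap.conf at the
CAcert.pem that check_chain verified against, otherwise ldapsearch will reject
the server certificate with exactly the error quoted above even though slapd
itself is configured correctly.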