
RE: Replication in v2.1.2: TLS-error

You cannot use self-signed certificates for TLS services. You must create
one self-signed CA certificate and use that certificate to sign your server
certificates. On each machine, you must install the CA certificate and tell
the LDAP library where the CA cert is. You must also install and configure
the individual server certificates for each server.

Public key certificates require a mutually trusted 3rd party to ensure any
type of security. That mutually trusted 3rd party is represented by the self-signed
CA cert that you create and install. Only CAs are allowed to assert their own
identity via self-signing. Every other entity in a PKI must derive its
identity from a known CA.

If you bypass this requirement then you have no assurance that a particular
server is who it claims to be, which means you have no security at all. If you
were using TLS in the manner you've described, you should fix this issue at
your earliest opportunity.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> Sent: Sunday, July 07, 2002 3:40 AM
> To: OpenLDAP-software@OpenLDAP.org
> Subject: Replication in v2.1.2: TLS-error
> Hi,
> I'm trying to do replication with v2.1.2.
> The two servers are installed on the same machine,
> with different ports (master:3389,3636;replica: 4389,4636).
> Both servers are running,
> but when it comes to replication slurpd says :
> --------------snipp-------------------------------------
> ber_flush: 31 bytes to sd 10
> request 1 done
> TLS certificate verification: Error, self signed certificate
> TLS: can't connect.
> Warning: ldap_start_tls failed: Connect error (91)
> ber_flush: 761 bytes to sd 10
> Error: LDAP SASL for ldap.hrnet.de:5389 failed: Can't
> contact LDAP server
> ber_flush: 7 bytes to sd 10
> --------------snipp-------------------------------------
> The replica-server says :
> --------------snipp-------------------------------------
> ber_flush: 14 bytes to sd 15
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca s3_pkt.c:956
> conn=4 fd=15 closed
> --------------snipp-------------------------------------
> I made two different certificates, one for the
> master- one for the replica-server.
> I've done this before with version 2.0.25,
> where it works fine ...
> Any suggestions?
> greets Harry
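The setup Howard describes above, as an added shell example that is not from the thread or the OpenLDAP project: one self-signed CA, one CA-signed certificate per slapd instance, and the same chain check the LDAP library performs at ldap_start_tls time. The `example.test` host names, the output directory and the key sizes are placeholders.

```shell
#!/bin/sh
# Added example: private CA for OpenLDAP master/replica TLS.
# Host names and paths are assumed placeholders, not from the thread.
set -e

make_ca_and_server_certs() {
    # $1 = output directory; remaining args = server host names
    dir=$1; shift
    mkdir -p "$dir"
    # 1. The one self-signed certificate in this PKI: the CA itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example LDAP Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for host in "$@"; do
        # 2. Key + CSR per server; CN must be the name clients connect to.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
        # 3. Sign the CSR with the CA instead of self-signing the server cert.
        openssl x509 -req -days 365 -in "$dir/$host.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$host.crt" 2>/dev/null
    done
    # Where the files go (directive names per OpenLDAP 2.x docs):
    #   slapd.conf on each server: TLSCACertificateFile  $dir/ca.crt
    #                              TLSCertificateFile    $dir/<host>.crt
    #                              TLSCertificateKeyFile $dir/<host>.key
    #   ldap.conf (read by the client library, slurpd included):
    #                              TLS_CACERT            $dir/ca.crt
}

# Returns 0 when cert $2 chains to the CA in $1, non-zero otherwise.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when both CA-signed certs verify and a stand-alone
# self-signed server cert (the mistake in the thread) is rejected.
demo() {
    d=$(mktemp -d)
    make_ca_and_server_certs "$d" master.example.test replica.example.test
    verify_server_cert "$d/ca.crt" "$d/master.example.test.crt" || return 1
    verify_server_cert "$d/ca.crt" "$d/replica.example.test.crt" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=lonely.example.test" \
        -keyout "$d/lonely.key" -out "$d/lonely.crt" 2>/dev/null
    # Same failure slurpd logged: a self-signed leaf has no trusted issuer.
    if verify_server_cert "$d/ca.crt" "$d/lonely.crt"; then return 1; fi
    rm -rf "$d"
}
```

Run `demo` to exercise the whole flow in a temporary directory; only the CA certificate needs to be copied to every machine, the server keys stay where they were generated.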