
Re: Replication in v2.1.2: TLS-error

If you're having trouble with OpenSSL and its kazillion options, you might want to try tinyCA http://freshmeat.net/projects/tinyca/?topic_id=43 , an OpenSSL GUI, or OpenCA for a distributed environment http://openca.org/

good luck


Harry Rüter wrote:
Hi,

I'm using LDAP for testing purposes,
there's no security problem,
as I'm the only one with access to the test net.

Each server (master & replica) gets its
own certificate ..

Of course I'm generating my certificates myself,
as it's free ..

I'm making this with the following script :



# Usage check: portable test with "=", and exit so openssl is not run without a name
if [ "$1" = "" ]; then
  echo "usage: $0 certname (without .pem)"
  exit 1
fi

# Self-signed certificate and private key, valid 10 years, key unencrypted (-nodes).
# Key file name is assumed here: the quoted line was cut off after -keyout.
openssl req -new -x509 -nodes -days 3650 -out "$1.pem" -keyout "$1.key"

Can I modify it so it does not seem to be "self-signed"?

greets Harry

Howard Chu wrote:

You cannot use self-signed certificates for TLS services. You must create
one self-signed CA certificate and use that certificate to sign your server
certificates. On each machine, you must install the CA certificate and tell
the LDAP library where the CA cert is. You must also install and configure
the individual server certificates for each server.

Public key certificates require a mutually trusted 3rd party to ensure any
type of security. That mutually trusted 3rd party is represented by the self-signed
CA cert that you create and install. Only CAs are allowed to assert their own
identity via self-signing. Every other entity in a PKI must derive its
identity from a known CA.

If you bypass this requirement then you have no assurance that a particular
server is who it claims to be, which means you have no security at all. If you
were using TLS in the manner you've described, you should fix this issue at
your earliest opportunity.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
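The setup Howard describes, as an added example that is not part of the thread: one self-signed CA, one CA-signed certificate per server, and a check that mirrors what slapd/slurpd do when they verify a peer. The hostnames and file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Builds one private CA, signs one cert per
# server with it, and verifies each cert the way a TLS peer would.
# Hostnames and file paths are assumptions for illustration.
set -eu
WORK="${WORK:-$(mktemp -d)}"          # scratch directory for the demo files

# The only certificate allowed to be self-signed: the private CA.
make_ca() {
  openssl req -new -x509 -nodes -days 3650 -subj "/CN=Test LDAP CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Per-server key + CSR, signed by the CA; $1 is the server's hostname (CN).
make_server_cert() {
  openssl req -new -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# What the original script did: a self-signed *server* cert (the broken case).
make_self_signed() {
  openssl req -new -x509 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Verify $1's cert against the CA file $2, as a peer configured with
# TLS_CACERT (ldap.conf) / TLSCACertificateFile (slapd.conf) would; echoes ok/fail.
verify_against() {
  if openssl verify -CAfile "$2" "$WORK/$1.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_ca
make_server_cert master.example.test
make_server_cert replica.example.test
make_self_signed lonely.example.test

verify_against master.example.test  "$WORK/ca.pem"   # ok
verify_against replica.example.test "$WORK/ca.pem"   # ok
# Self-signed server cert: rejected even though the CA is trusted, which is the
# "self signed certificate" / "unknown ca" failure pair shown in the logs.
verify_against lonely.example.test  "$WORK/ca.pem"   # fail
```

Point TLS_CACERT on the slurpd side and TLSCACertificateFile on each slapd at ca.pem, and give each server its own CA-signed pem/key pair.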

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
Sent: Sunday, July 07, 2002 3:40 AM
To: OpenLDAP-software@OpenLDAP.org
Subject: Replication in v2.1.2: TLS-error


I'm trying to do replication with v2.1.2.

The two servers are installed on the same machine,
with different ports (master: 3389, 3636; replica: 4389, 4636).

Both servers are running,
but when it comes to replication slurpd says:


ber_flush: 31 bytes to sd 10
request 1 done
TLS certificate verification: Error, self signed certificate
TLS: can't connect.
Warning: ldap_start_tls failed: Connect error (91)
ber_flush: 761 bytes to sd 10
Error: LDAP SASL for ldap.hrnet.de:5389 failed: Can't
contact LDAP server
ber_flush: 7 bytes to sd 10

The replica-server says :

ber_flush: 14 bytes to sd 15
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca s3_pkt.c:956
conn=4 fd=15 closed

I made two different certificates, one for the
master server and one for the replica server.

I've done this before with version 2.0.25,
where it worked fine ...

Any suggestions?

greets Harry