
TLS SSL overload



Hi,


<begging> I'm trying to get TLS/SSL working with openLDAP. I've made some progress, but my tiny mind has gone into overload. This might be kind of long, sorry.

I'll do server config first as the server is starting,
but I don't know if it's right or not as I can't start
a TLS session with the client ldapsearch so far anyway.

I am using self-signed certs as this is an internal to
my company only openLDAP database.  It holds info for
accounts on about 6 different servers, which is why I
am trying to use openLDAP so I can reduce the chance of
forgetting or mistyping an entry in one of the servers.
All the servers are on the safe side of a firewall at this
point, however I would like to be transmitting these encrypted
just in case someone managed to get a sniffer on my network
somehow, or even if my users were playing around with a sniffer.

So, here is what I have done:

Created a private key with 3des encryption

openssl genrsa -des3 -out ncc1701a.key 1024

created a self signed certificate

openssl req -new -key ncc1701a.key -x509 -out ncc1701a.crt

This asked me for some input, I think the important
one is the common name, so I put emtex.com... not sure
about this, should it be ncc1701a.emtex.com or emtex.com or
dn=emtex,dn=com...

I then added the key and cert to my slapd.conf

TLSCACertificateFile /usr/local/etc/openldap/ncc1701a.crt
TLSCertificateFile /usr/local/etc/openldap/ncc1701a.crt
TLSCertificateKeyFile /usr/local/etc/openldap/ncc1701a.key


Is this right? As I am the authority that signed my own cert,
I used the same cert file for both. Or do I even need the
TLSCACertificate line at all? As there wasn't one in the
original and it started without it... in any case putting
it in didn't make any difference.


I only have these all in the same place for now to try and
test and get it working, the key would be in a protected directory
once I get things working.



As stated, slapd does start ok.

I am assuming the default of never for TLSVerifyClient as I
am not using client certificates yet, and may not.

Now I try to do a query of everything in the database with
ldapsearch like so:

ldapsearch -Z -x -b 'dc=emtex,dc=com' '(objectclass=*)'

and get the following errors from ./slapd -d 1

ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


which seems to be saying that getting the certificate and/or verifying it failed.

The slapd -d1 is saying:

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(16): got connid=32
connection_read(16): checking for input on id=32
TLS trace: SSL3 alert read:fatal:unknown
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:964



this seems to be pointing at the client certificate as the problem... however
as I haven't specified to verify the client cert, it shouldn't be asking for
one should it?


I've also tried with the little java LDAP browser\editor v2.8.2 and can't get that to work either. And I've seen dire warnings that
ldaps:// isn't compatible with V3 ldap protocol or something, yet
the URL that the editor is using is ldaps:// and it is set to version 3
and I would think these would be mutually exclusive if they don't work
together.


I have been reading tons of docs and I'm sorry but they don't all
make sense to me and maybe I'm just trying to learn this all a little
too fast.  It is by far the most complex thing I've ever attempted to
configure, if anyone can tell me what I'm doing wrong at this point
I would at least get a decent night's sleep.

Further details should they be needed...

I am using openLDAP version 2.1.5 compiled with SSL support
I am using openssl-0.9.6b-18
I am using Redhat Linux 7.3 with stock smp kernel

I think I'm pretty close to having this working, but I could
certainly be wrong as I have been many times before and will
freely admit it.

Thanks, I'd really appreciate if anyone can tell me what I've
done wrong and any pointers on how to fix it if it isn't too
lengthy a subject.... </begging>

Thanks

Bill Dossett
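As an added example (not part of Bill's post), here is the check that separates "the server certificate is bad" from "the client has no trust anchor", which is what the paired "certificate verify failed" (client) and "tlsv1 alert unknown ca" (server) messages above indicate. It generates a self-signed cert the way a daemon can load it, verifies it with and without a CA file, and writes the client-side TLS_CACERT line that ldapsearch -Z needs. The host name ncc1701a.emtex.com, the scratch directory and the ldap.conf snippet are assumptions; openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the original post. Shows why a client with no
# trust anchor rejects a self-signed server cert, and what fixes it.
# The host name, scratch directory and config snippet are assumptions.
set -e
HOST=ncc1701a.emtex.com            # assumed FQDN that clients connect to
WORK=$(mktemp -d)

# Key + self-signed cert in one step. CN must be the server's host name as
# clients use it (not "emtex.com", not a DN). The key is left unencrypted
# so a daemon can load it without a passphrase prompt; guard it with modes.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HOST" \
        -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.crt" 2>/dev/null
    chmod 600 "$WORK/$HOST.key"
}

# What the certificate actually says; compare with the name you connect to.
cert_cn() {
    openssl x509 -in "$WORK/$HOST.crt" -noout -subject | sed 's/.*CN *= *//'
}

# The client's view with no trust anchor at all: the same state ldapsearch
# is in without TLS_CACERT. Non-zero exit here; slapd would log "unknown ca".
verify_without_anchor() {
    openssl verify -no-CAfile -no-CApath "$WORK/$HOST.crt" >/dev/null 2>&1
}

# With the self-signed cert itself as the CA file, verification succeeds.
# This is the same file slapd uses as TLSCACertificateFile.
verify_with_anchor() {
    openssl verify -CAfile "$WORK/$HOST.crt" "$WORK/$HOST.crt" >/dev/null 2>&1
}

# Client-side fix: ldap.conf (or ~/.ldaprc) must name the trust anchor.
# TLS_REQCERT demand keeps the check strict instead of silently skipping it.
write_client_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$WORK/$HOST.crt" \
        > "$WORK/ldap.conf"
}

make_self_signed
echo "certificate CN: $(cert_cn)"
if verify_without_anchor; then echo "unexpected: verified with no anchor"; fi
verify_with_anchor && echo "verifies against its own CA file"
write_client_conf
```

The server keeps TLSCertificateFile and TLSCertificateKeyFile as in the post; the client must be given the same cert as its CA, otherwise every connection ends in the "unknown ca" alert regardless of TLSVerifyClient.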