[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP, OpenSSL, TLS trace: SSL_accept:error in SSLv3 read clie nt certificate A

Dear Richard,

Thanks for the detailed reply.
1. I had confirmed that slapd.conf file doesn't have TLSVerifyClient
statement.
2. After your valuable inputs, I tried to export the file in PKCS#12 format.
Later, while importing the file in windows based client, it says:
---------------------------
Invalid Public Key Security Object File
---------------------------
This is an invalid Personal Information Exchange file.
---------------------------
OK   
---------------------------

Any ways, thanks you again. I will continue working on it. Please inform me
if anything else can be done about this. Thanks.

Regards
Pravin Joshi




-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:levitte@stacken.kth.se]
Sent: Thursday, October 31, 2002 01:08
To: Pravin Joshi
Cc: openldap-software@OpenLDAP.org
Subject: Re: OpenLDAP, OpenSSL, TLS trace: SSL_accept:error in SSLv3
read clie nt certificate A


In message <E1DA42CDF67DD61195200080AD7B2D990FC843@rockets.CHARJIV> on Thu,
31 Oct 2002 12:07:51 +0530, Pravin Joshi <pjoshi@CHARJIV.com> said:

pjoshi> TLS trace: SSL_accept:error in SSLv3 read client certificate A
pjoshi> TLS trace: SSL_accept:error in SSLv3 read client certificate A
pjoshi> connection_get(14): got connid=1
pjoshi> connection_read(14): checking for input on id=1
pjoshi> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
pjoshi> TLS: can't accept.
pjoshi> connection_read(14): TLS accept error error=-1 id=1, closing
pjoshi> connection_closing: readying conn=1 sd=14 for close
pjoshi> connection_close: conn=1 sd=14
[...]
pjoshi> Or is it that, the certificate installed from internet explorer and
pjoshi> netsccape is just a copy of server certificate where as my openldap
is
pjoshi> asking for client side certificate too? If that is the case, then
what
pjoshi> should I do next?

Since it stops when trying to read a client certificate, it's a pretty
safe bet to assume that's where the problem is.

So, the next question is how slapd is configured.  Look in slapd.conf,
and check the TLS* settings.  I'm guessing that TLSClientVerify has a
value like "demand".

pjoshi> 1. How do I create and export client side certificate? 

The really important thing to check here is what CA's slapd trusts.
If you check for the settings TLSCAcertificateFile or TLSCAcerificatePath
and look at the file(s) those refer to (probably using the command
'openssl x509 -in $file -issuer -subject -noout'), you can find out
what CA's you can use to create a user certificate for yourself.  If
you don't recognise a particular one, you might want to ask someone
who knows, or create your own CA (quite easily done using the OpenSSL
CA.pl script), create a user certificate and sign it (also easily done
with CA.pl).  In the latter case, you need to tell slapd where the
certificate of your new CA is (or give it a copy) using the setting
TLSCAcertificateFile...

pjoshi> 2. How do I install client side certificate on windows based
machine?

You probably need to make a PKCS#12 copy of your certificate+key+CAcert
(again, easily done with CA.pl), copy the result to your Windows
machine and double-click on that copy.  At least, that's how I
remembered doing it...

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.