Last question about SSL and certs I hope
- To: openldap-software@OpenLDAP.org
- Subject: Last question about SSL and certs I hope
- From: billd <bd@emtex.com>
- Date: Fri, 01 Nov 2002 10:51:39 +0000
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
Hi,
After removing the encryption from my cert
and removing other things in the confs that
I had put in for testing, I believe I am
now using SSL/TLS. I am a little concerned
by a couple of messages while running this
in debug though. I am using a cert on the
server only, not client side and I am happy
to do things that way for now. But when I am
running
./slapd -d 1
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(16): got connid=47
connection_read(16): checking for input on id=47
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(16): unable to get TLS client DN error=49 id=47
connection_get(16): got connid=47
connection_read(16): checking for input on id=47
ber_get_next
TLS trace: SSL3 alert read:warning:bad certificate
ber_get_next on fd 16 failed errno=11 (Resource temporarily unavailable)
connection_get(16): got connid=47
connection_read(16): checking for input on id=47
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
do_bind
and
ldapsearch -d 1 -ZZ -x -b 'dc=emtex,dc=com' '(objectclass=*)'
yields
TLS certificate verification: Error, self signed certificate
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
I am not using client certs, so I am guessing that these errors
are because I am not using a client cert? I am only asking as
they seem fairly dire and I guess I wouldn't expect to see
errors so much just because I am not using a client cert.
Apart from that, I have used tcpdump to watch the exchange and
if I don't request an encrypted session, I can read the data
in the packets as it goes through... and if I do request an
encrypted session, I can't read anything in the packets... so
it sure looks like it is working, but I just wanted to make
sure as it's fairly useless thinking you are working over
an encrypted channel when you aren't.
Thanks
Bill Dossett
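As an added illustration (not part of Bill's post or of OpenLDAP itself), a small Python reader for the two debug traces above that answers the questions the post raises: whether the handshake actually completed, and what the "read client certificate", "client DN" and "bad certificate" lines mean. The sample traces are constructed from the output quoted in the post; the result field names are assumptions of this example.

```python
import re
# Sample traces constructed from the slapd -d 1 and ldapsearch -d 1 output
# quoted in the post, trimmed to the lines the analysis looks at.
SERVER_TRACE = """\
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(16): unable to get TLS client DN error=49 id=47
TLS trace: SSL3 alert read:warning:bad certificate
"""
CLIENT_TRACE = """\
TLS certificate verification: Error, self signed certificate
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 read finished A
TLS trace: SSL3 alert write:warning:bad certificate
TLS: unable to get peer certificate.
"""

def analyze_trace(text):
    """Summarise what one side's OpenLDAP TLS debug trace says about the session."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    has = lambda pat: any(re.search(pat, ln) for ln in lines)
    return {
        # Both Finished messages seen: the handshake completed and the LDAP
        # traffic that follows travels under the negotiated cipher.
        "handshake_complete": has(r"SSLv3 write finished") and has(r"SSLv3 read finished"),
        # Logged only when slapd sends a CertificateRequest; absent here, so
        # the server never asked for a client certificate.
        "client_cert_requested": has(r"write certificate request"),
        # Non-blocking accept waiting for the client's next message, not a failure.
        "waited_for_client": has(r"error in SSLv3 read client certificate"),
        # slapd found no client certificate to derive a DN from.
        "no_client_dn": has(r"unable to get TLS client DN"),
        # The client did not trust the (self-signed) server certificate; it
        # logs an error but sends only a warning alert and carries on.
        "server_cert_untrusted": has(r"certificate verification: Error"),
        # level:description of each alert; a 'fatal' one would end the session.
        "alerts": [ln.split("alert ", 1)[1] for ln in lines if "SSL3 alert" in ln],
    }

def verdict(result):
    """One-line reading of a client-side analysis result."""
    if not result["handshake_complete"]:
        return "handshake incomplete: traffic is not encrypted"
    if result["server_cert_untrusted"]:
        return "encrypted, but the client did not verify the server certificate"
    return "encrypted; no server certificate verification error logged"
```

Run `verdict(analyze_trace(CLIENT_TRACE))` to get the reading for the ldapsearch side: the channel is encrypted, but the client has no CA to check the self-signed server cert against, so it cannot tell a genuine server from an impostor presenting its own self-signed cert.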