
TLS in openldap 2.0.27



  Hello,

  I have a little question regarding the TLS configuration of openldap 2.0.27.
I'm running Debian woody. I've compiled openldap from sid with TLS support
enabled and got it working. But I want a bit more functionality and am not
sure if it is possible with openldap-2.0.xx.

  I've generated certificates for both server and client with openca and added
the following lines to slapd.conf:

TLSCACertificateFile    /etc/ldap/ca.certs/ca.pem
TLSCACertificatePath    /etc/ldap/ca.certs

TLSCertificateFile      /etc/ldap/slapd.cert.pem
TLSCertificateKeyFile   /etc/ldap/slapd.key.pem
TLSVerifyClient         demand

so basic TLS works, but I cannot make slapd verify the client's certificate.
To test it, I've created a bogus CA certificate, but slapd still accepts the
client's connection, despite the fact that the client's certificate cannot be
verified with the CA certificate. Here's the output:

lexa:/etc/ldap# openssl verify -CAfile ca.pem lex.cert.pem 
lex.cert.pem: /C=MD/O=Uniflux-Line/OU=Internet/CN=Alex Ch/SN=3
error 20 at 0 depth lookup:unable to get local issuer certificate

connection_get(9): got connid=2
connection_read(9): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({a) ber:
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 9
connection_get(9): got connid=2
connection_read(9): checking for input on id=2
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(9): got connid=2
connection_read(9): checking for input on id=2
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(9): got connid=2
connection_read(9): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
do_bind
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="cn=admin,o=Uniflux-Line,c=md" method=128

 I see there's an error in reading the client certificate, but why isn't the
connection aborted?

-- 

  Best regards,
  Alexey Chetroi

---
Smile... Tomorrow will be worse.   (c) Murphy's law
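An added check, not from the post or from OpenLDAP, that reproduces the trust store slapd is actually configured with: the slapd.conf above sets both TLSCACertificateFile and TLSCACertificatePath (pointing into the same directory), while `openssl verify -CAfile ca.pem` alone, as run above, only exercises the first of the two. It assumes the openssl command-line tool is available; the file names are placeholders for the real ones.

```shell
#!/bin/sh
# Added example, not from the original post: check a client certificate
# against the trust store slapd is configured with, i.e. BOTH
# TLSCACertificateFile (-CAfile) and TLSCACertificatePath (-CApath).
# Paths are placeholders; the post's slapd.conf uses
# /etc/ldap/ca.certs/ca.pem and /etc/ldap/ca.certs.

# check_client_cert CLIENT_CERT CA_FILE CA_PATH
# Returns 0 if the client certificate chains to a CA in either location.
check_client_cert() {
    openssl verify -CAfile "$2" -CApath "$3" "$1" >/dev/null 2>&1
}

# capath_has_hash CA_FILE CA_PATH
# Returns 0 if CA_FILE is reachable through CA_PATH, i.e. a file or link
# named <subject-hash>.N exists there (what c_rehash creates); OpenSSL
# only finds -CApath entries by that name.
capath_has_hash() {
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    for f in "$2"/"$h".*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# list_capath_issuers CA_PATH
# Prints every hash-linked CA in CA_PATH, so an issuer that is still
# trusted through the directory after ca.pem was swapped becomes visible.
list_capath_issuers() {
    for f in "$1"/*.[0-9]; do
        [ -e "$f" ] || continue
        printf '%s: ' "$f"
        openssl x509 -noout -subject -in "$f"
    done
}

# Usage: sh check_ldap_client_cert.sh CLIENT_CERT CA_FILE CA_PATH
if [ "$#" -eq 3 ]; then
    if check_client_cert "$1" "$2" "$3"; then
        echo "OK: $1 verifies against $2 + $3"
    else
        echo "FAIL: $1 does not verify against $2 + $3"
    fi
    capath_has_hash "$2" "$3" || echo "note: $2 is not hash-linked in $3"
    list_capath_issuers "$3"
fi
```

The `error in SSLv3 read client certificate A` lines in the trace come from the handshake exit callback whenever SSL_accept returns a negative result, which on a non-blocking socket also covers a would-block retry (compare the errno=11 lines), so they do not by themselves show that the certificate was rejected.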