
Re: TLS headache

Hi Paolo,

Thank you for the comment on the SSL/TLS doc!

I don't know the exact commands you used to create your certificate, but if
you followed the doc's examples, then you can't be too far off.

I see a lot of areas for you to look at which will probably require you to
recreate your server certificate (at a minimum).

1.  A fully qualified domain name (FQDN) for a server certificate is of the
form "myldap.server.com", not "localhost".  If your machine is named
"foo.server.com" and the LDAP server can be referenced by
"ldap://foo.server.com", then "foo.server.com" is the FQDN and should be
the server certificate's CN.  An FQDN is never "localhost".  If the CA cert
is also your server cert (self-signed) then it will have to have an FQDN as
the CN too.

2. Which brings me to ... in your ldap.conf, you have "HOST 127.0.0.1".  I
have seen a previous note where the author did this and it never worked.
He changed it to the FQDN and his problem was solved.

3.  More ldap.conf:  the "PORT 389" entry is ok but I would comment it out
('#') until you get the server working.  It's a default setting anyway and
it might (not really sure) interfere with port 636 tests.

4.  Which brings me to port 636 tests ... getting SSL working on port 636
before TLS on 389 has been easier for me.  Dave Lewney suggested using the
openssl client calls to check out the LDAP server and various certificates
which is an awesome step to do.

Here are some example calls from a client machine (probably localhost for
you) (see section 6.1 of the doc):

% openssl s_client -connect localhost:636 -showcerts -state \
    -CAfile <ca cert on client>                    // server side

% openssl s_client -connect foo.server.com:636 -showcerts -state \
    -CAfile <ca cert on client>                    // server side with FQDN

% openssl s_client -connect localhost:636 -showcerts -state \
    -CAfile <ca cert on client> \
    -cert <client cert> -key <client cert key>     // server/client auth

It's important that your client has the correct path permissions to the CA
cert, client cert, and client key in order for any of this to work
(including OpenLDAP client calls!).  This happened to me once as well as
creating a cert on a machine with an incorrect clock so the cert was
invalid for 90 minutes.

5.  Your TLSCipherSuite value is fine.  The HIGH:MEDIUM covers several
SSLv3 values.  If in doubt, run "openssl ciphers -v <cipher>" where
<cipher> is the cipher in doubt, such as "HIGH", "MEDIUM" or "SSLv2".

Hope this helps.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:   1-512-838-9216
e-mail:  dksoper@us.ibm.com
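A pre-flight script for the points above (the CN must be the server's FQDN and never "localhost"; the CA cert, client cert and key must be readable by the user running the client; the cert must be valid right now, which a skewed clock at creation time breaks), added here as an example that is not part of this thread or of the OpenLDAP documentation. The FQDN "foo.server.com", the file names and the throwaway demo CA are assumptions; the script generates its own test certificates so it runs offline without any LDAP server.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: openssl on PATH, the
# FQDN foo.server.com, and a throwaway CA built in a temp directory.

# check_readable <file>...: every file the client will open (CA cert,
# client cert, client key) must be readable by the user running the
# OpenLDAP client tools, or nothing else in the TLS setup can work.
check_readable() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    return 0
}

# cert_cn <cert.pem>: print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_cert_for_host <server cert> <ca cert> <fqdn>
# Succeeds only when the subject CN is exactly the FQDN, looks like a
# fully qualified name (has a dot, is not localhost/127.0.0.1), and the
# certificate chains to the CA inside its validity period. "openssl verify"
# fails for "not yet valid" as well as "expired", which is what a wrong
# clock at cert-creation time produces.
check_cert_for_host() {
    cert=$1; ca=$2; fqdn=$3
    check_readable "$cert" "$ca" || return 1
    cn=$(cert_cn "$cert")
    [ -n "$cn" ] || { echo "$cert: no CN in subject" >&2; return 1; }
    case "$cn" in
        localhost|127.0.0.1)
            echo "$cert: CN '$cn' is not an FQDN" >&2; return 1 ;;
        *.*) ;;
        *)  echo "$cert: CN '$cn' is a bare hostname, not an FQDN" >&2
            return 1 ;;
    esac
    [ "$cn" = "$fqdn" ] || { echo "$cert: CN '$cn' != '$fqdn'" >&2; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "$cert: does not verify against $ca (untrusted, expired or not yet valid)" >&2
        return 1
    }
    return 0
}

# make_demo_certs: constructed test data, not real certificates. Builds a
# demo CA plus two CA-signed server certs in a temp dir, one with
# CN=foo.server.com and one with CN=localhost, and prints the directory.
make_demo_certs() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" -subj "/CN=Demo CA" >/dev/null 2>&1
    for name in foo.server.com localhost; do
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$d/$name.key" -out "$d/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$d/$name.csr" \
            -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/$name.pem" >/dev/null 2>&1
    done
    echo "$d"
}

# Demonstration: the FQDN cert is accepted, the "localhost" cert is rejected.
demo() {
    d=$(make_demo_certs)
    for name in foo.server.com localhost; do
        if check_cert_for_host "$d/$name.pem" "$d/ca.pem" foo.server.com; then
            echo "$name.pem: OK for foo.server.com"
        else
            echo "$name.pem: REJECTED"
        fi
    done
    rm -rf "$d"
}
demo
```

To use it against a real deployment, call check_cert_for_host with the server cert, the CA cert the client has in TLS_CACERT, and the name you put in ldap.conf's HOST line; run it as the same user that runs ldapsearch so the readability check reflects that user's permissions.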

Paolo wrote:

I have tried the instructions in your HOWTO (very clear / thank you!),
after a lot of time and frustration trying to set up an LDAP server with
TLS, but the client seems not to like the server certificate. Here are my
configuration files for the openldap 2.1.21 on a RH8 linux box:

/etc/openldap/slapd.conf:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema

loglevel 296
pidfile /var/run/slapd.pid

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/servercert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient never

access to * by read

#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=prisma,dc=com"
rootdn "cn=root,dc=prisma,dc=com"
rootpw {SSHA}vZddgTWTErSxFyNG2MC8fnp4k/9zNadi
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

/etc/ldap.conf:

HOST 127.0.0.1
PORT 389
TLS_CACERT /usr/share/ssl/misc/demoCA/cacert.pem
TLS_CACERTDIR /usr/share/ssl/misc/demoCA
TLS_REQCERT never