[Date Prev][Date Next] [Chronological] [Thread] [Top]
Re: SSL3 alert write:fatal:unknown CA

To: Pierre Burri <pierre@globeall.de>
Subject: Re: SSL3 alert write:fatal:unknown CA
From: Kent Soper <dksoper@us.ibm.com>
Date: Thu, 26 Jun 2003 11:50:42 -0500
Cc: OpenLDAP <openldap-software@OpenLDAP.org>, owner-openldap-software@OpenLDAP.org



You can also look at
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html  for more
self-signed cert vs. CA-signed cert examples with config info.

By the way, not all self-signed cert errors are errors.  They just have
nonzero return codes that signify self-signed cert usage.

You put TLS_CACERT into the CLIENT config file, /etc/ldap/ldap.conf, but
did you edit the SERVER config file slapd.conf?

For server side auth, you should have at a minimum in slapd.conf:
TLSCACertificate (or TLSCACertificatePath)      <your server's CA cert>
TLSCertificateFile      <server cert (or CA cert if using self-signed cert>
TLSCerttificateKeyFile   <server cert key>

TLSCipherSuite would be good to add too.

The default value of TLS_REQCERT for the client is demand so you could
leave ldap.conf empty.

For client authentication, use the above directives and ...
slapd.conf:  TLSVerifyClient  <either demand, try, or hard>
ldap.conf:    TLS_CACERT      <client CA cert, can be same as server CA
cert>
Your client cert and keys to a ldaprc file in user homedir:
TLS_CERT    <cert>
TLS_KEY     <cert key>

Check the man pages (slapd.conf, ldap.conf) for more info as well as the
above mentioned doc.

Cheers,
Kent

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
tie line:     678-9216
external:  1-512-838-9216
e-mail:  dksoper@us.ibm.com




                                                                                                                                     
                      Pierre Burri                                                                                                   
                      <pierre@globeall.de>             To:       OpenLDAP <openldap-software@OpenLDAP.org>                           
                      Sent by:                         cc:                                                                           
                      owner-openldap-software@O        Subject:  Re: SSL3 alert write:fatal:unknown CA                               
                      penLDAP.org                                                                                                    
                                                                                                                                     
                                                                                                                                     
                      06/26/2003 10:50 AM                                                                                            
                                                                                                                                     
                                                                                                                                     




Hi
thank you for your suggestion. I looked for a while on openldap.org and
didn't
find the article you are mentioning. But, I found the article "How to use I

use TLS/SSL?" in the Faq-O-Matic which gave me some answers.
I'm just testing OpenLDAP to get the know how and that's why I'm not going
to
buy a "real" certificate.
Nevertheless, I'm still curious about de document you are talking about...
Cheers, Pierre

Am Mittwoch, 25. Juni 2003 23:50 schrieb Quanah Gibson-Mount:
> Hello,
>
> I suggest reading the OpenLDAP FAQ.  It has a nice long detailed
> explanation of why you probably don't want to use self-signed certs, or
if
> you do, you need to have a CA cert you can point both the server &
clients
> at.
>
> --Quanah
>
> --On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri
>
> <pierre@globeall.de> wrote:
> > Hi,
> >
> > I'm trying to setup a LDAP server over SSL (it works already very well
> > without  SSL)
> >
> > I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3
> >
> > I made a certificate, the common name is the FQDN of the host:
> > sun.stars.priv the comand:
> >
> > ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> >
> > gives me the followin result:
> >
> > TLS certificate verification: depth: 0, err: 18, subject:
> >
/C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
> > il=certificate@sun.stars.priv,  issuer:
> >
/C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Ema
> > il=certificate@sun.stars.priv TLS certificate verification: Error, self
> > signed certificate
> > tls_write: want=7, written=7
> >   0000:  15 03 01 00 02 02 30                               ......0
> > TLS trace: SSL3 alert write:fatal:unknown CA
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > TLS: can't connect.
> > ldap_perror
> > ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > What can I do that clients from other hosts than "sun" recognize my
self
> > made  certificate?
> >
> > On the the server "sun", I put TLS_CACERT /etc/ldap/server.pem in file
> > /etc/ldap/ldap.conf which remove the problem, but of course only on the
> > server.
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Prev by Date: Re: SSL3 alert write:fatal:unknown CA
Next by Date: Re: TLS-based authentication?
Index(es):
- Chronological
- Thread