
Re: SSL3 alert write:fatal:unknown CA



Hi Kent,
I looked in your excellent document OpenLDAP_TLS_howto, also because Quanah
Gibson-Mount mentioned it.

In Chapter 7, Using TLS, you give the following example:

ldapsearch -x -b 'dc=myserver,dc=com' -D "cn=Manager,dc=myserver,dc=com" '(objectclass=*)' -H ldaps://myserver.com -W -ZZ

I thought TLS was working on port 389 and only SSL was using ldaps://.
If that's true, the command would be:

ldapsearch -x -b 'dc=myserver,dc=com' -D "cn=Manager,dc=myserver,dc=com" '(objectclass=*)' -h myserver.com -W -ZZ

Pierre


On Thursday, 26 June 2003 19:28, you wrote:
> Pierre,
>
> You might also want to add '-x' for simple authentication as well as -D
> "something" -W if needed to the ldapsearch command.
>
> This one:  ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> uses SASL and whatever mechanism the server decides is best.  Hence the
> ldap_sasl_interactive_bind_s error.
>
> If your certificates are configured correctly and can be verified, it might
> just work.
>
> Cheers,
> Kent Soper
>
> "You don't stop playing because you grow old ...
>        you grow old because you stop playing."
>
> Linux Technology Center, Linux Security
> Phone:  1-512-838-9216
> e-mail:  dksoper@us.ibm.com
>
>
> From: Pierre Burri <pierre@globeall.de>
> Sent by: owner-openldap-software@OpenLDAP.org
> To: OpenLDAP <openldap-software@OpenLDAP.org>
> Subject: Re: SSL3 alert write:fatal:unknown CA
> Date: 06/26/2003 10:50 AM
>
> Hi
> thank you for your suggestion. I looked for a while on openldap.org and
> didn't find the article you are mentioning. But I found the article "How do I
> use TLS/SSL?" in the Faq-O-Matic, which gave me some answers.
> I'm just testing OpenLDAP to get the know-how, and that's why I'm not going
> to buy a "real" certificate.
> Nevertheless, I'm still curious about the document you are talking about...
> Cheers, Pierre
>
> On Wednesday, 25 June 2003 23:50, Quanah Gibson-Mount wrote:
> > Hello,
> >
> > I suggest reading the OpenLDAP FAQ.  It has a nice long detailed
> > explanation of why you probably don't want to use self-signed certs, or
> > if you do, you need to have a CA cert you can point both the server &
> > clients at.
> >
> > --Quanah
> >
> > --On Wednesday, June 25, 2003 11:16 PM +0200 Pierre Burri
> >
> > <pierre@globeall.de> wrote:
> > > Hi,
> > >
> > > I'm trying to set up an LDAP server over SSL (it already works very well
> > > without SSL).
> > >
> > > I'm using Debian Sid, package slapd, version 2.1.17-3, LDAPv3.
> > >
> > > I made a certificate; the common name is the FQDN of the host,
> > > sun.stars.priv. The command:
> > >
> > > ldapsearch -H ldaps://sun.stars.priv -b "dc=stars,dc=priv" -d7
> > >
> > > gives me the following result:
> > >
> > > TLS certificate verification: depth: 0, err: 18, subject: /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv,  issuer: /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv
> > > TLS certificate verification: Error, self signed certificate
> > > tls_write: want=7, written=7
> > >   0000:  15 03 01 00 02 02 30                               ......0
> > > TLS trace: SSL3 alert write:fatal:unknown CA
> > > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > > TLS trace: SSL_connect:error in SSLv3 read server certificate B
> > > TLS: can't connect.
> > > ldap_perror
> > > ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
> > >         additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > >
> > > What can I do so that clients on hosts other than "sun" recognize my
> > > self-made certificate?
> > >
> > > On the server "sun", I put TLS_CACERT /etc/ldap/server.pem in the file
> > > /etc/ldap/ldap.conf, which removes the problem, but of course only on the
> > > server.
> >
> > --
> > Quanah Gibson-Mount
> > Senior Systems Administrator
> > ITSS/TSS/Computing Systems
> > Stanford University
> > GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

-- 
My Sites: 
http://www.linux-age.com
http://www.myfirewall.de
http://www.globeall.de

Tel. +49 (0)30 757 02 517
Fax: +49 (0)30 757 02 518
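Added example, not code from anyone in this thread: a small Python triage script for the ldapsearch -d7 output quoted above. It maps the OpenSSL verify code (err 18 is "self-signed certificate" at depth 0), decodes the 7-byte record the client wrote (content type 0x15 alert, level 2 fatal, description 48 unknown_ca, which is the "SSL3 alert write:fatal:unknown CA" trace line) and states the client-side fix Quanah describes: ship the trust anchor to each client via TLS_CACERT rather than relaxing verification. The sample log is constructed from the quoted output with its wrapped lines rejoined.

```python
import re

# OpenSSL X509 verify result codes as printed in OpenLDAP's
# "TLS certificate verification: depth: N, err: E" debug line.
VERIFY_ERRORS = {2: "unable to get issuer certificate", 10: "certificate has expired",
                 18: "self-signed certificate (depth 0)", 19: "self-signed certificate in chain",
                 20: "unable to get local issuer certificate"}
# TLS alert descriptions (RFC 2246, 7.2.2) a client sends when it rejects the server certificate.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca"}
VERIFY_RE = re.compile(r"depth:\s*(\d+),\s*err:\s*(\d+),\s*subject:\s*(\S+),\s*issuer:\s*(\S+)")
HEX_RE = re.compile(r"^\s*0000:\s+((?:[0-9a-fA-F]{2}\s+)+)")

def decode_alert(line):
    """Decode a tls_write hex dump line; return (level, description) if it is a TLS alert record."""
    m = HEX_RE.match(line)
    data = bytes.fromhex(m.group(1).replace(" ", "")) if m else b""
    # record header: content type 0x15 (alert), version (2 bytes), length (2 bytes), level, description
    if len(data) < 7 or data[0] != 0x15:
        return None
    return ("fatal" if data[5] == 2 else "warning"), ALERT_DESCRIPTIONS.get(data[6], "alert %d" % data[6])

def triage(debug_output):
    """Explain a failed ldapsearch -d7 handshake and name the client-side fix."""
    findings = {}
    for line in debug_output.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            findings["err"] = int(m.group(2))
            findings["verify_error"] = VERIFY_ERRORS.get(findings["err"], "verify error %d" % findings["err"])
            findings["self_signed"] = m.group(3) == m.group(4)  # issuer DN equals subject DN
        alert = decode_alert(line)
        if alert:
            findings["alert"] = alert
    if findings.get("alert") == ("fatal", "unknown_ca") or findings.get("err") in (2, 18, 19, 20):
        anchor = "the server's own certificate" if findings.get("self_signed") else "the issuing CA certificate"
        findings["remedy"] = ("client has no trust anchor for the presented chain: copy %s to each client "
                              "and point TLS_CACERT in ldap.conf at it (keep TLS_REQCERT demand)" % anchor)
    return findings

# Constructed sample modelled on the debug output quoted in this thread, with the wrapped lines rejoined.
SAMPLE = """TLS certificate verification: depth: 0, err: 18, subject: /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv,  issuer: /C=DE/ST=Berlin/L=Berlin/O=linux-age/OU=LDAP-Server/CN=sun.stars.priv/Email=certificate@sun.stars.priv
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
  0000:  15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect."""
```

Running `triage(SAMPLE)` on a self-signed failure reports the verify code, the decoded alert and the TLS_CACERT remedy; on a chain that merely lacks its issuer (err 20) it points at the CA certificate instead.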