
Re: Tls/ssl issue






Disregard the previous email ... sort of.  It won't help with an openssl
s_client command but it will help to set up your LDAP for TLS connections.

Look at http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html for some
openssl s_client examples.  You need some more arguments in the command and
section 6.1 shows them.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com



"cody wang" <codywang@clunet.edu>
Sent by: owner-openldap-software@OpenLDAP.org
To: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
Subject: Tls/ssl issue
08/11/2003 04:07 PM


Hi,
I just finished the TLS/SSL setup, but the test failed. Client and server
are on the same machine. I did not see any error message during the
CA/server/client certificate issuing process.

[root@accounts openldap]# openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Thousand Oaks/O=California Lutheran University/OU=ISS/CN=accounts.clunet.edu/emailAddress=codywang@clunet.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Thousand Oaks/O=California Lutheran University/OU=ISS/CN=accounts.clunet.edu/emailAddress=codywang@clunet.edu
verify error:num=21:unable to verify the first certificate
verify return:1
11712:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1037:SSL alert number 40
11712:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


In slapd.conf

##SSL/TLS options for slapd
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSVerifyClient demand

In ldap.conf
TLS_CACERT /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand



Cody Wang
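As an added example (not code from this thread or from the linked howto), the POSIX shell helper below classifies the two failure signatures in the transcript above and prints the s_client invocation that supplies the CA file and a client certificate, which is what a slapd configured with TLSVerifyClient demand requires. It assumes the standard s_client options -CAfile, -cert and -key and takes the certificate paths as parameters.

```shell
#!/bin/sh
# Added example, not from the thread or from the OpenLDAP howto it links to.
# Classifies an 'openssl s_client' transcript captured against an ldaps:// server
# whose slapd.conf has 'TLSVerifyClient demand', and builds the probe command with
# the standard s_client options (-CAfile, -cert, -key) that such a server requires.

# Read a transcript on stdin, print space-separated findings on stdout:
#   no-ca-file   verify error 20/21: s_client had no trust anchor (missing -CAfile)
#   client-cert  alert 40 handshake failure: the server demanded a client cert
#                and none was offered (missing -cert/-key)
#   ok           verify return code 0 and no alert
diagnose_s_client() {
    transcript=$(cat)
    findings=""
    if printf '%s\n' "$transcript" | grep -q 'verify error:num=2[01]:'; then
        findings="no-ca-file"
    fi
    if printf '%s\n' "$transcript" | grep -q 'SSL alert number 40'; then
        findings="${findings:+$findings }client-cert"
    fi
    if [ -z "$findings" ] && printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)'; then
        findings="ok"
    fi
    printf '%s\n' "${findings:-unknown}"
}

# Print the s_client command that presents the CA bundle and a client certificate.
# Paths are parameters; the ones in the thread live under /usr/local/etc/openldap/.
ldaps_probe_cmd() {
    host=$1; port=$2; cafile=$3; cert=$4; key=$5
    printf 'openssl s_client -connect %s:%s -CAfile %s -cert %s -key %s -showcerts\n' \
        "$host" "$port" "$cafile" "$cert" "$key"
}

# Constructed sample: the relevant lines from the failing transcript in the thread.
SAMPLE_FAILED='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
11712:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1037:SSL alert number 40'

# Constructed sample: the tail of a transcript where the chain verified.
SAMPLE_OK='CONNECTED(00000003)
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_FAILED" | diagnose_s_client   # prints: no-ca-file client-cert
printf '%s\n' "$SAMPLE_OK" | diagnose_s_client       # prints: ok
```

Both findings together are exactly the situation in the thread: the server certificate cannot be chained to cacert.pem because s_client was not told about it, and the handshake is then aborted because slapd demanded a client certificate that s_client never offered.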