Re: Tls/ssl issue






See original note below.

Hi Cody,

I'm sending this off-list; hope you don't mind.  I was just wondering if
you were able to get past the TLS/SSL problem using the help others and I
provided.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
tie line:     678-9216
external:  1-512-838-9216
e-mail:  dksoper@us.ibm.com




"cody wang" <codywang@clunet.edu>
Sent by: owner-openldap-software@OpenLDAP.org
08/11/2003 04:07 PM

To:       "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
cc:
Subject:  Tls/ssl issue




Hi,
I just finished the tls/ssl, but the test failed. Client and server
are on the same machine. I did not see any error message during the
issue CA server/client process.

[root@accounts openldap]# openssl s_client -connect localhost:636 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Thousand Oaks/O=California Lutheran University/OU=ISS/CN=accounts.clunet.edu/emailAddress=codywang@clunet.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Thousand Oaks/O=California Lutheran University/OU=ISS/CN=accounts.clunet.edu/emailAddress=codywang@clunet.edu
verify error:num=21:unable to verify the first certificate
verify return:1
11712:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1037:SSL alert number 40
11712:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


In slapd.conf

##SSL/TLS options for slapd
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
TLSVerifyClient demand

In ldap.conf
TLS_CACERT /usr/local/etc/openldap/cacert.pem
TLS_REQCERT demand



Cody Wang