Re: TLS server side auth problem
On 2 September 2003, peter pan <firstname.lastname@example.org> wrote:
> I still haven't made any progress on this. No one
> replied to my post below, is this because:
> - no one knows
> - my post is not appropriate in some way
> - I'm a berk for not spotting something obvious :)
> I can't move forward with our LDAP rollout until this
> is resolved - does anyone have any suggestions?
> --- peter pan <email@example.com> wrote:
> > If I put the serverkey and servercert in the .ldaprc
> > file (I know this is for the client certs but as a
> > test..) then ldapsearch -ZZ -x -h <FQDN> works. If I
> > take them out of .ldaprc it fails:
> > [root@test root]# ldapsearch -ZZ -x -H ldap://test.mydomain.com
> > ldap_start_tls: Connect error
> > additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
According to "man 5 ldap.conf":
: Some options are user-only. Such options are ignored if
: present in the ldap.conf (or file specified by LDAPCONF).
: TLS_CERT <filename>
: Specifies the file that contains the client certificate.
: This is a user-only option.
: TLS_KEY <filename>
: Specifies the file that contains the private key
: that matches the certificate stored in the TLS_CERT
: file. Currently, the private key must not be protected
: with a password, so it is of critical importance
: that the key file is protected carefully.
: This is a user-only option.
Dr. Liviu Daia e-mail: Liviu.Daia@imar.ro
Institute of Mathematics web page: http://www.imar.ro/~daia
of the Romanian Academy PGP key: http://www.imar.ro/~daia/daia.asc
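
The following is an added example, not part of the original message or of OpenLDAP: a small shell audit for the two user-only options quoted from ldap.conf(5) above. It lists TLS_CERT and TLS_KEY lines in a client config file (useful for spotting them in a system-wide ldap.conf, where they are ignored) and checks that the unencrypted key file is not accessible to group or other. The function names are hypothetical, option names are assumed to be matched case-insensitively, and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Audits an OpenLDAP client
# config file for the user-only options quoted from ldap.conf(5) above.

# List TLS_CERT / TLS_KEY lines in FILE ($1); comment lines are skipped.
# Found in a system-wide ldap.conf, these lines are ignored by the client.
user_only_opts_in() {
    awk '/^[ \t]*#/ { next }
         toupper($1) == "TLS_CERT" || toupper($1) == "TLS_KEY" {
             printf "%d: %s %s\n", FNR, toupper($1), $2
         }' "$1"
}

# Print the key path named by the last TLS_KEY line in FILE ($1), if any.
key_path_from() {
    awk '/^[ \t]*#/ { next }
         toupper($1) == "TLS_KEY" { p = $2 }
         END { if (p != "") print p }' "$1"
}

# Succeed only if KEYFILE ($1) grants nothing to group or other. The key
# cannot be password-protected, so file permissions are its only protection.
key_perms_ok() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Demo on constructed sample data in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/client.key"; chmod 644 "$d/client.key"
    cat > "$d/ldaprc" <<EOF
# constructed sample file
TLS_CACERT $d/ca.pem
TLS_CERT $d/client.pem
TLS_KEY $d/client.key
EOF
    user_only_opts_in "$d/ldaprc"
    key=$(key_path_from "$d/ldaprc")
    if key_perms_ok "$key"; then echo "key permissions ok"
    else echo "WARNING: $key is accessible to group/other"; fi
    rm -rf "$d"
}
demo
```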