[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slurpd over SSL

Tony Earnshaw wrote:

Estevam Viragh wrote:

Yes, The master and slave have both the same
certificates. I assumed it is fine given that I used
heavymetal.com as commonName, the domain name.

Each host's public cert should be issued for the FQDN of that host as subject and as the rest of the network will see it. Not for the domain. You cannot use a single certificate for more than one host (unless you're into the subjectAltName game, but that's a different story ;) Each server cert should be signed by one single CA and that CA cert made available to each host and client.


pls explain me, what I doing not too.

In host1 I up CA and create cert for host2

cd /usr/local/ssl/bin
./openssl req -new -nodes -keyout newreq.pem -out newreq.pem
( cn=host2.mydomain.ru)
cp newreq.pem /usr/local/ssl/misc
./CA.sh -sign
mv newcert.pem host2cert.pem
mv newkey.pem host2key.pem

copy host2cert.pem host2key.pem and file /usr/local/ssl/misc/demoCA/cacert.pem to host2

slapd.conf in host2

security ssf=1 tls=112
TLSCACertificateFile    /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile      /usr/local/etc/openldap/ssl/host2cert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/ssl/host2key.pem
TLSVerifyClient demand


TLS_CACERT      /usr/local/etc/openldap/ssl/cacert.pem
TLS_CERT        /usr/local/etc/openldap/ssl/host2cert.pem
TLS_KEY /usr/local/etc/openldap/ssl/host2key.pem
BASE    dc=mydomain,dc=ru
URI     ldap://host2.mydomain.ru

In host2 openldap was compiled as
export CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include \
export LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib \
-R/usr/local/BerkeleyDB.4.1/lib \
-L/usr/local/ssl/lib \
./configure --with-tls \
--enable-slapd \

and when I attempt connect to slapd server on same computer with command
/usr/local/bin/ldapsearch -Z -x -D "cn=Manager,dc=mydomain,dc=ru" -W "(uid=user)"

I looking next message
ldap_start_tls: Connect error (91)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

If CA and slapd run on same host, I can connect to him from somewhere. Explain me pls what I didn't do. Thanks.