Re: Slurpd over SSL
Tony Earnshaw wrote:
Estevam Viragh wrote:
Yes, the master and slave both have the same
certificates. I assumed it is fine given that I used
heavymetal.com as commonName, the domain name.
Each host's public cert should be issued for the FQDN of that host as
subject, as the rest of the network will see it, not for the
domain. You cannot use a single certificate for more than one host
(unless you're into the subjectAltName game, but that's a different
story ;). Each server cert should be signed by one single CA, and that
CA cert made available to each host and client.
Please explain to me what I am not doing, too.
On host1 I set up a CA and create a cert for host2:
./openssl req -new -nodes -keyout newreq.pem -out newreq.pem
cp newreq.pem /usr/local/ssl/misc
mv newcert.pem host2cert.pem
mv newkey.pem host2key.pem
Then I copy host2cert.pem, host2key.pem and the file
/usr/local/ssl/misc/demoCA/cacert.pem to host2.
slapd.conf on host2:
security ssf=1 tls=112
On host2 OpenLDAP was compiled as
export CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include \
export LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib \
./configure --with-tls \
and when I attempt to connect to the slapd server on the same computer with the command
/usr/local/bin/ldapsearch -Z -x -D "cn=Manager,dc=mydomain,dc=ru" -W
I see the following message:
ldap_start_tls: Connect error (91)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
If the CA and slapd run on the same host, I can connect to it from somewhere.
Please explain to me what I didn't do.
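Tony's point about one CA and one certificate per host FQDN, as an added example that is not from this thread: a shell script that issues per-host certificates (CN and subjectAltName set to the FQDN) from a single CA and then checks each one the way a TLS client does, that it chains to the CA and that its names cover the host. The heavymetal.com names and the work directory are made up for the example, and an openssl with -checkhost (1.0.2 or newer) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): one CA signs one certificate per host,
# each with the host FQDN as CN and subjectAltName; each certificate is then
# checked as a TLS client would: chain to the CA, and name match.
# Host names and the work directory are made up for the example.
set -eu

WORK="${TMPDIR:-/tmp}/ldap-tls-example"
CA_SUBJ="/CN=heavymetal.com example CA"

make_ca() {
    mkdir -p "$WORK"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate for one name, signed by the CA; the SAN carries the name.
issue_cert() {
    name="$1"
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" \
        > "$WORK/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Succeeds only if certificate $1 chains to our CA AND its names cover host $2.
cert_ok_for_host() {
    cert="$WORK/$1.crt"
    openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

main() {
    make_ca
    issue_cert host2.heavymetal.com   # what host2's slapd should present
    issue_cert heavymetal.com         # the bare domain name, as in the thread
    for pair in "host2.heavymetal.com host2.heavymetal.com" \
                "heavymetal.com host2.heavymetal.com"; do
        set -- $pair
        if cert_ok_for_host "$1" "$2"; then echo "cert $1: usable by $2"
        else echo "cert $1: NOT usable by $2 (chain or name mismatch)"; fi
    done
}

main
```

The same two checks are what to run on host2 against the files copied from host1 before pointing slapd at them; a certificate whose CN is only the domain name fails the second check for every host in that domain.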