[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL/TLS - Help Please



That line is in the slapd.conf so for the server. the command line tool doesn't get to read that file. I had the same problem. I have no idea how to get that suit of tools to understand a self-signed certificate. I tried to switch to smbldap-tools but I'm having difficulty with those aswell. If you find a solution to SSL/TLS please let me know, especially if it involves samba.

Cheers

Miguel Baptista wrote:
Hi,

you said: "The error is below that line (two lines down) and says that the CA is unknown....
           You have to add the certificate to the list of trusted CAs."


This error is strange because i already had done that in my slapd.conf.

--> TLSCACertificateFile  /root/certificados/cacert.pem

I'm going to do some more tests

Best Regards

Alberto Tablado wrote:

Literally, the log says that your certificate is self signed, i.e., the
issuer and the subject are the same. This, per se, is not an error. In
fact, CAs have self-signed certificates.

The error is below that line (two lines down) and says that the CA is
unknown. Normally, certificates are signed by well-known CAs (like
VeriSign), but your certificate is signed by the not-known yourself.
Normally, when a certificate signed by unknow CA is received, the
programs asks you for acceptance. In servers, this is not possible. You
have to add the certificate to the list of trusted CAs.

Regards.

Alberto.

El mié, 04-02-2004 a las 19:06, Miguel Baptista escribió:


Hi,

I' ve tried to solve my the problem without bother you again. But no luck.

My computer's FQDN is now estagio.ccom.uminho.pt. As in the previous attempt, i follow this page's guide: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

I created new certificates (CA, server and client). They are all in the same (testing) computer. So, the CN in those certificates is estagio.ccom.uminho.pt
I've made the necessary changes in this files: slapd.conf, ldap.conf and .ldaprc


I run my server with this command: /usr/local/libexec/slapd -d -1 -h "ldap:///estagio.ccom.uminho.pt ldaps:///estagio.ccom.uminho.pt"

I executed this command:
ldapsearch -x -d -1 -b 'dc=uminho,dc=pt' -D "cn=Manager,dc=uminho,dc=pt" '(uid=a22)' -H ldaps://estagio.ccom.uminho.pt -W -ZZ


and this is the client's trace with the -d -1 option (i removed some parts that didn't look important)

ldap_url_parse_ext(ldaps://estagio.ccom.uminho.pt:636)
ldap_connect_to_host: TCP estagio.ccom.uminho.pt:636
ldap_connect_to_host: Trying 192.168.1.210:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=estagio.ccom.uminho.pt
TLS trace: SSL_connect:before/connect initialization
tls_write: want=148, written=148
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
tls_read: want=72, got=72
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
tls_read: want=1683, got=1683
TLS certificate verification: depth: 1, err: 19, subject: /C=pt/ST=pt/L=braga/O=braga/OU=certificador/CN=estagio.ccom.uminho.pt, issuer: > /C=pt/ST=pt/L=braga/O=braga/OU=certificador/CN=estagio.ccom.uminho.pt
TLS certificate verification: -------------------> Error, self signed certificate in certificate chain <--------------------------
tls_write: want=7, written=7
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Can't contact LDAP server (81)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



Does this problem arrise because i have the client, CA and server in the same machine? I follow the tutorial but i didn't the use self signed certificate, why is this happening? Any Ideas?

















-- Martin Ritchie

the Kelvin Institute
50, George Street
Glasgow
Scotland, UK
G1 1QE

www.kelvininstitute.com
+44 (0) 141 548 5719