
[Fwd: problem SSL authentication]



--- Begin Message ---
Hello!

Thanks for your answer.

Dave Lewney wrote:

> Antonio Ruiz Martínez wrote:
> > Hello!
> >
> >     I'm doing a search with ldapsearch. My server is configured to
> > make an SSL connection, but client authentication is not required.
> > However, when I execute the command
> > ldapsearch -b "ou=USERS,o=ARM'S PKI,c=ES" -LLL -D
> > "cn=ARM,ou=USERS,o=ARM'S PKI,c=ES" -H ldaps://micropeich.dif.um.es -ZZ
> > -W
> >
> > It seems the server is requesting the user certificate because I'm
> > getting the following:
> >
> > ldap_start_tls: Can't contact LDAP server (81)
> >         additional info: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE
> > :certificate verify failed
> >...
>
> Firstly, you can use -ZZ on port 389 *or* ldaps on port 636, but not both.
> However, I would have expected to see an error something like ...
>
> ldap_start_tls: Operations error
>         additional info: TLS already started
>
> 1) Is your server listening on ports 389 and/or 636?

My server is listening on port 636.


>
> 2) Have you tested out your certificate(s) ...
>
> openssl s_client -connect micropeich.dif.um.es:636 -CApath ...
>

Yes, I've tested it; the result of the test is:
C:\Programacion\openssl-0.9.6c\out32>openssl s_client -connect micropeich.dif.um.es:636 -state -CAfile ./CACert.pem -cert ./ARMcert.pem -key ./ARMkey.pem
Loading 'screen' into random state - done
Enter PEM pass phrase:
CONNECTED(000002C0)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ES/ST=MURCIA/L=MURCIA/O=ARM'S PKI/OU=CA/CN=ARM'S CA/Email=arm@dif.um.es
verify return:1
depth=0 /C=ES/ST=MURCIA/L=MURCIA/O=ARM'S PKI/OU=SERVERS/CN=micropeich.dif.um.es/Email=arm@dif.um.es
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=ES/ST=MURCIA/L=MURCIA/O=ARM'S PKI/OU=SERVERS/CN=micropeich.dif.um.es/Email=arm@dif.um.es
   i:/C=ES/ST=MURCIA/L=MURCIA/O=ARM'S PKI/OU=CA/CN=ARM'S CA/Email=arm@dif.um.es
 1 s:/C=ES/ST=MURCIA/L=MURCIA/O=ARM'S PKI/OU=CA/CN=ARM'S CA/Email=arm@dif.um.es
   i:/C=ES/ST=MURCIA/L=MURCIA/O=ARM'S PKI/OU=CA/CN=ARM'S CA/Email=arm@dif.um.es
---
Server certificate
subject=/C=ES/ST=MURCIA/L=MURCIA/O=ARM'S PKI/OU=SERVERS/CN=micropeich.dif.um.es/Email=arm@dif.um.es
issuer=/C=ES/ST=MURCIA/L=MURCIA/O=ARM'S PKI/OU=CA/CN=ARM'S CA/Email=arm@dif.um.es
---
No client certificate CA names sent
---
SSL handshake has read 1947 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 054A197F254C10F66AAA4F4500FCEC599FA6B091B638F2FCC17CDA1B89F52688
    Session-ID-ctx:
    Master-Key: FF3A8342DFD8EF36E9F2BBFF7087D2EECDADE7F5E3ED7D272B6EF3251D01774F3091BCF01B776FA835B9417721CEF51C
    Key-Arg   : None
    Start Time: 1085601718
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

I don't know what the problem is. Have you got any idea?

Thanks in advance,
Regards,
Antonio.




--- End Message ---
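As an added example (not code from the thread or from OpenLDAP), a small Python diagnostic that pulls the relevant facts out of an `openssl s_client` transcript like the one above and reports the conditions that make ldapsearch fail even though s_client verified the server with `-CAfile`: a CN that does not match the host, a client-certificate request, `-ZZ` combined with an `ldaps://` URI, and the fact that ldapsearch takes its trust anchor from `TLS_CACERT` in ldap.conf (or the `LDAPTLS_CACERT` environment variable) rather than from the `-CAfile` given to openssl. The sample transcript is a shortened, constructed copy of the one posted, and the function names are my own.

```python
import re

# Constructed excerpt of `openssl s_client -state` output, modelled on the session
# quoted in the thread (DNs shortened; this is not the original capture).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(000002C0)
depth=1 /C=ES/O=ARM'S PKI/OU=CA/CN=ARM'S CA
verify return:1
depth=0 /C=ES/O=ARM'S PKI/OU=SERVERS/CN=micropeich.dif.um.es
verify return:1
---
subject=/C=ES/O=ARM'S PKI/OU=SERVERS/CN=micropeich.dif.um.es
issuer=/C=ES/O=ARM'S PKI/OU=CA/CN=ARM'S CA
---
No client certificate CA names sent
---
    Verify return code: 0 (ok)
"""

def parse_s_client(output):
    """Extract the handshake facts that matter for an LDAPS client from s_client output."""
    subject = re.search(r"^subject=(.*)$", output, re.M)
    cn = re.search(r"/CN=([^/\n]+)", subject.group(1)) if subject else None
    code = re.search(r"Verify return code: (\d+)", output)
    return {
        "server_cn": cn.group(1).strip() if cn else None,
        "verify_code": int(code.group(1)) if code else None,
        # A server that requires client authentication lists acceptable CA names here.
        "client_cert_requested": "No client certificate CA names sent" not in output,
    }

def diagnose(output, hostname, ldapsearch_argv):
    """Return findings explaining why ldapsearch may fail although s_client verified OK."""
    facts = parse_s_client(output)
    findings = []
    if facts["verify_code"] != 0:
        findings.append("chain not verifiable with the CA file given to s_client")
    if facts["server_cn"] != hostname:
        findings.append(f"server CN {facts['server_cn']!r} != hostname {hostname!r}")
    if facts["client_cert_requested"]:
        findings.append("server asked for a client certificate")
    if "-ZZ" in ldapsearch_argv and any(a.startswith("ldaps://") for a in ldapsearch_argv):
        findings.append("-ZZ (StartTLS) combined with ldaps:// URI; use only one")
    if facts["verify_code"] == 0:
        # s_client trusted the CA only because of -CAfile; ldapsearch reads its trust
        # anchor from TLS_CACERT in ldap.conf or the LDAPTLS_CACERT environment variable.
        findings.append("point TLS_CACERT (ldap.conf) or LDAPTLS_CACERT at the same CA file")
    return findings
```

Run it as `diagnose(SAMPLE_S_CLIENT_OUTPUT, "micropeich.dif.um.es", sys.argv[1:])` with the ldapsearch arguments from the thread to see both the `-ZZ`/`ldaps://` conflict and the trust-anchor hint reported.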