
Re: LDAP TLS/SSL Security problem

On Wed, 30 Jun 2004 sworden@focal.com wrote:

> /usr/local/bin/ldapsearch -d 1 -x -b "dc=********,dc=com" -H
> 'ldaps://ldaptest.*********.com' -ZZ

You are trying to use StartTLS on an already encrypted channel. For
details, see the following:


Meanwhile, either drop the "-ZZ" from your ldapsearch command or
point ldapsearch to 'ldap://ldaptest.*********.com' (assuming that
slapd is listening there), and see if you get closer.


> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 20, subject:
> /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*********.com, issuer:
> /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.************.com
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS trace: SSL3 alert write:fatal:unknown CA

...it appears that there may be something wrong with your server
certificate setup. Maybe review this FAQ:


...or this:


> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Kirk Turner-Rustin
Libraries and Information Services
Ohio Wesleyan University
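A small triage helper for the two problems the reply points out (StartTLS requested on an ldaps:// URI, and a server certificate whose issuer the client does not trust), added here as an example that is not part of the thread or of OpenLDAP. It assumes the constructed command line and trace below, with ldaptest.example.com standing in for the redacted hostname, and the TLS_CACERT it mentions is the client-side ldap.conf option.

```python
import re
import shlex
from typing import List

# OpenSSL X509 verify codes as printed after "err:" in an ldapsearch -d 1
# trace; only the chain-trust codes relevant to this thread are listed.
VERIFY_ERRORS = {
    18: "server certificate is self-signed and not in the client trust store",
    19: "a self-signed CA in the chain is not in the client trust store",
    20: "issuer of the server certificate is not in the client trust store",
    21: "server certificate cannot be checked against any known issuer",
}
TRACE_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                      r"subject: (\S+), issuer: (\S+)")

def check_command(cmdline: str) -> List[str]:
    """Flag StartTLS (-Z/-ZZ) requested on a URI that is already ldaps://."""
    argv = shlex.split(cmdline)
    wants_starttls = any(a in ("-Z", "-ZZ") for a in argv)
    uses_ldaps = any(a.startswith("ldaps://") for a in argv)
    if wants_starttls and uses_ldaps:
        return ["-ZZ asks for StartTLS on a channel ldaps:// already encrypts; "
                "drop -ZZ or switch the URI to ldap://"]
    return []

def check_trace(trace: str) -> List[str]:
    """Explain each 'TLS certificate verification' failure line in the trace."""
    findings = []
    for depth, err, subject, issuer in TRACE_RE.findall(trace):
        reason = VERIFY_ERRORS.get(int(err), f"OpenSSL verify error {err}")
        note = f"depth {depth}: {reason}"
        if subject == issuer:
            # A cert naming itself as issuer is self-signed: the client has to
            # be told to trust it explicitly (TLS_CACERT in ldap.conf).
            note += "; subject equals issuer, so the server cert is self-signed"
        findings.append(note)
    return findings

# Constructed sample modelled on the thread; the hostname is a placeholder.
SAMPLE_CMD = ("ldapsearch -d 1 -x -b 'dc=example,dc=com' "
              "-H 'ldaps://ldaptest.example.com' -ZZ")
SAMPLE_TRACE = ("TLS trace: SSL_connect:SSLv3 read server hello A\n"
                "TLS certificate verification: depth: 0, err: 20, subject: "
                "/C=US/ST=IL/O=Focal/CN=ldaptest.example.com, issuer: "
                "/C=US/ST=IL/O=Focal/CN=ldaptest.example.com\n"
                "TLS trace: SSL3 alert write:fatal:unknown CA\n")

if __name__ == "__main__":
    print(*check_command(SAMPLE_CMD), *check_trace(SAMPLE_TRACE), sep="\n")
```

Feed it the real command line and the full `-d 1` output; a trace with no verification lines returns an empty list, which points the search back at transport or URI problems rather than the certificate.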