
Re: LDAP TLS/SSL Security problem



On Wed, 30 Jun 2004 sworden@focal.com wrote:

>
> /usr/local/bin/ldapsearch -d 1 -x -b "dc=********,dc=com" -H
> 'ldaps://ldaptest.*********.com' -ZZ

You are trying to use StartTLS on an already encrypted channel. For
details, see the following:

http://www.OpenLDAP.org/lists/openldap-software/200406/msg00454.html

Meanwhile, either drop the "-ZZ" from your ldapsearch command or
point ldapsearch to 'ldap://ldaptest.*********.com' (assuming that
slapd is listening there), and see if you get closer.

Also...

[snip]
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 0, err: 20, subject:
> /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.*********.com, issuer:
> /C=US/ST=IL/L=AH/O=Focal/OU=NMS/CN=ldaptest.************.com
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS trace: SSL3 alert write:fatal:unknown CA

...it appears that there may be something wrong with your server
certificate setup. Maybe review this FAQ:

http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185

...or this:

http://www.OpenLDAP.org/pub/ksoper/OpenLDAP_TLS_howto.html

> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Can't contact LDAP server (81)
>         additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

-- 
Kirk Turner-Rustin
Programmer/Analyst
Libraries and Information Services
Ohio Wesleyan University
http://www.owu.edu
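As an added example (not part of this thread or of OpenLDAP itself), a small Python diagnostic that applies the two checks made above to an ldapsearch command line and its -d 1 output: it flags -Z/-ZZ combined with an ldaps:// URI, and it parses the "TLS certificate verification" lines, mapping the OpenSSL verify code to its meaning. The sample trace, the hostname ldaptest.example.com and all function names are constructed for this example.

```python
import re

# OpenSSL X509 verify codes as printed in the "err:" field of libldap's
# "TLS certificate verification" debug line (values from x509_vfy.h).
VERIFY_ERRORS = {
    10: "certificate has expired",
    18: "self-signed certificate at depth 0, not in the trust store",
    19: "self-signed CA in chain is not trusted",
    20: "unable to get local issuer certificate: the issuing CA is not in "
        "TLS_CACERT (ldap.conf) / LDAPTLS_CACERT on the client",
    21: "unable to verify the first certificate: server sent an incomplete chain",
}

VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), "
                       r"subject: (\S+), issuer: (\S+)")

# Constructed sample of 'ldapsearch -d 1' output (unwrapped; the DNs contain
# no whitespace, which the regex above relies on).
SAMPLE_TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=IL/O=Example/CN=ldaptest.example.com, issuer: /C=US/ST=IL/O=Example/CN=ldaptest.example.com
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
"""

def check_command(argv):
    """Return a warning when StartTLS (-Z/-ZZ) is requested on an ldaps:// URI:
    the channel is already TLS, so the Start TLS extended operation cannot work."""
    uses_ldaps = any(a.startswith("ldaps://") for a in argv)
    wants_starttls = any(a in ("-Z", "-ZZ") for a in argv)
    if uses_ldaps and wants_starttls:
        return "StartTLS over ldaps://: drop -Z/-ZZ, or use ldap:// with -ZZ"
    return None

def diagnose_trace(trace):
    """Parse verification lines; return (depth, err, explanation) tuples."""
    findings = []
    for line in trace.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        depth, err, subject, issuer = int(m[1]), int(m[2]), m[3], m[4]
        why = VERIFY_ERRORS.get(err, "X509 verify error %d" % err)
        if depth == 0 and subject == issuer:
            why += "; subject and issuer DN are identical on the server cert"
        findings.append((depth, err, why))
    return findings

if __name__ == "__main__":
    print(check_command(["ldapsearch", "-x", "-H", "ldaps://ldaptest.example.com", "-ZZ"]))
    for depth, err, why in diagnose_trace(SAMPLE_TRACE):
        print("depth %d err %d: %s" % (depth, err, why))
```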