[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL3 alert read:warning:bad certificate

To: openldap-software@OpenLDAP.org
Subject: Re: SSL3 alert read:warning:bad certificate
From: Artur Kokoszka <kokoszka@ite.waw.pl>
Date: Mon, 26 Jul 2004 19:09:09 +0200
In-reply-to: <1090685370.21418.408.camel@localhost>
References: <412B45C9.1030101@ite.waw.pl> <1090685370.21418.408.camel@localhost>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4.1) Gecko/20031008

Tony Earnshaw wrote:

tir, 24.08.2004 kl. 15.42 skrev Artur Kokoszka:
[...]
When I use :
openssl s_server -accept 636 -cert /etc/ldap/ldapcert.pem -key /etc/ldap/ldapkey.pem
and then
openssl s_client -connect ldap.example.com:636 -showcerts -state -CAfile /etc/ldap/cacert.pem
All it's OK. There are no errors.
But when I start slapd with configuration:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/ldapkey.pem
TLSCACertificateFile /etc/ldap/cacert.pem
TLSVerifyClient 0                                             or never
There is a string:
SSL3 alert read:warning:bad certificate  - full listing below
Maybe it ok yet (I.'m not sure - ldapsearch with tls works good). But, when I try to authentificate users, it is not possible. All the time I've got massages that:

No client certificate CA names sent
[...]
Since properly made certificates work for me (on several sites) and 1000
others with the above parameters, we have to look somewhere else.
As what user are you running 'openssl s_client' and 'ldapsearch'? As
what user are you running slapd? What are the permissions on
/etc/ldap/cacert.pem and the two other certs?
--Tonni

Both s_server and slapd are run by root, and in both cases the client in run by a common user. The permissions are (the /etc/ldap directory is rx for all)

-rw-r--r--    1 root     root         1237 Jul 24 14:19 cacert.pem
-rw-r--r--    1 root     root          365 Jul 23 23:37 ldap.conf
-rw-r--r--    1 root     root         3593 Jul 24 14:56 ldapcert.pem
-r--------    1 root     root         1587 Jul 24 14:50 ldapkey.pem
-rw-------    1 root     root         3747 Jul 24 14:33 slapd.conf

Ldap client configuration is not valid in the case of s_client, but I put it below additionally.

The client configuration:

~/.ldaprc

BINDDN cn=admin,dc=example,dc=com
TLS_CACERT /etc/ldap/cacert.pem
TLS_CERT /home/artur/cert/newcert.pem
TLS_KEY /home/artur/cert/newreq.pem

ldap.conf

BASE    dc=example,dc=com
URI     ldaps://ldap.example.com
TLS_CACERT /etc/ldap/cacert.pem

Thanks for attention
Artur

Follow-Ups:
- Re: SSL3 alert read:warning:bad certificate
  - From: Tony Earnshaw <tonye@billy.demon.nl>

References:
- SSL3 alert read:warning:bad certificate
  - From: Artur Kokoszka <kokoszka@ite.waw.pl>
- Re: SSL3 alert read:warning:bad certificate
  - From: Tony Earnshaw <tonye@billy.demon.nl>

Prev by Date: sequence number in slurpd.replog
Next by Date: Re: slurpd setup
Index(es):
- Chronological
- Thread