[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL3 alert read:warning:bad certificate

Tony Earnshaw wrote:

tir, 24.08.2004 kl. 15.42 skrev Artur Kokoszka:

When I use :

openssl s_server -accept 636 -cert /etc/ldap/ldapcert.pem -key /etc/ldap/ldapkey.pem

and then

openssl s_client -connect ldap.example.com:636 -showcerts -state -CAfile /etc/ldap/cacert.pem

All it's OK. There are no errors.
But when I start slapd with configuration:

TLSCertificateFile /etc/ldap/ldapcert.pem
TLSCertificateKeyFile /etc/ldap/ldapkey.pem
TLSCACertificateFile /etc/ldap/cacert.pem
TLSVerifyClient 0                                             or never

There is a string:

SSL3 alert read:warning:bad certificate  - full listing below

Maybe it ok yet (I.'m not sure - ldapsearch with tls works good). But, when I try to authentificate users, it is not possible. All the time I've got massages that:

No client certificate CA names sent


Since properly made certificates work for me (on several sites) and 1000
others with the above parameters, we have to look somewhere else.

As what user are you running 'openssl s_client' and 'ldapsearch'? As
what user are you running slapd? What are the permissions on
/etc/ldap/cacert.pem and the two other certs?


Both s_server and slapd are run by root, and in both cases the client in run by a common user.
The permissions are (the /etc/ldap directory is rx for all)

-rw-r--r--    1 root     root         1237 Jul 24 14:19 cacert.pem
-rw-r--r--    1 root     root          365 Jul 23 23:37 ldap.conf
-rw-r--r--    1 root     root         3593 Jul 24 14:56 ldapcert.pem
-r--------    1 root     root         1587 Jul 24 14:50 ldapkey.pem
-rw-------    1 root     root         3747 Jul 24 14:33 slapd.conf

Ldap client configuration is not valid in the case of s_client, but I put it below additionally.

The client configuration:


BINDDN cn=admin,dc=example,dc=com
TLS_CACERT /etc/ldap/cacert.pem
TLS_CERT /home/artur/cert/newcert.pem
TLS_KEY /home/artur/cert/newreq.pem


BASE    dc=example,dc=com
URI     ldaps://ldap.example.com
TLS_CACERT /etc/ldap/cacert.pem

Thanks for attention