[Date Prev][Date Next] [Chronological] [Thread] [Top]

Newbie OpenLDAP/SSL/Certificates question

Dear you all,

I'm (desperately :)) trying to get my OpenLDAP up and running with SSL. I had 
some success so far, but I'm stuck now.

I've installed OpenLDAP,SSL,SASL,BDB successfuly. All work fine. OL recognizes 
SASL as well as SSL (well, I think so, but considering all the things I've 
done, it looks like everything is responding quite well). 

I've been able to "ldapsearch" on "ldaps://localhost", using TLSVerifyClient 
set to "never". I didn't check if the SSL flow is actually encrypted, but 
from what I read in the debug, everything looks fine.

Now, I want to set TLSVerifyClient to "demand" (so that the server is better 
protected). And, this doesn't work. After reading a (loooong) while, I 
figured out that my certificates are probably broken. Here's what they look 
like :

The client has :

        Issuer: C=AU, ST=Some-State, O=CA Company
            Not Before: Sep  9 13:19:53 2004 GMT
            Not After : Sep  9 13:19:53 2005 GMT
        Subject: C=AU, ST=Some-State, O=Client company, CN=localhost

And the server has :

        Issuer: C=AU, ST=Some-State, O=CA Company
            Not Before: Sep  9 13:19:26 2004 GMT
            Not After : Sep  9 13:19:26 2005 GMT
        Subject: C=AU, ST=Some-State, O=Server company, CN=localhost
        Subject Public Key Info:

They were both signed with the same CA (that CA was created with openssl's 
ca.sh script). As you can see, I use localhost as a CN. And that's what is 
scaring me a bit : most of the places I've read say : "Don't use localhost as 
CN", "use FQDN" (btw, what is the FQDN of an ldapserver running on localhost 
and meant to be available only on the localhost,). Unfortunately, my setup 
is :

slapd -f /home/stefan/Projects/server/openldap/etc/openldap/slapd.conf -d127 
-h "ldaps://localhost:8087"                   

ldapadd -H "ldaps://localhost:8087" -ZZ -D "cn=Manager,dc=love,dc=com" -f 
~/ldaptest -x -w Leon -d 1 

So as you can see everything runs in local (I'm just testing, so no IP, no 
DNS, no real CA, no conenction to any intra/internet). So, what is openldap 
requesting that is particular and that I don't know ? (or maybe it can't 
simply work this way ?)

Oh, by the way, the error I can read on the _server_ log is :

TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not 
return a certificate s3_srvr.c:1999

Of course, I understand that using certificates only for local prupose is 
pointless, except that I just want to learn...

Thank you for your patience,


(PS: I've read in this ml policy that one shouldn't post about SSL issues, but 
because I think my certificates are right, well, you know...)