Re: Newbie OpenLDAP/SSL/Certificates question
Thank you !
However
> > TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
> > return a certificate s3_srvr.c:1999
> >
> This is what any SSL-enabled server/client (http, LDAP, whatever) will
> return when the info requested has been sent *unencrypted*.
I think I had this because I set TLS_CERT / TLS_KEY in ldap.conf instead
of .ldaprc. Fixing that fixed my problems. So I think the error message can
also happen if the client simply doesn't have access to its key and cannot
complete the handshake. (but I may be wrong, just a newbie :))
Stefan
> tor, 09.09.2004 kl. 17.04 skrev Stefan Champailler:
> [...]
>
> > Oh, by the way, the error I can read on the _server_ log is :
> >
> > TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
> > return a certificate s3_srvr.c:1999
> >
> > Of course, I understand that using certificates only for local purpose is
> > pointless, except that I just want to learn...
>
> This is what any SSL-enabled server/client (http, LDAP, whatever) will
> return when the info requested has been sent *unencrypted*.
>
> > (PS: I've read in this ml policy that one shouldn't post about SSL
> > issues, but because I think my certificates are right, well, you know...)
>
> Nope. Read up on Openssl's s_server and s_client and use those for
> testing actual Openssl issues. s_client (always use the very latest
> Openssl.org release) is a wonderful tool for testing all SSL client
> stuff, including MTAs and IMAP servers - and, naturally ;) Openldap.
>
> --Tonni
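
The configuration placement discussed in this thread, as an added example that is not part of the original messages: ldap.conf(5) marks TLS_CERT and TLS_KEY as user-only options, so they are ignored in the system-wide ldap.conf and only take effect from a per-user file such as .ldaprc. The function name `check_ldap_tls`, its output labels and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an ldap.conf-style file for client-certificate settings.
# Scope "system" = system-wide ldap.conf; scope "user" = a per-user file (.ldaprc).
# Assumption: option values (file paths) contain no whitespace.

check_ldap_tls() {
    file=$1
    scope=$2
    [ -r "$file" ] || { echo "SKIP $file: not readable"; return 0; }
    # Option names are case-insensitive; skip comments and blank lines.
    awk 'NF >= 2 && $1 !~ /^#/ { print toupper($1), $2 }' "$file" |
    while read -r opt val; do
        case $opt in
        TLS_CERT|TLS_KEY)
            if [ "$scope" = system ]; then
                # User-only options are ignored here, so no client cert is sent.
                echo "IGNORED $opt in $file: user-only option, move it to .ldaprc"
            elif [ ! -r "$val" ]; then
                echo "UNREADABLE $opt=$val: client cannot present its certificate"
            else
                echo "OK $opt=$val"
            fi ;;
        esac
    done
}

# Constructed sample files (not taken from the thread).
demo_dir=$(mktemp -d)
: > "$demo_dir/client.pem"
: > "$demo_dir/client.key"
{
    echo "TLS_CACERT $demo_dir/ca.pem"
    echo "TLS_CERT $demo_dir/client.pem"
    echo "TLS_KEY $demo_dir/client.key"
} > "$demo_dir/ldap.conf"
{
    echo "# per-user settings"
    echo "tls_cert $demo_dir/client.pem"
    echo "TLS_KEY $demo_dir/missing.key"
} > "$demo_dir/ldaprc"

check_ldap_tls "$demo_dir/ldap.conf" system   # both options flagged as ignored
check_ldap_tls "$demo_dir/ldaprc" user        # cert OK, key path unreadable
```

Either finding leaves the client without a usable certificate and key, which a server that requests a client certificate logs as "peer did not return a certificate".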