
Trying to get TLS Working



Hi All,

Pardon my newbie-ness. I'm setting up my new OpenLDAP server to authenticate for Subversion and, eventually other things (postfix, Bricolage, RT, etc.). But right now I'm running into trouble getting TLS to work, both with the ldap clients and with mod_auth_ldap/mod_ldap. Here's an example:

% ldapsearch -x -b 'dc=example,dc=com' -D "cn=admin,dc=example,dc=com" \
-h ldap.example.com -w password -ZZ '(objectclass=*)'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


I set up my certificates according to the instructions on this handy page:

  http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

And my slapd.conf TLS section looks like this:

  # TLS options.
  TLSCipherSuite HIGH:MEDIUM:+SSLv2
  TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
  TLSCertificateFile /usr/local/etc/openldap/servercert.pem
  TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
  TLSVerifyClient never

And I'm starting up slapd like this:

    /usr/local/libexec/slapd -h "ldap:/// ldaps:/// ldapi:///"

Using non-TLS, things work fine. SSL seems to work fine, too:

% openssl s_client -connect localhost:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=Oregon/L=Portland/O=Kineticode, Inc./OU=Kineticode/CN=Kineticode CA/emailAddress=www@kineticode.com
verify return:1
depth=0 /C=US/ST=Oregon/L=Portland/O=Kineticode, Inc./OU=Kineticode/CN=Kineticode/emailAddress=www@kineticode.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=US/ST=Oregon/L=Portland/O=Kineticode, Inc./OU=Kineticode/CN=Kineticode/emailAddress=www@kineticode.com
i:/C=US/ST=Oregon/L=Portland/O=Kineticode, Inc./OU=Kineticode/CN=Kineticode CA/emailAddress=www@kineticode.com
1 s:/C=US/ST=Oregon/L=Portland/O=Kineticode, Inc./OU=Kineticode/CN=Kineticode CA/emailAddress=www@kineticode.com
i:/C=US/ST=Oregon/L=Portland/O=Kineticode, Inc./OU=Kineticode/CN=Kineticode CA/emailAddress=www@kineticode.com
---
Server certificate
subject=/C=US/ST=Oregon/L=Portland/O=Kineticode, Inc./OU=Kineticode/CN=Kineticode/emailAddress=www@kineticode.com
issuer=/C=US/ST=Oregon/L=Portland/O=Kineticode, Inc./OU=Kineticode/CN=Kineticode CA/emailAddress=www@kineticode.com
---
No client certificate CA names sent
---
SSL handshake has read 2097 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 67AD3F1B8377585EAED950FE1E036775921F2E00BC5BD86513F9D9EC041193B8
Session-ID-ctx:
Master-Key: 5358C7799C1244841A81B528BAC2ACC43E0990445AEB85B93439B51A8DCCCA24071E673BABCCD14F7406DF64AFBC4C21
Key-Arg : None
Start Time: 1096321244
Timeout : 300 (sec)
Verify return code: 0 (ok)
---


I've spent a lot of time Googling to try to figure this out, but haven't had much luck. Any kind suggestions would be greatly appreciated.

Regards,

David
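
For anyone debugging the same symptom: the s_client run above passes only because it was handed -CAfile, whereas ldapsearch trusts the CA named by TLS_CACERT in ldap.conf or ~/.ldaprc (TLSCACertificateFile in slapd.conf configures slapd alone), and it also compares the name given to -h against the server certificate. The script below is an added example, not from this post or from OpenLDAP, with every name and path constructed; it builds a throwaway CA and server certificate and runs the two client-side checks with openssl so the chain failure and a hostname mismatch can be told apart offline.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenLDAP project).
# Reproduces offline the situation in the post: a chain s_client accepts
# when given -CAfile, but that a client without the CA configured rejects
# with "certificate verify failed".  All names and paths are constructed.
set -e

# Build a throwaway CA plus a server certificate for HOST signed by it.
make_test_pki() {  # make_test_pki DIR HOST
  dir=$1; host=$2
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr"
    openssl x509 -req -days 1 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/cacert.pem"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.csr"
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/servercert.pem"
  } >/dev/null 2>&1
}

# The two checks a TLS client performs on the server certificate: chain
# to a trusted CA (CAFILE, or the default store when empty, which is what
# a client with no TLS_CACERT has) and name match against HOST.
# Exit status 0 means the client would accept the certificate.
cert_verifies() {  # cert_verifies CAFILE|"" CERT HOST
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$3" "$2" >/dev/null 2>&1
  fi
}

# One human-readable line per check.
report() {  # report LABEL CAFILE|"" CERT HOST
  if cert_verifies "$2" "$3" "$4"; then echo "$1: ok"
  else echo "$1: certificate verify failed"; fi
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK" ldap.example.com
report "no TLS_CACERT (default store)" "" "$WORK/servercert.pem" ldap.example.com
report "TLS_CACERT points at cacert.pem" "$WORK/cacert.pem" "$WORK/servercert.pem" ldap.example.com
report "CA trusted, but -h name differs" "$WORK/cacert.pem" "$WORK/servercert.pem" localhost
```

Only the second line reports ok; the first is the chain failure seen with ldapsearch -ZZ, the third is what a later hostname check reports when the name passed to -h is not the one in the certificate.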