
Re: LDAP and SSL



In response to questions by another list reader -

> 2: 'man s_server': do 'openssl s_server -accept 390 -cert
> /path/to/server-public-cert -key /path/to/server-private-key -CAfile
> /path/to/CA-cert www' and point a browser at https://yourserver:390 and
> see what the browser feeds back. Look at the different debug options for
> s_server;

(I posted the output of this to the openldap-software listserv already.)


> 3: 'man s_client': if that works, do 'openssl s_client -connect
> localhost:390'

Tested:
debian:/etc/ssl# openssl s_client -connect localhost:390
CONNECTED(00000003)
depth=0 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
  i:/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEwzCCBCygAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCVVMx
... blah blah ...
eT/41rpZUObT4uQfS/C44uHqteI5SB0=
-----END CERTIFICATE-----
subject=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
issuer=/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC
-Sx- Jones/OU=Open
Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org
---
No client certificate CA names sent
---
SSL handshake has read 1659 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
   Protocol  : TLSv1
   Cipher    : DHE-RSA-AES256-SHA
   Session-ID: 2FED925EDE9DD6093322187CC0AB0D99F66B9396A1189515EA5DCA5EB9755D59
   Session-ID-ctx:
   Master-Key:
2AFC0783F832D85C83848568C2063C7C64D5BF65EB42B46003C3C77504F37D40ADCE5E85338E3D59F86FB4002EB84A81
   Key-Arg   : None
   Start Time: 1101754395
   Timeout   : 300 (sec)
   Verify return code: 21 (unable to verify the first certificate)
---

This is where I am...


> The above two should indicate a. whether your certs are good, then check
> the perms on server-cert and server-key - can the slapd user read the
> path? Can *everyone* read the path to the CA-cert?

Yes, the CACert is publicly readable.

> Did you make the certs so that the Subject is the FQDN of your machine
> as given by 'hostname -f'?

I created the certs as best I could to match (hostname -f)
debian.insecurity.org -
publicly seen as 68.214.83.106 and privately seen as 192.168.2.2

-- 
WC -Sx- Jones
http://insecurity.org/
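The s_client transcript above already contains the answer to "are my certs good": at depth 0 the certificate's issuer DN equals its subject DN, so the server is presenting a self-signed certificate, and verify errors 20/21 mean the client was not given that certificate as a trust anchor (the `-CAfile` option mentioned earlier in the thread, or `TLS_CACERT` in the LDAP client's ldap.conf). The following parser is an added example written for this archive page, not code from the poster or from OpenLDAP/OpenSSL. It reads captured `openssl s_client` output, extracts the verify return code, the depth-0 subject/issuer pair, the negotiated cipher and the server key size, and checks the subject CN against the FQDN the server should be using. The sample text is constructed from the output in the post, with the mail-wrapped DN lines rejoined and the PEM body elided; function names, the 2048-bit key threshold (a present-day minimum, not something the 2004 post states) and the findings wording are this example's own choices.

```python
import re

# Constructed sample: the s_client output quoted in the post, with the
# mail-wrapped DN lines rejoined onto single lines and the PEM body elided.
DN = ("/C=US/ST=Florida/L=Jacksonville/O=Chasecreek Systemhouse/O=WC -Sx- Jones"
      "/OU=Open Source/CN=debian.insecurity.org/emailAddress=webmaster@insecurity.org")
SAMPLE_OUTPUT = f"""CONNECTED(00000003)
depth=0 {DN}
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 {DN}
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:{DN}
   i:{DN}
---
Server certificate
-----BEGIN CERTIFICATE-----
(PEM body elided in this constructed sample)
-----END CERTIFICATE-----
subject={DN}
issuer={DN}
---
No client certificate CA names sent
---
SSL handshake has read 1659 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
"""

# Line shapes produced by openssl s_client; the chain entry "N s:<dn>" is
# always followed by an indented "i:<dn>" line for the same certificate.
CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")
KEY_RE = re.compile(r"Server public key is (\d+) bit")
CIPHER_RE = re.compile(r"Cipher is (\S+)")
CN_RE = re.compile(r"/CN=([^/]+)")

MIN_KEY_BITS = 2048  # present-day minimum for RSA; assumption of this example


def parse_chain(text):
    """Return [{'depth', 'subject', 'issuer'}] for each chain entry in s_client output."""
    lines = text.splitlines()
    chain = []
    for idx, line in enumerate(lines):
        m = CHAIN_RE.match(line)
        if not m:
            continue
        issuer = None
        if idx + 1 < len(lines):
            mi = ISSUER_RE.match(lines[idx + 1])
            if mi:
                issuer = mi.group(1).strip()
        chain.append({"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": issuer})
    return chain


def subject_cn(dn):
    """Extract the CN attribute from a slash-separated OpenSSL DN, or None."""
    m = CN_RE.search(dn)
    return m.group(1) if m else None


def cn_matches(text, expected_fqdn):
    """True when the depth-0 certificate's CN equals the FQDN the server should use."""
    chain = parse_chain(text)
    return bool(chain) and subject_cn(chain[0]["subject"]) == expected_fqdn


def diagnose(text):
    """Summarise why verification failed and what the client side needs to fix it."""
    chain = parse_chain(text)
    mv, mk, mc = VERIFY_RE.search(text), KEY_RE.search(text), CIPHER_RE.search(text)
    code = int(mv.group(1)) if mv else None
    reason = mv.group(2) if mv else None
    key_bits = int(mk.group(1)) if mk else None
    cipher = mc.group(1) if mc else None
    # A leaf whose issuer DN equals its subject DN is self-signed: there is no
    # separate CA certificate to find, so the client must trust this cert itself.
    self_signed = bool(chain) and chain[0]["issuer"] == chain[0]["subject"]

    findings = []
    if code == 0:
        findings.append("chain verified against the supplied trust store")
    elif code in (18, 19, 20, 21) and self_signed:
        findings.append("self-signed server cert with no trust anchor on the client: "
                        "pass the cert with -CAfile (or TLS_CACERT in ldap.conf)")
    elif code in (20, 21):
        findings.append("leaf sent without its issuer: add the CA/intermediate on "
                        "the client or make the server send the full chain")
    elif code is not None:
        findings.append(f"verification failed with code {code}: {reason}")
    if key_bits is not None and key_bits < MIN_KEY_BITS:
        findings.append(f"{key_bits}-bit server key is below the {MIN_KEY_BITS}-bit minimum")
    return {"verify_code": code, "reason": reason, "self_signed": self_signed,
            "key_bits": key_bits, "cipher": cipher, "chain_len": len(chain),
            "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_OUTPUT)["findings"]:
        print("-", line)
    print("CN matches hostname -f:", cn_matches(SAMPLE_OUTPUT, "debian.insecurity.org"))
```

Run against the post's transcript it reports the self-signed leaf, the 1024-bit key, and that the CN does match `debian.insecurity.org`, which is why a retry with `-CAfile /path/to/that/server-cert` is the expected next step: the verify return code should then drop to 0 while the chain itself stays unchanged. The IP addresses the poster lists are irrelevant to this check; TLS hostname matching is done on the name in the certificate, not on the address the client connected to.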