
RE: ssl and openldap



1) I notice there are "\x"s in the cert; I'm not sure if "\x" is allowed in an SSL cert. Could you not use "\x"?
 
2) IIRC, if you are using a self-signed cert, the issuer of the server cert should not be:
 
issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
Vit\xF3ria/CN=FESV Certification Authority
Office/emailAddress=gustavo.rios@fesv.br
 
It should be identical to server cert's subject.
 
issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br

	-----Original Message----- 
	From: Gustavo Rios [mailto:vieira.rios@gmail.com] 
	Sent: Mon 1/10/2005 9:17 PM 
	To: Tay, Gary; openldap-software@openldap.org 
	Cc: 
	Subject: Re: ssl and openldap
	
	

	Here you have it:
	
	etosha$ openssl s_client -connect localhost:636 -showcerts -state
	-CAfile /var/ca1/crt/ca.crt
	CONNECTED(00000004)
	SSL_connect:before/connect initialization
	SSL_connect:SSLv2/v3 write client hello A
	SSL_connect:SSLv3 read server hello A
	depth=1 /C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	Vit\xF3ria/CN=FESV Certification Authority
	Office/emailAddress=gustavo.rios@fesv.br
	verify return:1
	depth=0 /C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
	verify return:1
	SSL_connect:SSLv3 read server certificate A
	SSL_connect:SSLv3 read server done A
	SSL_connect:SSLv3 write client key exchange A
	SSL_connect:SSLv3 write change cipher spec A
	SSL_connect:SSLv3 write finished A
	SSL_connect:SSLv3 flush data
	SSL_connect:SSLv3 read finished A
	---
	Certificate chain
	 0 s:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
	   i:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	Vit\xF3ria/CN=FESV Certification Authority
	Office/emailAddress=gustavo.rios@fesv.br
	 1 s:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	Vit\xF3ria/CN=FESV Certification Authority
	Office/emailAddress=gustavo.rios@fesv.br
	   i:/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	Vit\xF3ria/CN=FESV Certification Authority
	Office/emailAddress=gustavo.rios@fesv.br
	---
	Server certificate
	subject=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	Vit\xF3ria/CN=etosha.fesv.br/emailAddress=gustavo.rios@fesv.br
	issuer=/C=BR/ST=Esp\xEDrito Santo/L=Vit\xF3ria/O=Sociedade de Ensino
	Superior Est\xE1cio de S\xE1/OU=Faculdade Est\xE1cio de S\xE1
	Vit\xF3ria/CN=FESV Certification Authority
	Office/emailAddress=gustavo.rios@fesv.br
	---
	No client certificate CA names sent
	---
	SSL handshake has read 3161 bytes and written 468 bytes
	---
	New, TLSv1/SSLv3, Cipher is AES256-SHA
	Server public key is 2048 bit
	SSL-Session:
	    Protocol  : TLSv1
	    Cipher    : AES256-SHA
	    Session-ID: 99E32706AF5C998DDB52BB9CF2FD3EFB722D49ABA1E43B8C6DC46BC2A85DB181
	    Session-ID-ctx:
	    Master-Key:
	A2DF39188D95621A9E844FAD5DD77E7920199D9468A7E583FB2A447F0F7A0C893F5F59C5765B92C35F941A6CAF700847
	    Key-Arg   : None
	    Start Time: 1105362778
	    Timeout   : 300 (sec)
	    Verify return code: 0 (ok)
	---
	^C
	etosha$ ldapsearch -x -H ldaps://etosha.fesv.br
	ldap_bind: Can't contact LDAP server (-1)
	        additional info: error:0D0890A1:asn1 encoding
	routines:ASN1_verify:unknown message digest algorithm
	etosha$
	
	
	Any suggestion?
	
	On Mon, 10 Jan 2005 09:58:28 +0800, Tay, Gary <Gary_Tay@platts.com> wrote:
	> Hv u read this URL and done some local check?
	>
	> http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
	>
	> 6.1 SSL Connection Check
	> To check the SSL connection, try this command:
	>
	> % openssl s_client -connect localhost:636 -showcerts -state -CAfile <ca
	> cert>
	>
	> (Note: Replace <ca cert> with the name of yr ca cert file)
	>
	> For the above command, post any err seen to OpenLDAP MailList.
	>
	> Gary
	>
	> -----Original Message-----
	> From: owner-openldap-software@OpenLDAP.org
	> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Gustavo Rios
	> Sent: Monday, January 10, 2005 4:01 AM
	> To: openldap-software@OpenLDAP.org
	> Subject: ssl and openldap
	>
	> Hey list,
	>
	> since my last posts I have made progress with the Netscape browser (it's OK
	> now). Anyhow, let's forget about Apache and this matter and keep
	> focused on SSL and OpenLDAP.
	>
	> After having re-done my CA configuration I tried again to get SSL working
	> for OpenLDAP, but no success so far.
	>
	> Starting OpenLDAP (slapd -d 7) I had the following:
	>
	> ...
	> ...
	> TLS trace: SSL_accept:SSLv3 flush data
	> tls_read: want=5, got=5
	>  0000:  15 03 01 00 02                                     .....
	> tls_read: want=2, got=2
	>  0000:  02 33                                              .3
	> TLS trace: SSL3 alert read:fatal:decrypt error
	> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
	> TLS: can't accept.
	> TLS: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt
	> error /usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1052
	> connection_read(12): TLS accept error error=-1 id=1, closing
	> connection_closing: readying conn=1 sd=12 for close
	> connection_close: conn=1 sd=12
	>
	> The program I used to try connecting was ldapsearch; its output was:
	>
	> etosha$ ldapsearch -ZZ -x
	> ldap_start_tls: Connect error (-11)
	>        additional info: error:0D0890A1:asn1 encoding
	> routines:ASN1_verify:unknown message digest algorithm
	> etosha$
	>
	> Does anybody have any idea about what is going on?
	>
	> My slapd.conf is:
	>
	> TLSCACertificateFile    /var/ca1/crt/ca.crt
	> TLSCertificateFile      /var/ca1/crt/ldap.crt
	> TLSCertificateKeyFile   /var/ca1/pvt/ldap.key
	> TLSVerifyClient         never
	>
	> My ldap.conf is:
	> TLS_CACERT      /var/ca1/crt/ca.crt
	>
	> Thanks a lot for your time and cooperation.
	>
	> Best regards.
	>
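Added example, not code from the thread or from OpenLDAP: a minimal DER walker that pulls the signatureAlgorithm OID out of a certificate, the field `ASN1_verify` reports as `unknown message digest algorithm` when the digest is not registered in the linked OpenSSL, and flags digests that current libraries reject; decoding that field in the two PEM certificates from Gustavo's s_client output gives OID 1.2.840.113549.1.1.3, md4WithRSAEncryption, which is exactly the kind of digest that trips this error (an inference from the posted output, not something the thread states). `fake_cert` builds a constructed, certificate-shaped sample so the script runs offline; `pem_to_der` takes a real PEM block from `openssl s_client -showcerts` instead.

```python
import base64
# Known RSA signature-algorithm OIDs (PKCS #1) and the digest each one uses.
SIG_OIDS = {
    "1.2.840.113549.1.1.3": ("md4WithRSAEncryption", "MD4"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
}
WEAK_DIGESTS = {"MD2", "MD4", "MD5", "SHA-1"}  # unregistered or refused by modern TLS stacks

def read_tlv(buf, pos):  # parse one DER TLV at buf[pos] -> (tag, contents, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # DER OID contents -> dotted notation; the first byte packs two arcs
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):  # dotted OID of Certificate.signatureAlgorithm
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE { tbs, alg, sig }
    assert tag == 0x30, "not a SEQUENCE"
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return decode_oid(oid_raw)

def check_signature_digest(cert_der):  # -> (oid, algorithm name, digest, acceptable?)
    oid = signature_algorithm(cert_der)
    name, digest = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest, digest != "unknown" and digest not in WEAK_DIGESTS
def pem_to_der(pem):  # strip the -----BEGIN/END----- armour and base64-decode the body
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

# Constructed sample input (NOT a certificate from the thread): a certificate-shaped DER
# SEQUENCE with a dummy tbsCertificate and signature around a real AlgorithmIdentifier.
def der(tag, content):  # short-form DER TLV; enough for this small sample
    return bytes([tag, len(content)]) + content
def fake_cert(alg_id_hex):
    tbs, sig = der(0x30, der(0x02, b"\x01")), der(0x03, b"\x00" + b"\xAA" * 64)
    return der(0x30, tbs + bytes.fromhex(alg_id_hex) + sig)
MD4_ALG = "300d06092a864886f70d0101030500"     # md4WithRSAEncryption, NULL parameters
SHA256_ALG = "300d06092a864886f70d01010b0500"  # sha256WithRSAEncryption, NULL parameters
```

Run `check_signature_digest(pem_to_der(open("ldap.crt").read()))` on the server and CA certificates to see which digest each was signed with before blaming the TLS configuration.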