
SSL problem with self-compiled client



Hello,

I have a problem with my self-compiled LDAP client with SSL. Maybe it's a trivial problem, but I have no idea what's wrong in my configuration.

I installed LDAP on two Debian systems, created the certificates and called ldapsearch on the client machine like this:

ldapsearch -h 10.3.0.1 -b 'ou=CATX,dc=gdsys,dc=de' -x -Z

Everything seems to work fine, so I think that the certificates are right.

Now I compiled the client from source (openldap-2.2.23):

./configure --with-cyrus-sasl --with-ssl
make depend
make

But this client didn't work with SSL:

./clients/tools/ldapsearch -h 10.3.0.1 -b 'ou=CATX,dc=gdsys,dc=de' -x -Z
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Without -Z it's working fine. Any idea what's wrong?

Thanks - Dirk

-------------------------------------------

Some more debug messages:

Client:
-------
./clients/tools/ldapsearch -h 10.3.0.1 -b 'ou=CATX,dc=gdsys,dc=de' -x -Z -d1
ldap_create
ldap_url_parse_ext(ldap://10.3.0.1)
ldap_extended_operation_s
ldap_extended_operation
[...]
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=10.3.0.1, issuer: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=10.3.0.1
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
[...]

Server:
-------
slapd -d1
[...]
ldap_pvt_gethostbyname_a: host=virtualab, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({m) ber:
ber_get_next
ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS: can't accept.
TLS: A TLS fatal alert has been received.
(null):0
connection_read(11): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=11 for close
connection_close: conn=0 sd=11
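Added example, not part of the post or of OpenLDAP: a small Python parser for the "TLS certificate verification:" lines that OpenLDAP's client prints with -d1, run over the trace quoted above. It pulls out the chain depth, the OpenSSL verify error code, and whether the rejected certificate is self-issued (subject DN equals issuer DN), which tells you which certificate the client's trust store is missing. The error-code table is a hand-picked subset of OpenSSL's X509_V_ERR_* values and is an assumption taken from OpenSSL, not from this thread.

```python
import re

# Constructed sample: the client-side "-d1" trace lines quoted in the post above.
TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=10.3.0.1, issuer: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=10.3.0.1
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect.
"""
# Subset of OpenSSL's X509_V_ERR_* codes (taken from OpenSSL's x509_vfy.h, not from the post).
X509_ERRORS = {
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self-signed certificate at depth 0",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), "
    r"subject: (.+?), issuer: (.+)$"
)

def parse_tls_trace(text):
    """Return one dict per failed verification callback found in a -d1 client trace."""
    findings = []
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        depth, err, subject, issuer = m.groups()
        if int(err) == 0:
            continue  # the callback also fires for certificates that verified fine
        findings.append({
            "depth": int(depth),
            "err": int(err),
            "reason": X509_ERRORS.get(int(err), "unknown error"),
            "subject": subject,
            "issuer": issuer,
            # Subject == issuer: the rejected certificate is self-issued, so the
            # client's trust store (TLS_CACERT) must contain this very certificate.
            "self_issued": subject == issuer,
        })
    return findings

def fatal_alert(text):
    """Return the fatal alert the client sent (e.g. 'unknown CA'), or None."""
    m = re.search(r"alert write:fatal:(.+)$", text, re.M)
    return m.group(1).strip() if m else None
```

For the trace above the parser reports a single failure at depth 0 with error 20 on a self-issued certificate, so the copy of that certificate the client is verifying against is what is missing on the self-built client's side, not the server's key material.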