
Re-2: SSL problem with self-compiled client



> >so I think that the certificates are right. 
> 
> You should use OpenSSL s_client/s_server to confirm that
> the certificates are right.

I don't know much about SSL but for me it looks ok, see below.

But if I start slapd and call s_client it looks strange:

Server:
-------

slapd -d1  -h "ldaps:///"
[...]
ldap_pvt_gethostbyname_a: host=virtlab, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS certificate verification: depth: 0, err: -49, subject: -unknown-, issuer: -unknown-
TLS certificate verification: Error, Unknown error
connection_read(11): unable to get TLS client DN error=49 id=0


Client:
-------
pemds:~/win/cccd/trunk/sslkeys/ldap/tmp$ openssl s_client -host virtlab -port 636 -showcerts -state -CAfile cacert.p
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
[...]
---
Server certificate
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
---
No client certificate CA names sent
---
SSL handshake has read 1494 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C5FB5A8D6A802A83C94C2BC409FD191D2E930ED6B6619F02D6757CFA13CAB54A
    Session-ID-ctx: 
    Master-Key: A1CD989334CC17C51E4006ADBD392617869497DDDE9BEC2C280EECD6B219AAB6D811C70A09E03DBAB9C3BCE1B7BC982C
    Key-Arg   : None
    Start Time: 1114773853
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
SSL3 alert read:warning:bad certificate


Any idea what's wrong?

Thanks -

    Dirk



-----------------------


server-host> openssl s_server -cert slapd_cert.pem -key slapd_key.pem
client-host> openssl s_client -host virtlab -showcerts -state -CAfile cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
[...]
Server certificate
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
---
No client certificate CA names sent
---
SSL handshake has read 1238 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 14CD8B9414043AC68E56A9CE4FD114F36833F1461F5ECEBA6E48A0975AB50CA1
    Session-ID-ctx: 
    Master-Key: EC42374C9236E8C6D61C7D60FD96D92823BF00D368494AB2877866FE9F67F0DD58027849D317983619D36274EC2FD7AA
    Key-Arg   : None
    Start Time: 1114773372
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
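An added example, not from Dirk's post or from OpenLDAP: a small Python triage script that parses the s_client and slapd -d1 transcripts quoted above (embedded here as constructed sample input, trimmed) and summarises the points worth checking, such as the client-side verify return code against any alert the client received from the server.

```python
import re

# Constructed sample input: the slapd -d1 lines and the s_client transcript from the post, trimmed.
SAMPLE = """\
TLS certificate verification: depth: 0, err: -49, subject: -unknown-, issuer: -unknown-
connection_read(11): unable to get TLS client DN error=49 id=0
depth=1 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
verify return:1
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=virtlab.gdsys.de
No client certificate CA names sent
    Verify return code: 0 (ok)
SSL3 alert read:warning:bad certificate
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (/.*)$")          # chain element seen by the client
RETURN_RE = re.compile(r"^verify return:(\d+)$")        # per-element verify callback result
NAME_RE = re.compile(r"^(subject|issuer)=(/.*)$")       # "Server certificate" block
CODE_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)$")
ALERT_RE = re.compile(r"^SSL3 alert (read|write):(\w+):(.*)$")  # read = received from peer
SLAPD_RE = re.compile(r"^TLS certificate verification: depth: (\d+), err: (-?\d+)")

def parse_transcript(text):
    """Summarise chain depths, server names, verify code, alerts and slapd verify errors."""
    s = {"chain": [], "subject": None, "issuer": None, "verify_code": None,
         "alerts": [], "slapd_errors": [], "client_ca_names_sent": True}
    pending = None  # depth line waiting for its "verify return" line
    for line in text.splitlines():
        if m := DEPTH_RE.match(line):
            pending = (int(m.group(1)), m.group(2))
        elif (m := RETURN_RE.match(line)) and pending:
            s["chain"].append(pending + (int(m.group(1)),)); pending = None
        elif m := NAME_RE.match(line):
            s[m.group(1)] = m.group(2)
        elif m := CODE_RE.match(line):
            s["verify_code"] = int(m.group(1))
        elif m := ALERT_RE.match(line):
            s["alerts"].append((m.group(1), m.group(2), m.group(3)))
        elif m := SLAPD_RE.match(line):
            s["slapd_errors"].append((int(m.group(1)), int(m.group(2))))
        elif line.startswith("No client certificate CA names sent"):
            s["client_ca_names_sent"] = False
    return s

def findings(s):
    """Turn the summary into short triage notes for the operator."""
    notes = []
    if s["subject"] and s["subject"] == s["issuer"]:
        notes.append("server cert subject equals issuer DN (self-signed, or CA and server cert share a DN)")
    if s["verify_code"] == 0 and any(a[0] == "read" and a[2] == "bad certificate" for a in s["alerts"]):
        notes.append("client accepted the server chain but received a bad certificate alert: check the server log")
    notes += [f"slapd verification error {err} at depth {depth}" for depth, err in s["slapd_errors"]]
    return notes
```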