
RE: Problem verifying self signed certificate

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Sunday, September 04, 2005 7:51 PM
> To: Peter Marschall
> Cc: James Wilde; openldap-software@OpenLDAP.org
> Subject: Re: Problem verifying self signed certificate
>
> Of course, it is generally recommended that server certificates
> should be signed by a separate CA certificate.

The server certificate is separate from the CA certificate.  The only
problem appears to be that the CA certificate is self signed, which, as
you say, shouldn't be a problem for openldap.
> Excepting the actual configuration directives
> (see ldap.conf(5)), none of this is actually specific
> to OpenLDAP (as evident from the following):
>
> % openssl s_client -host ldap.openldap.org -port 636 > ! openldap.cert
> ...
> verify error:num=18:self signed certificate
> verify return:1
> ...
> [CTRL-D]
> % openssl s_client -host ldap.openldap.org -port 636 -CAfile openldap.cert
> ...
>    Verify return code: 0 (ok)
> [CTRL-D]


[root@log1 certs]# openssl s_client -connect localhost:4433 -showcerts
-state -CAfile /usr/share/ssl/certs/cacert.pem
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
Certificate Authority/emailAddress=inoc@glocalnet.com
verify return:1
depth=0 /C=SE/L=Stockholm/O=Glocalnet
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data


Server certificate
issuer=/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
Certificate Authority/emailAddress=inoc@glocalnet.com
No client certificate CA names sent


...indicates that openssl is working okay and that there is no problem
with either the CA certificate or the server certificate.

That leaves incorrect configuration of OpenLDAP (server and/or client)
on log1 - admittedly the bet that the heavy money is on - or incorrect
handling of TLS by OpenLDAP.  So this is specific to OpenLDAP.
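The two situations discussed in this thread (a server certificate that is itself self-signed, versus a server certificate signed by a separate self-signed CA that the client has or has not been told to trust) can be reproduced offline with openssl alone. The script below is an added example, not something posted in the thread; the CA name, the host name ldap.example.test and the temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example: a throwaway self-signed CA, a server cert signed by
# it, and a directly self-signed server cert, each checked with openssl verify.
# All names (Example Test CA, ldap.example.test) are made up for this demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed CA certificate (the "separate CA" case from the thread).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=SE/O=Example/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server key + CSR, signed by that CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=SE/O=Example/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null

# 3. A server certificate that is itself self-signed (the num=18 case).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=SE/O=Example/CN=ldap.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# Prints "ok" when the chain verifies, otherwise the X509 verify error
# number (the same number s_client reports as "verify error:num=NN").
verify_code() {
    out=$(openssl verify "$@" 2>&1) && { echo ok; return 0; }
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Server cert with the self-signed CA supplied as trust anchor (-CAfile): ok.
check_server_against_ca() { verify_code -CAfile "$WORK/ca.pem" "$WORK/server.pem"; }

# Same CA presented only as an untrusted chain member, not as an anchor:
# error 19 (self signed certificate in certificate chain).
check_server_with_untrusted_ca() { verify_code -untrusted "$WORK/ca.pem" "$WORK/server.pem"; }

# Leaf that is itself self-signed and not trusted: error 18 (self signed certificate).
check_selfsigned_leaf() { verify_code "$WORK/self.pem"; }

echo "server cert via trusted CA:  $(check_server_against_ca)"
echo "server cert, CA untrusted:   $(check_server_with_untrusted_ca)"
echo "self-signed server cert:     $(check_selfsigned_leaf)"
```

The middle case is the one to look for when a client reports a verify failure even though the CA file looks fine: the CA is being seen in the chain but has not been loaded as a trust anchor, which in OpenLDAP terms means checking the TLS_CACERT / TLSCACertificateFile settings rather than the certificates themselves.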