
error: unable to get TLS client DN



I work with a self-signed cert, connecting my client to the
server (Debian package of slapd 2.2.26-5), both on my local
computer. When the client does the start_tls it gets an internal
server error. Running with debugging I see the error:

=============================
[...]
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
  0000:  01                                                 .
tls_read: want=5, got=5
  0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48
  0000:  60 f8 fd 78 74 94 1a 2f  fe bb 16 d8 cb dc 5a 94   `..xt../......Z.
  0010:  2c 18 43 e6 35 4e 62 a7  0a 36 02 37 9c e8 18 7d   ,.C.5Nb..6.7...}
  0020:  a8 6f d6 56 ca 5c a0 a5  d3 5e a4 ef 94 42 0b 26   .o.V.\...^...B.&
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
tls_write: want=59, written=59
  0000:  14 03 01 00 01 01 16 03  01 00 30 b8 76 bf 6d 21   ..........0.v.m!
  0010:  9a c3 a3 81 ea 11 db db  97 66 db aa 5d d2 a0 63   .........f..]..c
  0020:  90 27 e7 e7 2b b0 d6 04  53 74 44 0a 59 73 af c6   .'..+...StD.Ys..
  0030:  9d 5a 6d 2b 38 1b 24 ed  0e b9 4b                  .Zm+8.$...K
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=0
[...]
=========================

The cert gets created with 
======================
# Self-signed cert and its unencrypted (-nodes) key are both written to
# the same PEM file; the redirect hides openssl's own error output.
openssl req -new -x509 -nodes \
      -config /etc/ldap/ssl/slapd-cert.cnf \
      -out    /etc/ldap/ssl/slapd.pem \
      -keyout /etc/ldap/ssl/slapd.pem > /dev/null 2>&1 \
  || echo "Problems running openssl"
=======================

and the /etc/ldap/ssl/slapd-cert.cnf looks like this:
==================
RANDOM=/dev/random

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=NO
ST=NA
L=Skolen
O=Ldap server
OU=Automatically-generated Ldap SSL key
CN=ldap
emailAddress=postmaster@ldap.intern


[ cert_type ]
nsCertType = server
====================

In my /etc/hosts I have
================
127.0.0.1	timotheus localhost ldap.intern ldap
=================
so that the CN resolves.

My slapd.conf looks like this:

==========================
allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/courier.schema
include         /etc/ldap/schema/automount.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/lis.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses
schemacheck on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile    /var/run/slapd.pid

# Read slapd.conf(5) for possible values
loglevel 0

# TLS/SSL
TLSCipherSuite          HIGH:MEDIUM:SSLv2
TLSCACertificateFile    /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile   /etc/ldap/ssl/slapd.pem
TLSCertificateFile      /etc/ldap/ssl/slapd.pem

modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_monitor

defaultsearchbase "dc=skole,dc=skolelinux,dc=no"
idletimeout 60
security update_ssf=128  simple_bind=128

backend bdb
backend monitor

[...]
=========================

and some other stuff that is most likely insignificant
(database definitions and ACLs).

Please help me to get this running again.
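The hex dumps in the trace above, decoded as TLS records. This is an added example, not part of the original post and not OpenLDAP or OpenSSL code; it takes the tls_read/tls_write lines copied from the trace (embedded here as a constructed sample) and reassembles each direction into records, so you can see that what slapd read is the client's ChangeCipherSpec followed by its encrypted Finished, and what slapd wrote back is its own pair, i.e. the handshake had completed before "unable to get TLS client DN" was logged. All function and constant names are my own.

```python
"""Decode the TLS records shown in an OpenLDAP `slapd -d` tls_read/tls_write trace.

Added helper for this page (not OpenLDAP or OpenSSL code); all names are my own.
"""
import re
from collections import defaultdict

# TLS record content types and version bytes (RFC 2246, section 6.2.1).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# Handshake message types; readable only while the record layer is still in the clear.
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}

CHUNK_RE = re.compile(r"^tls_(read|write):")          # "tls_read: want=5, got=5"
DUMP_RE = re.compile(r"^\s*[0-9a-f]{4}:\s+(.*)$")     # "  0000:  14 03 01 00 01   ....."

# Constructed sample: the dump lines copied from the slapd -d trace in the post above.
SAMPLE_TRACE = r"""
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
  0000:  01                                                 .
tls_read: want=5, got=5
  0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48
  0000:  60 f8 fd 78 74 94 1a 2f  fe bb 16 d8 cb dc 5a 94   `..xt../......Z.
  0010:  2c 18 43 e6 35 4e 62 a7  0a 36 02 37 9c e8 18 7d   ,.C.5Nb..6.7...}
  0020:  a8 6f d6 56 ca 5c a0 a5  d3 5e a4 ef 94 42 0b 26   .o.V.\...^...B.&
TLS trace: SSL_accept:SSLv3 read finished A
tls_write: want=59, written=59
  0000:  14 03 01 00 01 01 16 03  01 00 30 b8 76 bf 6d 21   ..........0.v.m!
  0010:  9a c3 a3 81 ea 11 db db  97 66 db aa 5d d2 a0 63   .........f..]..c
  0020:  90 27 e7 e7 2b b0 d6 04  53 74 44 0a 59 73 af c6   .'..+...StD.Ys..
  0030:  9d 5a 6d 2b 38 1b 24 ed  0e b9 4b                  .Zm+8.$...K
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=0
"""


def parse_trace(text):
    """Reassemble the bytes slapd read and wrote into one byte stream per direction."""
    streams = defaultdict(bytearray)
    direction = None
    for line in text.splitlines():
        m = CHUNK_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = DUMP_RE.match(line)
        if m and direction:
            for tok in m.group(1).split()[:16]:      # a dump row holds at most 16 bytes
                if not re.fullmatch(r"[0-9a-f]{2}", tok):
                    break                            # reached the ASCII column
                streams[direction].append(int(tok, 16))
    return {k: bytes(v) for k, v in streams.items()}


def parse_records(stream):
    """Split one direction's byte stream into TLS records and label each of them."""
    records, pos, encrypted, finished_seen = [], 0, False, False
    while pos + 5 <= len(stream):
        ctype, major, minor = stream[pos], stream[pos + 1], stream[pos + 2]
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        body = stream[pos + 5:pos + 5 + length]
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
               "length": length, "encrypted": encrypted, "note": ""}
        if len(body) < length:
            rec["note"] = "truncated: only %d of %d body bytes in the dump" % (len(body), length)
            records.append(rec)
            break
        if encrypted:
            # After ChangeCipherSpec the first Handshake record is the encrypted Finished.
            rec["note"] = "encrypted Finished" if ctype == 22 and not finished_seen else "encrypted"
            finished_seen = finished_seen or ctype == 22
        elif ctype == 22 and body:
            rec["note"] = HANDSHAKE_TYPES.get(body[0], "handshake type %d" % body[0])
        elif ctype == 20:
            rec["note"] = "switch to the negotiated cipher"
            encrypted = True
        records.append(rec)
        pos += 5 + length
    return records


def summarize(text):
    """One line per record, per direction, for a quick read of a trace."""
    out = {}
    for direction, stream in parse_trace(text).items():
        out[direction] = ["%s %s len=%d%s" % (r["type"], r["version"], r["length"],
                                               " (%s)" % r["note"] if r["note"] else "")
                          for r in parse_records(stream)]
    return out


if __name__ == "__main__":
    for direction, lines in summarize(SAMPLE_TRACE).items():
        print("slapd %s:" % direction)
        for line in lines:
            print("   ", line)
```

Two things worth noticing in the decoded output: the record version bytes are 03 01, i.e. TLS 1.0, even though the SSL_accept state names in the trace say "SSLv3" (those come from OpenSSL's state machine, which is shared between SSLv3 and TLSv1), and both directions end with an encrypted Finished before the "flush data" line, so the error that follows is logged after the handshake completed, not as part of a handshake failure.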
