
OpenLDAP FC5 openssl error when validating self-signed cert



Hi, I'm new to OpenLDAP. I was following some of the docs on the openldap.org site, but I'm stuck. The docs/links which I read (+ others) are:

OpenLDAP Server With Server-Side SSL/TLS and Client Authentication
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html (esp. #4)

OpenLDAP FAQ-O-Matic: How do I use TLS/SSL
http://www.openldap.org/faq/data/cache/185.html

OpenLDAP Software 2.3 Administrator's Guide: Using TLS
http://www.openldap.org/doc/admin23/tls.html

So, following the first link, I created the self-signed certificate on my FC5 server. Afterwards, I wanted to test it using openssl (as stated in steps 4 and 6). Yet I'm getting the following error:

[root@ openldap]# openssl s_client -connect :636 -showcerts -state -CAfile certs/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=/L=/O=,/OU=IT Department/CN=/emailAddress=
verify return:1
depth=0 /C=US/ST=/L=/O=,/OU=IT Department/CN=/emailAddress=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
11422:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
11422:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Here is the slapd.conf on the server:

---------------------- start ----------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/redhat/autofs.schema

pidfile /var/lib/ldap/slapd.pid
argsfile /var/lib/ldap/slapd.args

TLSCipherSuite HIGH:MEDIUM:!LOW:+TLSv1:+SSLv3:+SSLv2
TLSCACertificateFile /etc/openldap/certs/cacert.pem
TLSCertificateFile /etc/openldap/certs/servercrt.pem
TLSCertificateKeyFile /etc/openldap/certs/serverkey.pem
TLSVerifyClient demand

--- some access lines not included ---

suffix "dc=,dc=com"
rootdn "cn=manager,dc=,dc=com"
rootpw {SSHA}BWngyl8Z3XJP3h/cnTmSwnvV8HYkCp+l
password-crypt-salt-format "$1$%.8s"
password-hash {CRYPT}
directory /var/lib/ldap
mode 0600
cachesize 2000
dbcachesize 100000

--- couple of indexes ----
------------------------------ EOF ------------------------------

The following is what I have tried, yet I'm still getting the same error on the FC5:

- Creating the self-signed cert directly on the FC5 server
- Creating the newreq on the FC5, then signing it on a RH7.3 for the newcert.pem
- Creating the newreq and signing it on the same RH7.3 to get the newcert.pem (I've copied the cacert.pem from the signing server to the FC5 server in such a case also)

Can someone help me with this? If I run the same openssl command against a RH7.3 server, I don't get this error.

I'm trying to install and use OpenLDAP with TLS/SSL, where I have a combination of LDAP servers (master/slave) on FC5 and RH7.3. In such a case, in /etc/openldap/ldap.conf and /etc/ldap.conf, should I be using HOST or URI? If I use URI, should I specify ldap:// or ldaps://?

Thanks in advance,
Steven
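The slapd.conf above sets TLSVerifyClient demand, which makes slapd require a client certificate, while the s_client command in the post passes -CAfile but no -cert/-key. The script below is an added example, not part of the original post or of OpenLDAP: it reproduces that situation locally with openssl s_server -Verify standing in for slapd, probing once without and once with a client certificate. The port (4443), the 127.0.0.1 address, the file names and the throwaway CA/server/client certificates it generates are all assumptions made for the demo. It forces TLS 1.2 on the client so the server answers a missing certificate with the same handshake_failure alert (number 40) seen in the post; a TLS 1.3 server would send "certificate required" instead.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "alert number 40"
# handshake failure locally. "openssl s_server -Verify" plays the role of slapd
# with "TLSVerifyClient demand": the server REQUIRES a client certificate.
# Port, address, file names and the certificates are assumptions for this demo.

PORT=${PORT:-4443}
WORK=$(mktemp -d)
SERVER_PID=
trap 'stop_server; rm -rf "$WORK"' EXIT

# Throwaway CA plus a server and a client certificate, both signed by that CA.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
      -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null || return 1
  for role in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$role" \
        -keyout "$WORK/$role.key" -out "$WORK/$role.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/$role.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/$role.pem" 2>/dev/null || return 1
  done
}

# Same probe as in the post (-CAfile, -showcerts) plus any extra arguments.
# $1 is the output file. Returns s_client's exit status: 0 only when the
# handshake completed. -tls1_2: a TLS 1.2 server answers a missing client
# cert with handshake_failure (alert 40) like the SSLv3/TLSv1 servers of 2006.
probe() {
  out=$1; shift
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 \
      -CAfile "$WORK/cacert.pem" -showcerts "$@" </dev/null >"$out" 2>&1
}

# -Verify (capital V) = request AND require a client cert, like
# "TLSVerifyClient demand"; -verify would only request one ("allow"/"try").
start_server() {
  openssl s_server -accept "$PORT" -www -Verify 1 \
      -cert "$WORK/server.pem" -key "$WORK/server.key" \
      -CAfile "$WORK/cacert.pem" </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  # Ready once a fully authenticated handshake goes through.
  for i in 1 2 3 4 5 6 7 8 9 10; do
    if probe "$WORK/ready.txt" -cert "$WORK/client.pem" -key "$WORK/client.key"; then
      return 0
    fi
    sleep 1
  done
  return 1
}

stop_server() {
  if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null; fi
  SERVER_PID=
}

# Runs both probes once and records the exit codes in NO_CERT_RC / WITH_CERT_RC.
run_demo() {
  if [ -n "${NO_CERT_RC:-}" ]; then return 0; fi   # already run
  make_certs && start_server || return 1
  # 1) what the post does: no -cert/-key, so the client sends an empty
  #    Certificate message and the server aborts the handshake.
  NO_CERT_RC=0
  probe "$WORK/nocert.txt" || NO_CERT_RC=$?
  # 2) the same probe presenting a client certificate signed by the CA.
  WITH_CERT_RC=0
  probe "$WORK/cert.txt" -cert "$WORK/client.pem" -key "$WORK/client.key" || WITH_CERT_RC=$?
  NO_CERT_ALERT=$(grep -o 'alert handshake failure' "$WORK/nocert.txt" | head -n 1)
  echo "without client cert: exit $NO_CERT_RC ${NO_CERT_ALERT:+($NO_CERT_ALERT)}"
  echo "with client cert:    exit $WITH_CERT_RC"
  stop_server
}

run_demo
```

The first probe reproduces the post's transcript (server certificate verified, then a fatal handshake_failure alert after the client's empty Certificate message); the second completes. Against a real slapd the equivalent check is the same s_client command with -cert and -key pointing at a client certificate issued by the CA named in TLSCACertificateFile.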