
TLS problem



Hi:

I am trying to set up TLS/SSL on my ldap server.  I am using openldap
version 2.3.20.  I have used the openssl library 'mini ca' functions to
create a CA root certificate which I then used to create and sign the
server certificate.  The slapd.conf file has these settings:

TLSCipherSuite          HIGH:MEDIUM
TLSCetificateFile       /usr/local/etc/openldap/server.cert
TLSCertificateKeyFile   /usr/local/etc/openldap/server.key
TLSCACertificateFile    /usr/local/etc/openldap/cacert/cacert.pem
TLSVerifyClient         never

and the ldap.conf file has these settings:

TLS_CACERT      /usr/local/etc/openldap/cacert/cacert.pem
TLS_REQCERT     never

I am just doing a simple bind (no SASL).  I run the slapd with the -d 255
option, and this is what I see when I try an ldap search:
.....
TLS trace: SSL alert read: fatal:unknown CA
TLS trace: SSL_accept: failed in SSLv3 read client certificate A
TLS:  can't accept
TLS  error: 14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1052
...

At the client side, I see this:

'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

Is the problem the root CA certificate?  Why is the CA unknown?  Doesn't
the "TLSCACertificateFile" directive tell slapd which CAs to trust?  What
am I missing?

Thanks in advance
Dennis
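The errors quoted above ("unknown CA" on the server side, "certificate verify failed" on the client side) are what a peer reports when the certificate it received does not chain to any CA it has been told to trust. Before touching slapd.conf or ldap.conf, the first thing to check is whether server.cert actually verifies against cacert.pem on disk. The script below is an added example, not part of the original post and not OpenLDAP's own tooling: it builds a throw-away CA and a server certificate in a temporary directory with the openssl CLI (assumed to be installed), then runs the same chain check that libldap performs, once against the issuing CA and once against an unrelated CA to show what the "unknown CA" case looks like. All names, paths and the CN ldap.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a throw-away CA and
# server certificate, then verify the chain the way slapd/libldap will.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed CA certificate and key (assumes openssl CLI)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_server_cert DIR CA_NAME: server key + CSR, signed by the named CA
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=ldap.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
    -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/server.cert" >/dev/null 2>&1
}

# check_chain CA_FILE CERT_FILE: returns 0 when CERT_FILE chains to CA_FILE,
# 1 otherwise. This is the check to run on the real cacert.pem/server.cert
# pair named in slapd.conf and ldap.conf.
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# issuer_matches CA_FILE CERT_FILE: returns 0 when the certificate's issuer
# equals the CA's subject; a mismatch is the usual reason a chain check fails.
issuer_matches() {
  ca_subj=$(openssl x509 -noout -subject -in "$1")
  cert_iss=$(openssl x509 -noout -issuer -in "$2")
  [ "${ca_subj#subject=}" = "${cert_iss#issuer=}" ]
}

# Demo: server.cert is signed by goodca, so it verifies against goodca.pem
# but not against otherca.pem (the "unknown CA" situation).
make_ca "$WORK" goodca
make_ca "$WORK" otherca
make_server_cert "$WORK" goodca

if check_chain "$WORK/goodca.pem" "$WORK/server.cert"; then
  echo "server.cert chains to goodca.pem: OK"
fi
if check_chain "$WORK/otherca.pem" "$WORK/server.cert"; then
  echo "unexpected: server.cert verified against otherca.pem"
else
  echo "server.cert does not chain to otherca.pem: this peer would report unknown CA"
fi
```

To apply this to the real files, run the chain check with the paths from the config, e.g. `check_chain /usr/local/etc/openldap/cacert/cacert.pem /usr/local/etc/openldap/server.cert`, and compare the issuer of server.cert with the subject of cacert.pem; if either check fails, the CA file slapd and the client are pointed at is not the one that signed the server certificate.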