
RE: FW: Problem in configuring SSL with openldap



Hi Sadique, 

The problem is resolved now. Actually the root certificate created was
not valid until 17th Oct 10.00 PM. That is why I was facing the issue.
But I think, ideally, the certificate created should be valid from the
time of creation itself.

Regards,
Monica Rana


-----Original Message-----
From: Sadique Puthen [mailto:xenguy@gmail.com] 
Sent: Wednesday, October 18, 2006 12:31 PM
To: Monica_Rana; openldap-software@openldap.org
Subject: Re: FW: Problem in configuring SSL with openldap

This looks like a problem in the way you created the CA, key and
certificate. Can you please explain how you created them? That would be
helpful.

Regards,
Sadique

Monica_Rana wrote:
> Hi All,
>
> I have successfully installed and built openLDAP and openSSL.
> Now I need to configure SSL.
> I have followed the link
> http://www.proscrutiny.com/howtos/OpenLDAP.html#confssl-co.
>
> These are the settings in my "slapd.conf"
>
> TLSCipherSuite HIGH:MEDIUM
> TLSCertificateFile /usr/local/etc/openldap/certs/newcert.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/certs/privkey.pem
> TLSCACertificateFile /usr/local/ssl/misc/demoCA/cacert.pem
> TLSCACertificatePath /usr/local/ssl/misc/demoCA
> #TLSRandFile <filename>
> #TLSVerifyClient 0
> -----------------------------------------------------------------------------
>
> These are the settings in my "ldap.conf"
> # See ldap.conf(5) for details
> # This file should be world readable but not world wr
>
> HOST    10.152.72.5
> BASE    dc=ad,dc=infosys,dc=com
> URI     ldap://10.152.72.5 ldap://10.152.72.5:389
> BINDDN  "cn=Manager,dc=ad,dc=infosys,dc=com"
>
> SIZELIMIT       12
> TIMELIMIT       25
> #DEREF          never
> TLS_CACERT /usr/local/ssl/misc/demoCA/cacert.pem
> ~
>
> When I run the command "./slapd -h 'ldap://10.152.72.5:389/ 
> ldaps://10.152.72.5:636/' -d 255 ", and try to connect to the SSL 
> port, I get the following error messages.
>
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5, got=5
>   0000:  15 03 01 00 02                                     .....
> tls_read: want=2, got=2
>   0000:  02 30                                              .0
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057
> connection_read(12): TLS accept failure error=-1 id=3, closing
> connection_closing: readying conn=3 sd=12 for close
> connection_close: conn=3 sd=12
> daemon: removing 12
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: select: listen=8 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: waked
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: select: listen=8 active_threads=0 tvp=NULL
>
> Could you please suggest what the probable reason for this is? Have I
> configured something incorrectly? Earlier I had tried with a different
> CA, but the issue was there. That's why I created the Demo
> Certification Authority (using openssl). But the issue persists.
>
> Regards,
> Monica Rana
>
>
>
> -----Original Message-----
> From: Sameer N Ingole [mailto:strike@proscrutiny.com]
> Sent: Thursday, October 12, 2006 6:03 PM
> To: Monica_Rana
> Subject: Re: Problem in configuring SSL with openldap
>
> Hi Monica,
>
> Replying off list because this is more of a Solaris/OpenSSL issue.
> Please ignore my last mail, it was obscure.
>
> If you are referring to Openssl installation, you may want to take a
> look at this: http://www.sunfreeware.com/openssh8.html
>
> Else download OpenSSL from:
> ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/openssl-0.9.8d-sol8-sparc-local.gz
>
>
>
> If you are referring to OpenSSL source installation (downloaded from
> openssl.org) then there are a few things to note:
>    * Sun does not ship include libraries (for Solaris 9, I guess).
>    * You would want to compile the shared version of the libraries; it
>      defaults to static.
>    * By default it is compiled gnu-shared, and for Solaris you need to
>      specify solaris-shared instead of gnu-shared.
>
> So generally you would do this:
> edit Configure script - find solaris-x86-gcc or solaris-sparcv9-gcc 
> etc as suitable
>    *  Change "gnu-shared" to "solaris-shared".
>    * add "-R/usr/local/ssl/lib " just before "-lsocket"
>
> So now your configure command would look something like..
>
> ./Configure solaris-x86-gcc shared
>
>
> Some of the above things might be inconsistent, as the last time I worked
> on Solaris was 11 months back.
>
> Regards,
>
> Sameer Ingole.
> http://weblogic.noroot.org/gallery2/
>
> Monica_Rana wrote:
>   
>> Hi Sameer,
>>
>> I have followed the below mentioned steps:
>> 1.  $ ./config
>> 2.  $ make
>> 3.  $ make test
>> 4.  $ make install.
>>
>> All the options ran without any errors.
>> Do I need to do anything extra?
>>
>> Regards,
>> Monica Rana
>>
>> -----Original Message-----
>> From: Sameer N Ingole [mailto:strike@proscrutiny.com]
>> Sent: Thursday, October 12, 2006 2:34 PM
>> To: openldap-software@openldap.org
>> Cc: Monica_Rana
>> Subject: Re: Problem in configuring SSL with openldap
>>
>> Did you custom compile Openssl?
>> Did you install development libraries for Openssl?
>>
>> I suspect absence of development libraries is causing this problem.
>> Also read http://www.columbia.edu/~ariel/ssleay/rsaref.html
>>
>> Regards,
>>
>> Sameer Ingole.
>> http://weblogic.noroot.org/gallery2/
>>  
>>     
> <snip>
>   
>>> -----Original Message-----
>>> From: Phillip [mailto:phuang@plasmon.cn]
>>> Sent: Thursday, October 12, 2006 1:07 PM
>>> To: Monica_Rana
>>> Cc: openldap-software@openldap.org
>>> Subject: Re: Problem in configuring SSL with openldap
>>>
>>> Monica,
>>>
>>> Maybe you've made a mistake in setting "env"; just try:
>>>
>>> env CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/local/db4/include" \
>>>     LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/db4/lib" \
>>>     ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
>>>
>>> You'd better verify the "include" and "lib" path for SSL and DB.
>>>
>>> Regards,
>>> Phillip
>>>
>>>
>>>
>>>
>>>
>>> On Thu, 2006-10-12 at 12:18 +0530, Monica_Rana wrote:
>>>
>>>    
>>>       
>>>> Hi All,
>>>>
>>>> I have the following installed on solaris 8.
>>>> openLDAP 2.3.27
>>>> openSSL 0.9.8b.
>>>>
>>>> When I try to configure using the command
>>>>
>>>> env CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl -I/usr/local/include/db4" \
>>>>     LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4" \
>>>>     ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
>>>>
>>>> it throws the error
>>>>
>>>> checking for openssl/ssl.h... yes
>>>> checking for SSL_library_init in -lssl... no
>>>> checking for ssl3_accept in -lssl... no
>>>> checking OpenSSL library version (CRL checking capability)... yes
>>>> configure: error: Could not locate TLS/SSL package.
>>>>
>>>> Please let me know what could be the possible reason behind this. PFA the
>>>> config.log file.
>>>>
>>>> Regards,
>>>> Monica Rana
>>>>   
>>>>         
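The two causes discussed in this thread, a CA the client does not trust and a CA certificate whose validity period has not started yet on the client's clock, can both be reproduced and told apart offline with the openssl command line before touching slapd. The script below is an added example and not part of the thread; the CA and host names in it are constructed, and `openssl verify -attime` is used to replay the chain check against an earlier clock.

```shell
#!/bin/sh
# Added example: build a demoCA-style CA and a server certificate in a scratch
# directory, then check the chain and the validity window the way a TLS client
# does. Names (Example Test CA, Other CA, ldap.example.test) are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed CA, the equivalent of demoCA/cacert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
# An unrelated CA, to reproduce "tried with a different CA".
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Other CA" \
    -keyout "$WORK/otherkey.pem" -out "$WORK/othercacert.pem" 2>/dev/null

# 2. Server key + CSR, signed by the first CA (newcert.pem / privkey.pem).
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
    -out "$WORK/newcert.pem" 2>/dev/null

# verify_reason CA CERT [EPOCH]: first verify error at EPOCH (default: now),
# or "OK". -attime replays the check with another clock, which is what a
# client whose clock is behind the certificate's notBefore effectively does.
verify_reason() {
    openssl verify -attime "${3:-$(date +%s)}" -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/.*lookup: *\(.*\)/\1/p; s/^.*: OK$/OK/p' | head -n 1
}

# chain_ok CA CERT [EPOCH]: exit 0 only when CERT verifies against CA at EPOCH.
chain_ok() {
    [ "$(verify_reason "$@")" = "OK" ]
}

# show_validity CERT: print the notBefore/notAfter window to compare with the clock.
show_validity() { openssl x509 -noout -dates -in "$1"; }

NOW=$(date +%s)
show_validity "$WORK/cacert.pem"
echo "right CA, now:       $(verify_reason "$WORK/cacert.pem" "$WORK/newcert.pem")"
echo "wrong CA, now:       $(verify_reason "$WORK/othercacert.pem" "$WORK/newcert.pem")"
echo "right CA, yesterday: $(verify_reason "$WORK/cacert.pem" "$WORK/newcert.pem" $((NOW - 86400)))"
```

The last line reproduces the situation in the opening message: the chain is correct, but a clock earlier than the CA's notBefore makes the same certificates fail verification.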