
Re: LDAP+TLS



Hi.

Never could make it work, and I gave up. I tried everything they told me to do on the mailing list.
I followed the how-tos (the official one and others), but no way, I cannot force it to ask for a certificate, so

I set it up like:
Try instead of Demand.

Maybe I'm too lame and do not understand its complexity; I hope some day to make it work.

Thanks for your help, time, and interest.
Greets.



2007/2/13, Brian A. Seklecki <lavalamp@spiritual-machines.org>:

Any resolution ?

~BAS

On Mon, 13 Nov 2006, Net Warrior wrote:

> Hi.
>
> Using the -cert or -key options returns the same
> error; this error arises only when I use
> the TLSClientVerify demand option, as I explained before.
>
> Any clues?
>
>
> Thanks for your time.
>
>
>
> 2006/11/6, Howard Chu <hyc@symas.com>:
>>
>> Net Warrior wrote:
>>
>> > With this configuration everything seems to work fine, but now, what I
>> > want to do is to force my clients to use a certificate to connect,
>> > so, if I did not misunderstand it, the demand option is a must.
>> >
>> > So, when I change TLSVerifyClient never to demand, I get the
>> > following (always on my server)
>> >
>> > linux:/etc/ssl # openssl s_client -connect localhost:636 -state
>> > -showcerts -CAfile cacert.pem
>>
>> This invocation of s_client didn't provide the -cert or -key options, so
>> no client certificate was used. Naturally the handshake fails.
>>
>> Learn to use the OpenSSL tools.
>>
>> > CONNECTED(00000003)
>> > SSL_connect:before/connect initialization
>> > SSL_connect:SSLv2/v3 write client hello A
>> > SSL_connect:SSLv3 read server hello A
>> > depth=1 /C=AU/ST=Some State/L=City/O=Internet Widgits Pty
>> > Ltd/OU=Section/CN=localhost/emailAddress=test@company.com
>> > verify return:1
>> > depth=0 /C=AU/ST=Some Even State/L=City/O=Internet Widgits Pty
>> > Ltd/OU=Section/CN=localhost/emailAddress=test@company.com
>> > verify return:1
>> > SSL_connect:SSLv3 read server certificate A
>> > SSL_connect:SSLv3 read server certificate request A
>> > SSL_connect:SSLv3 read server done A
>> > SSL_connect:SSLv3 write client certificate A
>> > SSL_connect:SSLv3 write client key exchange A
>> > SSL_connect:SSLv3 write change cipher spec A
>> > SSL_connect:SSLv3 write finished A
>> > SSL_connect:SSLv3 flush data
>> > SSL3 alert read:fatal:handshake failure
>> > SSL_connect:failed in SSLv3 read finished A
>> > 6274:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
>> > failure:s3_pkt.c:1052:SSL alert number 40
>> > 6274:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> > failure:s23_lib.c:226:
>> >
>> >
>> > Making some searches in the mailing list I found a guy who had the same
>> > problem, and he was told that with the
>> > demand option we force slapd to ask for a client certificate, and that
>> > the client certificate is a must.
>> > Well, now, I do not get it, cuz I'm authenticating against myself, with
>> > the certificates I generated before;
>> > maybe I have to generate a separate pair of certificates, I do not know.
>> >
>> > With never and allow it works, as suggested by someone on the list, who
>> > said that first we need to try a lower option (never, allow)
>> > to test if the server works; my problem is with the demand option.
>> >
>> >
>> > What am I missing here?
>> > Sorry for my stupidity, I do not get it yet.
>> >
>> > Thanks in advance, and for your valuable time.
>> >
>> > Greets.
>> >
>>
>> --
>>    -- Howard Chu
>>    Chief Architect, Symas Corp.  http://www.symas.com
>>    Director, Highland Sun        http://highlandsun.com/hyc
>>    OpenLDAP Core Team            http://www.openldap.org/project/
>>
>

l8*
        -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
               http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."
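As an added example (not from the thread, and not OpenLDAP's own code), the script below reproduces the symptom using only the openssl command-line tools: a server started with -Verify, the s_server equivalent of slapd's "TLSVerifyClient demand", rejects a client that presents no certificate with the same "alert handshake failure" (alert 40) seen in the quoted trace, and accepts the same client once -cert and -key are supplied. It assumes openssl is on PATH and loopback port 14636 is free; every certificate is a constructed throwaway one in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. s_server -Verify plays the role of slapd with
# "TLSVerifyClient demand". Assumptions: openssl on PATH, port 14636 free, throwaway certs.
set -u
WORK=$(mktemp -d)
PORT=14636
SERVER_PID=

gen_pki() {
  # Constructed PKI: one CA, plus a server cert and a separate client cert signed by it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
        -keyout "$WORK/$n.key" -out "$WORK/$n.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/$n.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/$n.pem" >/dev/null 2>&1 || return 1
  done
}

start_server() {
  # -Verify 1: demand a client certificate and fail the handshake without one ("demand").
  # -CAfile: CAs trusted for client certs (also advertised in the CertificateRequest).
  # -www: serve a tiny HTTP page so the server never reads stdin; -naccept 2: two handshakes.
  openssl s_server -accept "$PORT" -naccept 2 -www -quiet \
      -cert "$WORK/server.pem" -key "$WORK/server.key" -CAfile "$WORK/ca.pem" -Verify 1 \
      >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1
  kill -0 "$SERVER_PID" 2>/dev/null   # still running means it bound the port
}

# The invocation from the thread: no -cert/-key, so the client sends an empty Certificate
# message and the server answers with a fatal handshake_failure (alert 40). TLS 1.2 is
# forced so the rejection happens inside the handshake, exactly as in the quoted trace.
# Returns 0 only when that rejection is observed, which is the expected outcome.
connect_without_cert() {
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/ca.pem" \
      </dev/null 2>&1 | grep -qi "handshake failure"
}

# What Howard points at: present the client certificate and its key. Exit 0 on success.
connect_with_cert() {
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/ca.pem" \
      -cert "$WORK/client.pem" -key "$WORK/client.key" </dev/null >/dev/null 2>&1
}

cleanup() {
  [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null || true
  rm -rf "$WORK"
}
```

Run the functions in order (gen_pki, start_server, connect_without_cert, connect_with_cert, cleanup); the first connect is expected to fail exactly as in the thread and the second to succeed.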