[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS/SSL problem - unsupported certificate

To: Tony Earnshaw <tonni@hetnet.nl>
Subject: Re: TLS/SSL problem - unsupported certificate
From: Howard Chu <hyc@symas.com>
Date: Tue, 10 Apr 2007 23:11:57 -0700
Cc: openldap-software@openldap.org
In-reply-to: <461C57B9.8040707@hetnet.nl>
References: <b29e0c790704100820y315af7abo956846e47f10f637@mail.gmail.com> <461C57B9.8040707@hetnet.nl>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a4pre) Gecko/20070409 SeaMonkey/1.5a

Tony Earnshaw wrote:

Antonio Camacho wrote, on 10. apr 2007 17:20:

[...]

My slapd.conf configuration:
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master- key.pem
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem


Don't use this:

TLSVerifyClient demand
#

If he's trying to use certificate-based authentication, then he needs that statement.

My ldap.conf configuration:
#
Base=mydomain
SIZELIMIT       0
TIMELIMIT       0
TLS_CACERT /etc/openldap/cacerts/cacert.pem


Don't use these:

TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY  /etc/openldap/cacerts/master-key.pem


Those two are ignored in ldap.conf anyway.

TLS_REQCERT demand

This is the default for a client, and in most cases it ought to remain with that setting.

My .ldaprc configuration:
~/.ldaprc is redundant; scrap it.

No. If he is trying to use certificate-based authentication, then the TLS_CERT and TLS_KEY directives belong in the ~/.ldaprc.

Since he didn't actually state whether he is trying to use cert-based authentication or not, and nobody has actually asked that question yet, you're offering advice without any factual basis for your suggestions.

Find out what the real problem is before offering advice. Find out what the real goal is first.

From the information provided so far, all that's certain is that he has a TLS certificate that is intended for use as a web server authentication certificate. The fact that he's trying to use it in both the server and the client configuration is the problem; the TLS library checks the certificate purpose. The client sent a server cert to the server, and the server won't allow it to be used for client authentication.

So, if the goal is to use certificate-based authentication, then the solution is to generate a proper certificate without any usage restrictions on it, or one that says it can be used for client authentication.

If the goal isn't to use certificate-based authentication, then some of your advice is correct. But you don't know enough at this point to say for certain. Ask for clarification before offering advice. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

Follow-Ups:
- Re: TLS/SSL problem - unsupported certificate
  - From: Tony Earnshaw <tonni@hetnet.nl>

References:
- TLS/SSL problem - unsupported certificate
  - From: "Antonio Camacho" <antcam@gmail.com>
- Re: TLS/SSL problem - unsupported certificate
  - From: Tony Earnshaw <tonni@hetnet.nl>

Prev by Date: Re: TLS/SSL problem - unsupported certificate
Next by Date: RE: Ldapsearch on multiple attributes
Index(es):
- Chronological
- Thread