
TLS configuration needs client certification (why?)

Hello all,

Why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on Debian (package 2.3.30-5 to be precise).

When connecting with SSL to slapd using

        ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x

I get the following error from slapd (started with -d 8):

TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455

When connecting to the same host but with the ldap protocol (vs ldaps) the search returns results correctly.

This error seems like somehow slapd wants to get a client certificate, but I did not set slapd up that way. The ldap.conf on the client machines only contains the CA certificate field:

        TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt

Relevant parts from slapd.conf (included in total at the end of message):

        TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
        TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
        TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
        #TLSVerifyClient never
        #TLSCRLCheck none

Verification with openssl s_server and s_client:

        openssl s_server -accept 12345 -cert /etc/ldap/artemis-ldap-cert.pem -key /etc/ldap/artemis-ldap-key.pem -CAfile /usr/share/ca-certificates/t310/t310_pem.crt
Using default temp DH parameters
Using default temp ECDH parameters

and the client:

        openssl s_client -CAfile /etc/ssl/certs/t310_pem.pem -connect artemis.t310.org:12345

allows me to exchange data between them. However, connecting the s_client to the real ldap server results in an error:

        artemis:~# openssl s_client -CAfile /etc/ssl/certs/t310_pem.pem -connect artemis.t310.org:636
        depth=1 /O=T310 technologies/OU=CA Division/emailAddress=ca@t310.org/L=Amsterdam/ST=NH/C=NL/CN=T310 root CA
        verify return:1
        depth=0 /C=NL/ST=NH/O=T310 technologies/OU=ldap/CN=artemis.t310.org
        verify return:1
        15612:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1057:SSL alert number 40
        15612:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Any help is appreciated.

Frank Cornelissen

Attachment: slapd.conf
Description: Binary data
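A small static check of the TLS directives in a slapd.conf, added here as an example for this thread; it is not code from the original post or from the OpenLDAP project. It uses only the global TLS directive names and the TLSVerifyClient values documented in slapd.conf(5) for OpenLDAP 2.3, and the two sample configurations embedded in it are constructed from the snippet quoted in the message above (one as posted, one with TLSVerifyClient set to demand). The checker reports directive names outside the documented set together with the closest known spelling, which is how a spelling such as TLSCACerticateFile becomes visible, and reports whether the effective TLSVerifyClient value (never when the directive is absent or commented out) is one that makes slapd reject a client that presents no certificate.

```python
"""Static check of the TLS directives in a slapd.conf (added example).

Flags directive names that are not in the documented slapd.conf(5) TLS set,
reports the effective TLSVerifyClient value and whether that value makes
slapd demand a client certificate, and lists the directives a TLS listener
cannot do without.
"""

import difflib

# Global TLS directives documented in slapd.conf(5) for OpenLDAP 2.3.
KNOWN_TLS_DIRECTIVES = [
    "TLSCipherSuite",
    "TLSCACertificateFile",
    "TLSCACertificatePath",
    "TLSCertificateFile",
    "TLSCertificateKeyFile",
    "TLSDHParamFile",
    "TLSRandFile",
    "TLSVerifyClient",
    "TLSCRLCheck",
]
# slapd.conf directive names are case-insensitive; map lower-case to canonical.
_CANONICAL = {d.lower(): d for d in KNOWN_TLS_DIRECTIVES}

# TLSVerifyClient values under which slapd terminates the session when the
# client presents no certificate (slapd.conf(5): "demand | hard | true").
REQUIRE_CLIENT_CERT = {"demand", "hard", "true"}


def parse_directives(text):
    """Yield (name, value) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def check_tls_config(text):
    """Return a report dict describing the TLS directives found in `text`."""
    report = {
        "unknown": [],              # (name as written, closest known name or None)
        "missing": [],              # directives a TLS listener needs but lacks
        "verify_client": "never",   # slapd's default when the directive is absent
        "requires_client_cert": False,
    }
    seen = set()
    for name, value in parse_directives(text):
        key = name.lower()
        if not key.startswith("tls"):
            continue                # not a TLS directive; outside this check's scope
        if key not in _CANONICAL:
            guess = difflib.get_close_matches(key, list(_CANONICAL), n=1, cutoff=0.8)
            report["unknown"].append((name, _CANONICAL[guess[0]] if guess else None))
            continue
        canonical = _CANONICAL[key]
        seen.add(canonical)
        if canonical == "TLSVerifyClient":
            report["verify_client"] = value.lower()
    for required in ("TLSCertificateFile", "TLSCertificateKeyFile"):
        if required not in seen:
            report["missing"].append(required)
    report["requires_client_cert"] = report["verify_client"] in REQUIRE_CLIENT_CERT
    return report


# Constructed sample: the TLS lines exactly as quoted in the message above.
POSTED_SNIPPET = """\
TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACerticateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none
"""

# Constructed sample: the same lines with the CA directive spelled as
# documented and client certificates demanded.
DEMAND_SNIPPET = (
    POSTED_SNIPPET
    .replace("TLSCACerticateFile", "TLSCACertificateFile")
    .replace("#TLSVerifyClient never", "TLSVerifyClient demand")
)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_SNIPPET), ("demand", DEMAND_SNIPPET)):
        print(label, check_tls_config(cfg))
```

Run it against a full slapd.conf by reading the file into `check_tls_config`; unknown directive names are reported next to the documented name they most resemble, and `requires_client_cert` is True only when the TLSVerifyClient value in effect is one of demand, hard or true.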