
Re: TLS configuration needs client certification (why?)

On Aug 25, 2007, at 2:49 PM, Howard Chu wrote:

> Frank Cornelissen wrote:
>> Hello all,
>> why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on debian (package 2.3.30-5 to be precise).
>> when connecting with ssl to slapd using
>> ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
>> I get the following error from slapd (started with -d 8):
>> TLS: can't accept.
>> TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
>> When connecting to the same host but with the ldap protocol (vs ldaps) the search returns results correctly.
>> This error seems like somehow slapd wants to get a client certificate, but I did not set slapd up that way. The ldap.conf on the client machines only contains the CA certificate field:
>> TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt
>> relevant parts from slapd.conf (included in total at the end of message):
>> TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
>> TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
>> TLSCACertificateFile /usr/share/ca-certificates/t310/t310_pem.crt
>> #TLSVerifyClient never
>> #TLSCRLCheck none
>
> Uncomment the "TLSVerifyClient never" directive here to work around this problem.


No, that didn't work. The problem is a bad interaction with libnss_ldap and slapd, that share the same ldap connection context (same process). libnss-ldap does (rightfully) want to check the certificate of the server, and sets this option when it is activated. That happens after the slapd.conf is read. My solution for now is to run slapd in a chroot jail which does not reference nss-ldap, so this problem does not occur.


> --
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP     http://www.openldap.org/project/

Frank Cornelissen
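The log line in the thread is the server side of a TLS 1.2 handshake in which the server asked for a client certificate, insisted on getting one (OpenSSL's SSL_VERIFY_FAIL_IF_NO_PEER_CERT, the flag behind TLSVerifyClient demand/hard), and the client answered with an empty Certificate message. The following is an added example, not code from the thread or from OpenLDAP: it stands up a local TLS server in Python with its verify mode set per TLSVerifyClient level and shows which levels turn away a client that, like Frank's ldapsearch, carries only a CA certificate. Assumptions: the openssl command-line tool (1.1.1 or later, for -addext) and Python 3.7+ are available; the mapping of level names to ssl.CERT_* modes is this example's reading of the slapd.conf(5) description (the "allow" level, which also tolerates an invalid certificate, has no direct ssl.CERT_* equivalent and is left out); the connection is capped at TLS 1.2 so that the refusal surfaces in the server's accept, as it did in slapd's log, rather than after the handshake as TLS 1.3 would. The certificates are throwaway self-signed pairs generated at run time.

```python
# Added example: reproduce "peer did not return a certificate" locally and show
# which TLSVerifyClient levels refuse a client that presents no certificate.
# Not OpenLDAP code; needs the openssl CLI (>= 1.1.1) and Python 3.7+.
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# slapd's TLSVerifyClient levels mapped to ssl verify modes (this example's mapping
# of the slapd.conf(5) text; "allow" is omitted, see the lead-in).
VERIFY_LEVELS = {
    "never": ssl.CERT_NONE,       # no CertificateRequest is sent at all
    "try": ssl.CERT_OPTIONAL,     # requested; absent is fine, invalid fails
    "demand": ssl.CERT_REQUIRED,  # requested; absent or invalid fails the handshake
}


def make_self_signed(directory, name, san=None):
    """Create a throwaway self-signed (key, cert) pair with the openssl CLI."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
           "-subj", "/CN=" + name, "-keyout", key, "-out", crt]
    if san:
        cmd += ["-addext", "subjectAltName=DNS:" + san]
    subprocess.run(cmd, check=True, capture_output=True)
    return key, crt


def probe(level, server, client, present_client_cert):
    """One TLS handshake against a server running at the given TLSVerifyClient level.

    server and client are (key, cert) pairs; each side's self-signed cert doubles as
    the other side's trust anchor (TLSCACertificateFile / TLS_CACERT). Returns "ok"
    or the OpenSSL reason the server recorded when it refused the session.
    """
    server_key, server_crt = server
    client_key, client_crt = client

    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_crt, server_key)  # TLSCertificateFile / TLSCertificateKeyFile
    srv.load_verify_locations(client_crt)        # TLSCACertificateFile
    srv.verify_mode = VERIFY_LEVELS[level]       # TLSVerifyClient
    # In TLS 1.2 the client's (possibly empty) Certificate message is checked inside
    # the handshake, so a refusal is raised by the server's accept, as in slapd's log.
    srv.maximum_version = ssl.TLSVersion.TLSv1_2

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    outcome = {}

    def serve():
        try:
            conn, _ = listener.accept()
            with srv.wrap_socket(conn, server_side=True):
                outcome["server"] = "ok"
        except OSError as exc:  # ssl.SSLError is an OSError; .reason is the OpenSSL code
            outcome["server"] = getattr(exc, "reason", None) or str(exc)

    worker = threading.Thread(target=serve)
    worker.start()

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(server_crt)            # TLS_CACERT in ldap.conf
    if present_client_cert:
        cli.load_cert_chain(client_crt, client_key)  # TLS_CERT / TLS_KEY in ldap.conf
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with cli.wrap_socket(raw, server_hostname="localhost"):
            pass
    except OSError:
        pass  # the server side records why the handshake was refused
    worker.join()
    listener.close()
    return outcome.get("server", "no result from server thread")


def run_demo():
    """Generate the certificates and run the four handshakes that matter here."""
    with tempfile.TemporaryDirectory() as tmp:
        server = make_self_signed(tmp, "server", san="localhost")
        client = make_self_signed(tmp, "client")
        return {
            "never / no client cert": probe("never", server, client, False),
            "try / no client cert": probe("try", server, client, False),
            "demand / no client cert": probe("demand", server, client, False),
            "demand / client cert": probe("demand", server, client, True),
        }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:26} -> {result}")
```

Run it directly for a table of outcomes. Only the demand level with an anonymous client fails, and the reason the server records is the same OpenSSL "peer did not return a certificate" that slapd logged; seeing that reason on the server, or an "Acceptable client certificate CA names" section from openssl s_client on the client side, is the quick way to confirm that a server is asking for and insisting on a client certificate whatever its slapd.conf appears to say.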