RE: Enabling TLS problem on openldap2-2.3.39
On Wed, 21 Nov 2007, Keagle, Chuck wrote:
I have yet to even change the error messages when trying:
# ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Looks to me like slapd is sending its cert, but either
1) it doesn't match the hostname in the URI (testsvr.blv.boeing.com), or
2) none of the CAs 'above' it are in the set of CAs trusted to ldapsearch.
So, what's the output of
openssl x509 -text -noout -in /path/to/servers/cert/here.pem
? Does it show testsvr.blv.boeing.com either as a DNS X509v3 Subject
Alternative Name or as the value of a CN attribute in the cert's subject?
If not, there's (part of) your problem, as your cert MUST match the name
in the URI used to locate the server. If that wasn't true, TLS/SSL would
be easily attackable and therefore pointless.
...
#TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSCACertificatePath /etc/ssl/certs/
TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
#TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
Wait, so you're running the server without certificate or key files? How
do you think that can possibly work?
...
#####
# Database Configuration Parameters
#####
#TLSCertificateFile /etc/openldap/servercert.pem
#TLSCertificateKeyFile /etc/openldap/serverkey.pem
Another pair of these? What are they doing in the database config part of
your slapd.conf? Don't you keep the directives grouped by function?
...
Here is /etc/openldap/ldap.conf
...
TLS_REQCERT allow
#CBK Added for self-signed certificate
Well, this means that item #2 above (checking of CAs) can't be the
issue, because the 'allow' setting bypasses that check.
(...rendering the TLS negotiation subject to an easy Man-in-the-Middle
attack, of course...)
HOST testsvr.blv.boeing.com
Don't set this. The HOST and PORT settings should never be used.
Indeed, this conflicts with the URI setting you also put in the file!
TLS_CACERT /etc/ssl/certs/ldapServer.pem
If that file is the server's self-signed cert, then you should not need
the TLS_REQCERT option.
Philip Guenther
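The checks the reply asks for, as an added example that is not code from either poster or from OpenLDAP. It uses only the openssl command line (1.1.0 or later assumed, for -verify_hostname and -no-CAfile), so it runs without slapd: it generates a self-signed server certificate for testsvr.blv.boeing.com in a temporary directory, inspects it with openssl x509 -text as suggested, then verifies it the way a client with TLS_REQCERT demand would (chain to TLS_CACERT, then name match against the URI host) and shows the two ways that fails: a name that does not match (ldap.example.com is a constructed stand-in) and no trust store at all, which is the "certificate verify failed" in the thread. The ldap.conf it prints is the one the reply points to: URI only, the server's self-signed cert as TLS_CACERT, no HOST line, and no TLS_REQCERT allow.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduces the certificate checks
# from the reply using only openssl, so it runs without slapd. The hostname
# testsvr.blv.boeing.com comes from the thread; the key, certificate and paths
# are generated here in a temporary directory.
set -u

HOST=testsvr.blv.boeing.com

# Make a self-signed server cert carrying $2 as both subject CN and DNS SAN.
# Writes $1/key.pem and $1/cert.pem. CA:TRUE lets the cert act as its own trust
# anchor, which is what pointing TLS_CACERT at the server cert relies on.
make_selfsigned_cert() {
    dir=$1; host=$2
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
basicConstraints = CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" >/dev/null 2>&1
}

# The check from the reply: does `openssl x509 -text` list $2 as a DNS SAN?
cert_has_dns_san() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -text -noout -in "$1" | grep -Eq "DNS:$pat(,|$)"
}

# ...or as the subject CN, the fallback clients use only when there is no SAN.
cert_has_cn() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | tr -d ' ' \
        | grep -Eq "CN=$pat(,|$)"
}

# What a client with TLS_REQCERT demand does at StartTLS: build a chain to the
# trust store in $2, then match $3 against the cert's names. 0 only if both hold.
verify_as_client() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# With no trust store the same cert cannot chain: this is the thread's
# "certificate verify failed", which TLS_REQCERT allow silences rather than fixes.
verify_with_no_trust_store() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# Client ldap.conf the reply points to: URI only (no HOST/PORT), the server's
# self-signed cert as TLS_CACERT, and the default TLS_REQCERT demand restored.
client_ldap_conf() {
    printf 'URI ldap://%s\nTLS_CACERT %s\nTLS_REQCERT demand\n' "$1" "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_selfsigned_cert "$tmp" "$HOST" || { rm -rf "$tmp"; return 1; }
    cert="$tmp/cert.pem"
    cert_has_dns_san "$cert" "$HOST" && echo "SAN DNS:$HOST present"
    cert_has_cn "$cert" "$HOST" && echo "subject CN=$HOST present"
    verify_as_client "$cert" "$cert" "$HOST" && echo "verify, TLS_CACERT=cert, URI host: OK"
    # ldap.example.com is a constructed name that does not appear in the cert.
    verify_as_client "$cert" "$cert" ldap.example.com || echo "verify, wrong URI host: FAIL (name mismatch)"
    verify_with_no_trust_store "$cert" || echo "verify, no CA at all: FAIL (self-signed, untrusted)"
    client_ldap_conf "$HOST" /etc/ssl/certs/ldapServer.pem
    rm -rf "$tmp"
}
demo
```

The name check is done against the SAN first; a CN match only matters when the certificate carries no SAN at all, so a new server cert should always carry the URI host as a DNS SAN. Pointing TLS_CACERT at the self-signed server cert is what makes the chain build, and once it does, TLS_REQCERT can stay at its default of demand.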