
RE: Enabling TLS problem on openldap2-2.3.39



On Wed, 21 Nov 2007, Keagle, Chuck wrote:
> I have yet to even change the error messages when trying:
>
> # ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base 'objectclass=*' '+' '*'
> ldap_start_tls: Connect error (-11)
>        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Looks to me like slapd is sending its cert, but either 1) it doesn't match the hostname in the URI (testsvr.blv.boeing.com), or 2) none of the CAs 'above' it are in the set of CAs trusted to ldapsearch.

So, what's the output of
     openssl x509 -text -noout -in /path/to/servers/cert/here.pem

? Does it show testsvr.blv.boeing.com either as a DNS X509v3 Subject Alternative Name or as the value of a CN attribute in the cert's subject? If not, there's (part of) your problem, as your cert MUST match the name in the URI used to locate the server. If that wasn't true, TLS/SSL would be easily attackable and therefore pointless.

> ...
> #TLSCertificateFile /etc/ssl/servercerts/servercert.pem
> TLSCACertificatePath /etc/ssl/certs/
> TLSCACertificateFile /etc/ssl/certs/ldapServer.pem
> #TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem

Wait, so you're running the server without certificate or key files? How do you think that can possibly work?


> ...
> #####
> #  Database Configuration Parameters
> #####
>
> #TLSCertificateFile /etc/openldap/servercert.pem
> #TLSCertificateKeyFile /etc/openldap/serverkey.pem

Another pair of these? What are they doing in the database config part of your slapd.conf? Don't you keep the directives grouped by function?



> ...
> Here is /etc/openldap/ldap.conf
> ...
> TLS_REQCERT allow
> #CBK Added for self-signed certificate

Well, this means that item #2 above (checking of CAs) can't be the issue, because the 'allow' setting bypasses that check.

(...rendering the TLS negotiation subject to an easy Man-in-the-Middle attack, of course...)


> HOST testsvr.blv.boeing.com

Don't set this. The HOST and PORT settings should never be used. Indeed, this conflicts with the URI setting you also put in the file!



> TLS_CACERT /etc/ssl/certs/ldapServer.pem

If that file is the server's self-signed cert, then you should not need the TLS_REQCERT option.



Philip Guenther
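The reply above hinges on one check: does the name in the LDAP URI appear in the server certificate, either as a dNSName Subject Alternative Name or as the subject CN? The following is an added example, not code from the thread or from OpenLDAP; it implements that comparison as a stand-alone function using the RFC 6125 rules (dNSName SANs are authoritative when present, the CN is only a fallback when the certificate carries no dNSName SANs, and a wildcard is honoured only as the complete leftmost label). The certificate name sets fed to it are constructed, and the `CertNames` container is this example's own stand-in for what `openssl x509 -text -noout` would print; it generalises the post's single case to wildcard and case-folding behaviour.

```python
"""Certificate name vs URI hostname check (RFC 6125 semantics).

Added example for the thread above; the name sets below are constructed
and stand in for the Subject CN / Subject Alternative Name fields that
'openssl x509 -text -noout' would show for the server certificate.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Identity-bearing fields of a server certificate (constructed stand-in)."""
    subject_cn: Optional[str]
    dns_sans: List[str] = field(default_factory=list)


def _name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented name against the hostname from the URI.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is only accepted as the complete leftmost label ('*.blv.boeing.com'),
    must match exactly one label, and never matches the bare parent domain.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not presented.startswith("*."):
        return presented == hostname
    suffix = presented[1:]                 # '.blv.boeing.com'
    if "*" in suffix:                      # a second wildcard is never valid
        return False
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]    # the label the '*' must cover
    return bool(leftmost) and "." not in leftmost


def cert_matches_host(names: CertNames, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) for whether the certificate identifies `hostname`.

    dNSName SANs take precedence: if any are present, the CN is not consulted
    at all, which is exactly why a certificate issued only for some other
    name fails the hostname check even when its CN looks right.
    """
    if names.dns_sans:
        for san in names.dns_sans:
            if _name_matches(san, hostname):
                return True, "matched dNSName SAN %r" % san
        return False, "dNSName SANs present but none match; CN not consulted"
    if names.subject_cn and _name_matches(names.subject_cn, hostname):
        return True, "no dNSName SANs; matched subject CN %r" % names.subject_cn
    return False, "no dNSName SANs and subject CN does not match"


if __name__ == "__main__":
    # The hostname from the ldapsearch URI in the thread.
    uri_host = "testsvr.blv.boeing.com"
    candidates = {
        "CN only, correct":      CertNames("testsvr.blv.boeing.com"),
        "CN only, wrong host":   CertNames("ldapServer"),
        "SAN for other name":    CertNames("testsvr.blv.boeing.com",
                                           ["ldap.example.invalid"]),
        "wildcard SAN":          CertNames("ignored", ["*.blv.boeing.com"]),
    }
    for label, cert in candidates.items():
        ok, why = cert_matches_host(cert, uri_host)
        print("%-22s %-5s %s" % (label, "OK" if ok else "FAIL", why))
```

Read the output against the reply's two hypotheses: a certificate whose CN is `ldapServer` (the name of the file in the quoted config) fails for reason 1 regardless of any `TLS_REQCERT` setting, because `allow` only relaxes the CA check, not the name check.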