[Date Prev][Date Next]
RE: Enabling TLS problem on openldap2-2.3.39
On Wed, 21 Nov 2007, Keagle, Chuck wrote:
I have yet to even change the error messages when trying:
# ldapsearch -x -Z -H ldap://testsvr.blv.boeing.com -b "" -s base
'objectclass=*' '+' '*'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Looks to me like slapd is sending its cert, but either
1) it doesn't match the hostname in the URI (testsvr.blv.boeing.com), or
2) none of the CAs 'above' it are in the set of CAs trusted to ldapsearch.
So, what's the output of
openssl x509 -text -noout -in /path/to/servers/cert/here.pem
? Does it show testsvr.blv.boeing.com either as a DNS X509v3 Subject
Alternative Name or as the value of a CN attribute in the cert's subject?
If not, there's (part of) your problem, as your cert MUST match the name
in the URI used to locate the server. If that wasn't true, TLS/SSL would
be easily attackable and therefore pointless.
Wait, so you're running the server without certificate or key files? How
do you think that can possibly work?
# Database Configuration Parameters
Another pair of these? What are they doing in the database config part of
your slapd.conf? Don't you keep the directives grouped by function?
Here is /etc/openldap/ldap.conf
#CBK Added for self-signed certificate
Well, this means that item #2 above (checking of CAs) can't be the
issue, because the 'allow' setting bypasses that check.
(...rendering the TLS negotiation subject to an easy Man-in-the-Middle
attack, of course...)
Don't set this. The HOST and PORT settings should never be used.
Indeed, this conflicts with the URI setting you also put in the file!
If that file is the server's self-signed cert, then you should not need
the TLS_REQCERT option.