
Re: SSL handshake failure

On Mon, 18 Feb 2008, Nathan Huesken wrote:
> I am trying to enable TLS on my ldap server. I executed:
> openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ldap-key.pem -days 999999

That creates a self-signed certificate. If you really do have a need to use and issue client certificates, then you'll almost certainly want to issue them from a common CA so that they can be validated more easily. Whether a single CA or multiple levels of CAs is the best match for your needs is a question beyond the scope of this list; you should check the OpenSSL documentation and mailing lists for help on that.

> and added:
> TLSCertificateFile /etc/ssl/ldap.pem
> TLSCertificateKeyFile /etc/openldap/ldap-key.pem
> TLSVerifyClient demand
> to my slapd.conf.

You should first get TLS working without requiring client certs. Once you have that working correctly and securely, then you can work through the details of getting client certs working on that stable foundation.

> To my ldap.conf, I added:
> TLS_CERT     /etc/ssl/ldap.pem
> TLS_KEY      /etc/openldap/ldap-key.pem

To quote the ldap.conf(5) manpage: "This is a user-only option."

> TLS_REQCERT allow

You want a setup where clients have to present certs, but they don't need to validate the server's cert? That seems counter-productive. I would expect a TLS_CACERT option here instead. Since the server's cert is self-signed, it is its own CA:
TLS_CACERT /etc/ssl/ldap.pem

...at least until you use separate certs for the CA and server.
Philip Guenther
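As an added illustration (not part of Philip Guenther's reply, and not OpenLDAP's shipped configuration), the staged approach described above looks like this in configuration: the server first offers TLS without demanding client certificates, and the client validates the self-signed server certificate by treating it as its own CA. The file paths are the ones from the thread; the `ldap.conf` fragment is assumed to be the system-wide file, and the user-only options are assumed to live in `~/.ldaprc`.

```conf
# slapd.conf -- step 1: server-side TLS only (paths as used in the thread)
TLSCertificateFile    /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
# Do not demand client certificates until plain TLS is known to work;
# change this to "demand" only once clients are issued certs from a
# CA the server can validate against (TLSCACertificateFile).
TLSVerifyClient never

# ldap.conf (system-wide) -- client side
# The self-signed server cert is its own CA, so trust it directly.
# This pin must be replaced when the server cert is reissued from a
# separate CA; point TLS_CACERT at that CA's cert instead.
TLS_CACERT  /etc/ssl/ldap.pem
# Require the server cert to validate. "allow" would silently proceed
# with an unverifiable server certificate.
TLS_REQCERT demand
# TLS_CERT / TLS_KEY are user-only options per ldap.conf(5) and belong
# in ~/.ldaprc, not here.
```

With this in place, `ldapsearch -ZZ -x -H ldap://<server> -b ''` (the doubled `-ZZ` makes ldapsearch fail rather than fall back if StartTLS does not succeed) is a simple check that the TLS layer and the server-certificate validation work before `TLSVerifyClient` is raised to `demand`.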