
SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read

Hello everybody,

I'm just trying to set up a LDAPS server using my own
certification authority, but the ldap server does not
accept/understand my client certificate. Instead, the server reports:

   TLS: can't accept: The peer did not send any certificate..

What I did:

1.) I set up LDAP without SSL/TLS to make sure that it is
configured properly. This worked out fine so far, I can
use ldapsearch, ldapadd, phpldapadmin ...

2.) I created a self signed certificate for my RootCA, used
it to sign my ServerCA and used the ServerCA to sign the
certificates for my ldap server and client.

The certificates of RootCA and ServerCA have been concatenated
into one file <name of ca>.chain.crt

3.) Changed ldap.conf and slapd.conf as described below

4.) Tried to do an ldapsearch on the client -> failed

5.) Tried openssl client -> success

Here are the details:


# ldapsearch -x -LLL -ZZ -d 1

ldap_new_connection 1 1 0
ldap_connect_to_host: TCP <serverip>:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying <serverip>:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_start_tls: Can't contact LDAP server (-1)


# slapd -VV
  @(#) $OpenLDAP: slapd 2.4.9 (Aug  1 2008 01:09:46) $

# slapd -h "ldaps://<ip>/" -u openldap -g openldap -d 127

connection_get(13): got connid=32
connection_read(13): checking for input on id=32
tls_read: want=5, got=5
  0000:  16 03 02 00 07                                     .....
tls_read: want=7, got=7
  0000:  0b 00 00 03 00 00 00                               .......
TLS: can't accept: The peer did not send any certificate..
connection_read(13): TLS accept failure error=-1 id=32, closing
connection_closing: readying conn=32 sd=13 for close
connection_close: conn=32 sd=13
daemon: removing 13

But if I use openssl s_client, I get a different result:


openssl s_client -showcerts -connect <serverfqdn>:636 \
        -CAfile cacerts/<ca>.chain.crt -cert certs/<clientfqdn>.cert.pem \
        -key private/<clientfqdn>.key.pem

depth=2 /C=...
verify return:1
depth=1 /C=...
verify return:1
depth=0 /C=...
verify return:1
Certificate chain
 0 s:/C=...
<Certificate data>
Server certificate
Acceptable client certificate CA names
SSL handshake has read 1806 bytes and written 4358 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: F63D4DB4A918CC3BC8F8617AD49F6C6EFCB316203466EC91DBCF0C2E3700DE1E
    Master-Key: <master key>
    Key-Arg   : None
    Start Time: 1219848938
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

And on the server side, everything seems to be OK. There is no error, and the last lines
of output are:

=> ldap_dn2bv(16)
<= ldap_dn2bv(cn=<cn of client>,ou=<ou>,o=<o>,st=<st>,c=<c>)=0
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero

ldap.conf (partially)

uri ldaps://
ssl yes
tls_cacertfile /usr/lib/ssl/cacartes/<ca>.chain.crt
tls_ciphers TLSv1
tls_cert /usr/lib/ssl/certs/<clientfqdn>.cert.pem
tls_key /usr/lib/ssl/private/<clientfqdn>.key.pem

slapd.conf (partially)

TLSCACertificateFile /usr/lib/ssl/certs/<ca>.chain.crt
TLSCertificateFile /usr/lib/ssl/openldap/<serverfqdn>.cert.pem
TLSCertificateKeyFile /usr/lib/ssl/openldap/private/<serverfqdn>.key.pem
TLSVerifyClient demand

What did I do wrong?

Best regards,

Hauke Coltzau
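The two "tls_read" dumps in the slapd log above are the complete TLS record the server was complaining about, and they can be decoded by hand. The following Python script is an added example for this page; it is not part of the original message and is not OpenLDAP or OpenSSL code. The hex bytes are copied from the post; the function names, the HandshakeSummary structure and the five-byte placeholder "DER" blob used to show a populated certificate list are assumptions of this example. It parses the record-layer header (content type, version, length), the handshake header (type, length) and, for a Certificate message, the certificate_list, so it can tell an empty list from a truncated one.

```python
# Added example (not from the original post): decode the two TLS records that
# slapd printed via tls_read right before "The peer did not send any certificate".
# The hex bytes are taken from the post; the helper names and the placeholder
# DER blob are assumptions of this example, not OpenLDAP or OpenSSL code.
from dataclasses import dataclass, field
from typing import List, Tuple

# TLS record-layer content types (RFC 2246 / RFC 4346).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake message types; 11 is Certificate, the message at issue here.
HANDSHAKE_TYPES = {
    0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
    15: "certificate_verify", 16: "client_key_exchange", 20: "finished",
}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


@dataclass
class HandshakeSummary:
    content_type: str
    version: str
    handshake_type: str
    certificate_count: int = 0                      # only meaningful for Certificate messages
    certificate_lengths: List[int] = field(default_factory=list)


def parse_handshake_record(header: bytes, fragment: bytes) -> HandshakeSummary:
    """Parse one TLS record (5-byte header + fragment) holding a single handshake message."""
    if len(header) != 5:
        raise ValueError("TLS record header must be exactly 5 bytes")
    content_type = header[0]
    version = VERSIONS.get((header[1], header[2]), f"unknown {header[1]}.{header[2]}")
    record_len = int.from_bytes(header[3:5], "big")
    if record_len != len(fragment):
        raise ValueError(f"record header announces {record_len} bytes, got {len(fragment)}")
    if content_type != 22:
        return HandshakeSummary(CONTENT_TYPES.get(content_type, "unknown"), version, "n/a")

    # Handshake header: 1-byte message type + 3-byte body length.
    hs_type = fragment[0]
    hs_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake body truncated")
    summary = HandshakeSummary("handshake", version, HANDSHAKE_TYPES.get(hs_type, f"type {hs_type}"))
    if hs_type != 11:
        return summary

    # Certificate message: 3-byte certificate_list length, then entries of
    # 3-byte length + DER bytes. A list length of 0 means "no certificate sent".
    list_len = int.from_bytes(body[0:3], "big")
    entries = body[3:3 + list_len]
    if len(entries) != list_len:
        raise ValueError("certificate_list truncated")
    pos = 0
    while pos < len(entries):
        cert_len = int.from_bytes(entries[pos:pos + 3], "big")
        pos += 3
        if pos + cert_len > len(entries):
            raise ValueError("certificate entry truncated")
        summary.certificate_lengths.append(cert_len)
        pos += cert_len
    summary.certificate_count = len(summary.certificate_lengths)
    return summary


def decode_slapd_dump(header_hex: str, fragment_hex: str) -> HandshakeSummary:
    """Accept the space-separated hex exactly as 'slapd -d' prints it after 'tls_read:'."""
    return parse_handshake_record(bytes.fromhex(header_hex), bytes.fromhex(fragment_hex))


def build_certificate_record(certs: List[bytes], version: Tuple[int, int] = (3, 2)) -> Tuple[bytes, bytes]:
    """Build a Certificate record (default TLS 1.1) from DER blobs, to show the non-empty case."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    fragment = bytes([11]) + len(body).to_bytes(3, "big") + body
    header = bytes([22, version[0], version[1]]) + len(fragment).to_bytes(2, "big")
    return header, fragment


if __name__ == "__main__":
    # The two dumps from the post, verbatim: a TLS 1.1 handshake record carrying a
    # Certificate message whose certificate_list has length 0.
    empty = decode_slapd_dump("16 03 02 00 07", "0b 00 00 03 00 00 00")
    print(empty)
    # Constructed placeholder blob (not a real certificate) to show what a
    # populated certificate_list decodes to.
    hdr, frag = build_certificate_record([b"\x30\x03\x02\x01\x01"])
    print(parse_handshake_record(hdr, frag))
```

Decoding the posted bytes gives a handshake record (0x16) at version 3.2 (TLS 1.1) with a 7-byte fragment, and the fragment is a Certificate message (0x0b) of length 3 whose certificate_list length is 000000. In other words, the client reached the point in the handshake where the certificate is sent and sent an empty list, which is exactly what "The peer did not send any certificate" means under TLSVerifyClient demand. The openssl s_client run succeeded because it was handed -cert and -key explicitly on the command line, so the difference to look for is whether the LDAP client library actually loaded the certificate and key from its configuration before connecting.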