
Re: Can't get TLS working.
c0re <nr1c0re@gmail.com> writes:

> Hello everyone!
[...]
> So I add to slapd.conf
>
> TLSCertificateFile    /usr/local/etc/openldap/ssl/ldap.server.ru.crt.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.server.ru.key.pem
> TLSCACertificateFile  /usr/local/etc/openldap/ssl/rootcrt.pem
>
> In nss_ldap and ldap.conf I add the following:
>
> ssl start_tls
> tls_cacertfile /usr/local/etc/openldap/ssl-client/rootcrt.pem
>
> I start slapd with debugging:
[...]
> And slapd debug:
>
>
> slap_listener_activate(7):
>>>> slap_listener(ldap:///)
[...]
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(11): got connid=1000
> connection_read(11): checking for input on id=1000
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
> connection_read(11): unable to get TLS client DN, error=49 id=1000
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You probably have configured slapd to require client verification, but
the client doesn't provide a valid certificate.

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
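As an added example that is not part of Dieter's reply or the original post: the slapd.conf directive that controls whether slapd requests and checks a client certificate, shown next to the server paths quoted from the post, and the client-side nss_ldap/ldap.conf lines that would supply a certificate if client verification is actually intended. The client certificate and key paths are assumed placeholders, not values from the thread.

```conf
# slapd.conf (server side). The three paths are the ones from the post.
TLSCertificateFile    /usr/local/etc/openldap/ssl/ldap.server.ru.crt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap.server.ru.key.pem
TLSCACertificateFile  /usr/local/etc/openldap/ssl/rootcrt.pem

# TLSVerifyClient decides whether slapd asks the client for a certificate
# and what happens when none, or an invalid one, arrives:
#   never  - do not request a client certificate (the default)
#   allow  - request one, but ignore a missing or invalid certificate
#   try    - request one; missing is fine, invalid terminates the session
#   demand - request one; missing or invalid terminates the session
# "unable to get TLS client DN" means no DN could be taken from a peer
# certificate; the session survives that only under never/allow/try.
# If clients are not supposed to authenticate with certificates at all:
TLSVerifyClient never

# If they are, keep "demand" and give every client a certificate issued
# by the CA in rootcrt.pem. Client side, nss_ldap / ldap.conf; the
# tls_cert and tls_key paths are assumed, not taken from the post:
#
#   ssl start_tls
#   tls_cacertfile /usr/local/etc/openldap/ssl-client/rootcrt.pem
#   tls_cert       /usr/local/etc/openldap/ssl-client/client.crt.pem
#   tls_key        /usr/local/etc/openldap/ssl-client/client.key.pem
```

Before pointing a client at slapd, confirm that the client certificate chains to the CA slapd trusts, e.g. with `openssl verify -CAfile rootcrt.pem client.crt.pem` on the server's copy of the root certificate; a certificate that passes there but still yields error 49 points at the client not sending it rather than at the chain.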