Re: self signed certificate

On 11/21/2010 07:36 PM, Howard Chu wrote:
Dieter Klünter wrote:
Fri, Nov 19, 2010 at 02:58:30PM -0200, Márcio Luciano Donada wrote:
Hi list,
When using TLS, I have information that I'm using a self-signed
certificate, as shown below:

# ldapsearch -x -d5 -b 'ou=Usuarios,dc=xx,dc=com,dc=br' -H
ldaps:// '(objectclass=*)'
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject:
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br,
-State/O=Internet Widgits Pty Ltd/CN=ldap.xx.com.br
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self
signed certificate).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

OpenLDAP is quite picky about correct certificate chains.

No, the software will accept whatever you tell it to use, if you
configure it appropriately.

Agreed. I had to put together a test setup to convince myself first, but now it makes sense to me. =)

You really should create a full certificate chain, that is, a ca, a
server certificate and a server key.

But yes, the Project always recommends that you do the right thing.

One thing I was wondering here is if his ldap is only accessible from within one location (i.e., no physically separated subnets that need to authenticate against this ldap server), self-signed would not be a bad idea.

Otherwise, there is always cacert.org. That said, using the latter could make it a bit simpler (at the expense of having to renew the cert more often) as the CA is available and easy to deploy to other machines.
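The "full certificate chain" Dieter describes (a CA, a server certificate and a server key), as an added example that is not part of the thread: the script below builds the chain with OpenSSL and then checks the server certificate the way a client does, once with the CA trusted and once without. It assumes an installed OpenSSL; the hostname ldap.example.test and all subject names are placeholders.

```shell
#!/bin/sh
# Added example, not from the list thread. Builds a CA -> server chain and
# shows both verification outcomes. Assumes the openssl CLI is installed;
# ldap.example.test and the subject names are placeholders.
set -eu

# Minimal OpenSSL config: one section for the CA, one for the server cert.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example LDAP Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.test
EOF
}

# make_chain DIR: writes ca.key/ca.crt and server.key/server.crt into DIR.
make_chain() {
    d="$1"; mkdir -p "$d"; write_cnf "$d/openssl.cnf"
    # 1. CA key plus CA certificate; this is the only self-signed cert in the chain.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -days 365 -config "$d/openssl.cnf" -extensions v3_ca >/dev/null 2>&1
    # 2. Server key plus CSR carrying the LDAP server's hostname.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=ldap.example.test" -config "$d/openssl.cnf" >/dev/null 2>&1
    # 3. The CA signs the server certificate, so it is no longer self-signed.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.crt" -days 90 -extfile "$d/openssl.cnf" -extensions v3_server >/dev/null 2>&1
}

# verify_with_ca DIR: what a client that trusts ca.crt sees (exit 0 means OK).
verify_with_ca() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }

# verify_without_ca DIR: a client without the CA fails, as in the ldapsearch trace above.
verify_without_ca() { openssl verify "$1/server.crt" >/dev/null 2>&1; }
```

On the client side, "configure it appropriately" comes down to pointing the OpenLDAP client at ca.crt (the TLS_CACERT option in ldap.conf, which the thread does not name); err 18 in the trace is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, exactly the case step 3 removes.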