
Re: fedora and openldap



On 04/13/2011 08:27 AM, Judith Flo Gaya wrote:
here it is, thanks!


# certutil -d /etc/openldap/cacerts/ -L "name cert"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

name cert                                                  CTu,u,u

# certutil -V -u V -d /etc/openldap/cacerts/ -n "name cert"
certutil: certificate is valid
please post the output of
certutil -L -d /etc/openldap/cacerts -n "name cert"
# certutil -L -d /etc/openldap/cacerts -n "server cert"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:af:0e:09:e3:b5:c0:13:3f
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "E=jflo@imppc.org,CN=server.fdqn,OU=linux,O=company,L=Badalona,ST=Barcelona,C=ES"
        Validity:
            Not Before: Tue Apr 12 15:44:55 2011
            Not After : Mon Jan 06 15:44:55 2014
        Subject: "E=jflo@imppc.org,CN=server.fdqn,OU=linux,O=company,L=Badalona,ST=Barcelona,C=ES"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    b8:53:e1:82:9d:af:b9:0c:33:95:a6:5f:b2:bc:9b:5c:
                    38:e9:f9:8a:64:48:fd:61:ee:93:65:f1:d0:61:9e:c7:
                    0f:b6:c5:9a:77:36:5a:c1:b9:cb:2e:bf:21:a8:bd:81:
                    68:98:fa:60:77:8a:9b:9b:73:24:2a:9b:9b:c4:53:0c:
                    cb:44:83:d4:bd:2c:8c:19:7c:e4:c8:24:e4:bf:e7:ff:
                    b6:1f:fe:71:eb:00:d7:c4:22:1a:f3:9a:30:5c:85:90:
                    08:05:c0:7d:a3:73:7c:6e:3f:60:73:ad:84:bf:82:c7:
                    fe:b9:20:66:2a:44:88:38:20:e6:50:70:cd:5f:a9:5f:
                    75:59:30:3d:c4:83:06:11:12:b3:1e:dc:5c:a9:75:f0:
                    b8:45:17:99:c9:c8:0e:94:19:a2:e4:bb:da:15:6d:77:
                    99:3a:f2:77:74:09:c1:6b:ef:5d:68:51:91:90:45:13:
                    12:51:88:11:7a:51:3d:7d:fa:1f:f4:d7:be:2e:68:9f:
                    d7:5b:d8:ee:eb:5d:b2:1a:34:3e:2f:1d:26:89:03:46:
                    fd:b7:70:c0:b5:30:81:77:c6:12:42:8d:d9:b1:86:b1:
                    eb:cd:ac:88:15:8a:c2:c5:99:a2:1d:c0:59:6b:49:81:
                    9f:7e:06:bc:b2:64:a5:ad:08:c8:8c:79:a7:7a:df:87
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                c4:a3:f8:6c:51:45:55:07:46:19:c5:f1:ed:12:42:c5:
                58:93:df:e3

            Name: Certificate Authority Key Identifier
            Key ID:
                c4:a3:f8:6c:51:45:55:07:46:19:c5:f1:ed:12:42:c5:
                58:93:df:e3

            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        1d:12:4c:2a:2b:0d:8d:a3:ae:b6:88:7f:84:e8:50:d6:
        b4:92:d0:50:ea:85:9a:d8:b5:5f:c1:02:ff:16:00:e7:
        ca:bd:2c:00:a6:a1:61:d1:3f:ff:06:34:e4:0a:31:49:
        05:b4:f6:fd:2a:40:84:8a:72:f7:cc:f7:ee:23:5f:b8:
        35:18:32:25:e2:6a:3b:51:e2:08:7e:37:1b:99:4d:12:
        bc:9d:b0:fd:89:41:9e:33:31:17:e8:cf:bb:c4:f3:f2:
        5a:c9:88:f4:cb:cb:79:70:af:7d:6e:0e:59:ca:cc:7f:
        a6:4e:7d:2c:b1:04:a7:90:1a:08:7d:74:4d:5c:6b:71:
        13:ec:e7:54:e0:b8:16:2f:19:e7:d6:bf:27:30:3e:30:
        15:56:ed:08:76:cb:b5:22:78:fb:96:62:22:da:d8:67:
        ad:69:92:83:56:89:39:09:f0:a1:da:cd:70:aa:c1:f3:
        9a:9c:6a:d8:a3:72:13:2f:a2:6d:18:5f:9e:e5:82:e9:
        8a:57:1b:8f:d9:f7:6c:78:3a:3f:92:61:15:1c:df:4e:
        ae:d9:9e:62:29:00:cf:71:31:70:18:1b:05:24:4b:cf:
        9f:62:30:1d:38:9a:e6:a9:e5:0a:f3:fb:8e:5a:fc:20:
        a5:81:c9:b7:0c:a3:8c:a2:e5:31:e2:43:03:ca:a8:ba
    Fingerprint (MD5):
        93:AB:C5:56:6F:59:06:1A:49:8D:A4:71:40:25:D1:7E
    Fingerprint (SHA1):
        34:45:77:64:9F:4F:7B:90:27:23:CC:B8:0A:97:E2:BF:95:01:B6:3B

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User


Also post the output of
openssl x509 -in /path/to/the/server-cert.pem -text
# openssl x509 -in /etc/openldap/cacerts/curri3-cert.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux, CN=server.fdqn/emailAddress=jflo@imppc.org
        Validity
            Not Before: Apr 12 15:55:56 2011 GMT
            Not After : Jan  6 15:55:56 2014 GMT
        Subject: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux, CN=client.fdqn/emailAddress=jflo@imppc.org
I notice that the format of the Issuer here does not match the format of the Subject, but that may be just a difference in the way moznss and openssl handle the "/emailAddress=...". You could confirm by doing openssl x509 -in /path/to/cacert.pem -text

I don't know - I don't see anything obviously wrong here.

If you think this is a problem with openldap+moznss (that is, if you can get it to work with openldap+openssl), please file a bug/its.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cc:d8:b1:b4:fa:48:96:d8:60:8a:40:91:48:1b:
                    f8:27:8c:f0:d8:d7:6e:73:7a:6d:15:fa:75:11:24:
                    d4:a1:b7:7f:10:7e:cf:76:93:31:02:46:07:74:ab:
                    28:5b:6a:5b:87:d9:27:73:2a:9c:21:25:c9:79:df:
                    40:47:15:53:c9:b3:db:f4:b4:b6:38:34:c5:5c:f1:
                    97:7b:a4:ff:19:7d:aa:4c:f0:7e:18:0b:be:57:c6:
                    17:b5:0b:84:f6:4e:6e:98:8d:7e:39:20:b9:f7:b5:
                    2a:03:66:d7:06:25:9f:19:a6:fe:12:86:24:b6:21:
                    25:62:90:88:ea:8b:62:db:e7:41:15:93:36:01:e4:
                    09:f7:08:ea:6e:32:e2:68:79:ec:0d:ff:d0:9e:7c:
                    b1:b3:da:13:3a:c0:58:dc:6a:f2:28:d2:ca:cf:44:
                    e6:af:71:0a:57:e7:eb:39:3a:ea:70:cb:ed:86:6d:
                    06:c9:d7:78:ab:63:5f:3a:89:67:bc:39:ed:e8:f7:
                    43:6a:5e:92:78:c1:00:e3:2b:0c:7f:cb:3c:5c:b9:
                    07:ae:31:9b:ef:b2:eb:5c:70:63:f8:5c:22:6b:ed:
                    bc:69:e5:6b:19:18:51:f2:73:72:4c:9e:47:f1:f2:
                    d7:38:3b:52:18:81:ef:c9:72:50:83:08:38:38:6b:
                    ce:73
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        83:ed:11:d4:08:2a:f6:10:41:c9:01:30:b1:60:2d:ed:1f:12:
        80:b9:b4:d3:98:f9:a4:ea:42:ac:89:b2:db:a1:98:77:54:82:
        86:17:fa:06:db:9d:db:41:f2:24:cf:b8:08:67:de:b5:d1:c2:
        7d:94:06:ef:74:57:9d:7a:f8:a8:62:d2:4d:71:11:e6:07:bd:
        b1:18:fa:c4:d7:3b:a6:57:42:fc:65:a5:27:e4:64:51:66:83:
        22:33:4f:6b:ee:b3:8d:9f:29:a4:af:e9:5e:e8:91:79:d6:bd:
        8f:4d:b6:d6:74:ea:96:c4:75:ea:3c:c5:71:9b:28:4d:00:93:
        2d:02:38:03:d4:84:f2:af:73:d3:fd:f7:31:2f:33:2b:d3:ac:
        47:68:9d:48:2f:5d:a0:6d:6d:8a:73:c7:c9:3e:4d:ad:5f:ef:
        07:39:20:1e:1f:46:f7:7c:4b:e1:5e:7d:3d:4d:a2:7f:6e:f0:
        c4:c2:8d:90:5d:cf:77:52:a7:33:f4:e8:97:c8:da:1b:73:ea:
        c9:50:2c:ed:6d:2f:db:1d:02:f3:0d:a8:d0:df:d1:3e:8f:15:
        db:53:4d:4d:85:5f:a4:c8:80:68:b7:ed:d2:f2:07:a0:e4:12:
        d1:95:36:8b:81:53:d3:82:9d:46:d6:6e:77:6b:6e:bb:6f:62:
        d0:ba:28:32
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

The server just complains about the tls communication:
  (TLS negotiation failure)

Do you think it is necessary to recompile the server so that the TLS is done by moznss on both sides...
No.  That is not the problem.

Thanks for your help,
j
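The two questions the reply above is circling, whether the client certificate really chains to the CA and whether the Issuer/Subject display difference between certutil and openssl means anything, can be settled offline without either LDAP side. The script below is an added example, not code from this thread or from OpenLDAP: it builds a throwaway CA and a client certificate with DNs copied from the thread, plus a second CA with the same DN but a different key (a constructed "stale CA" scenario, standing in for a CA that was regenerated after the client cert was issued), and shows that DN equality, which is all `-text` output lets you eyeball, is not chain validity. The file names, the `stale-ca` scenario and the helper function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA plus a client cert
# signed by it, then run the checks that actually decide whether the client
# cert chains to the CA. Paths, helper names and the "stale CA" scenario are
# constructed for illustration; only the DN values mirror the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CA_SUBJ="/C=ES/ST=Barcelona/L=Badalona/O=company/OU=linux/CN=server.fdqn/emailAddress=jflo@imppc.org"
LEAF_SUBJ="/C=ES/ST=Barcelona/L=Badalona/O=company/OU=linux/CN=client.fdqn/emailAddress=jflo@imppc.org"

# Self-signed CA; "$1" is the output basename. Called twice with the same DN
# so that the second CA is indistinguishable from the first in -text output
# except for its key and signature.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "$CA_SUBJ" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Client cert signed by the CA whose basename is "$1".
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$LEAF_SUBJ" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -days 365 -sha256 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/client.pem" 2>/dev/null
}

# The check that matters: does the leaf ($2) chain to the CA ($1)?
# This verifies the signature, not just the names.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# DN comparisons that ignore pretty-printing. openssl's default one-line form
# and NSS's "E=...,CN=...,C=ES" are renderings of the same DER; RFC 2253 output
# lists components most-specific-first, as certutil does, and the hashes are
# computed over the encoded names.
issuer_rfc2253()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//';  }
subject_rfc2253() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
issuer_hash()     { openssl x509 -in "$1" -noout -issuer_hash;  }
subject_hash()    { openssl x509 -in "$1" -noout -subject_hash; }

make_ca good-ca
make_leaf good-ca
make_ca stale-ca      # same DN, different key (constructed failure case)

echo "leaf issuer : $(issuer_rfc2253 "$WORK/client.pem")"
echo "CA subject  : $(subject_rfc2253 "$WORK/good-ca.pem")"

for ca in good-ca stale-ca; do
    if verify_chain "$WORK/$ca.pem" "$WORK/client.pem"; then
        echo "$ca: chain OK"
    else
        echo "$ca: chain FAILS even though issuer_hash $(issuer_hash "$WORK/client.pem")" \
             "matches subject_hash $(subject_hash "$WORK/$ca.pem")"
    fi
done
```

The point of the `stale-ca` run is that every name-based comparison passes for it (same RFC 2253 string, same `-subject_hash`), and only `openssl verify`, which is what the TLS handshake does, rejects it. When eyeballing `-text` output from two different toolkits, compare DNs with `-nameopt RFC2253` or the hashes rather than the default rendering, and then run `openssl verify -CAfile cacert.pem client-cert.pem` against the exact PEM the server side trusts. On an OpenLDAP client built against OpenSSL, `TLS_CACERT` in ldap.conf pointing at that same PEM and `ldapsearch -ZZ -d 1` exercise the identical verification during StartTLS.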