
Re: Problem verifying self signed certificate



> Here's the output of a test I ran:
>
> [root@log1 openldap]# openssl s_client -connect localhost:389 -showcerts
> -state -CAfile /usr/share/ssl/certs/cacert.pem
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> 24425:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:
>
> For a bit more detail on the possible nature of the handshake failure,
> here is a snippet from the attempt to run a replication over TLS:
>
> TLS certificate verification: depth: 1, err: 19, subject:
> /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
> Certificate Authority/emailAddress=inoc@glocalnet.com, issuer:
> /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet
> Certificate Authority/emailAddress=inoc@glocalnet.com
> TLS certificate verification: Error, self signed certificate in
> certificate chain
> tls_write: want=7, written=7
>   0000:  15 03 01 00 02 02 30                               ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_start_tls failed: Connect error (-11)
> ldap_unbind
> ldap_free_connection
> ldap_send_unbind
> ber_flush: 7 bytes to sd 6
>   0000:  30 05 02 01 02 42 00                               0....B.
> ldap_write: want=7, written=7
>   0000:  30 05 02 01 02 42 00                               0....B.
> ldap_free_connection: actually freed
> fm: exiting
>

Hi James,

Please could you show the TLS configuration from your slapd.conf and also
the ldap.conf file on the client side?

Sam
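
As an added example, not part of the thread: the two hex dumps in the quoted trace are worth decoding, because they show which side gave up. `15 03 01 00 02 02 30` is a TLS alert record that the client itself wrote (`tls_write`), level 2 (fatal), description 48 (unknown_ca), and `30 05 02 01 02 42 00` is the LDAP UnbindRequest it sent right after. So the replication consumer, not the server, aborted the handshake after failing to verify the presented chain at depth 1 with err 19 (self signed certificate in certificate chain), which is the error OpenSSL reports when the CA certificate that issued the server certificate is not in the client's trust store. The script below was written for this reply and is not code from the original posters; the byte strings are copied from the trace, the decoders and name tables are constructed here from the TLS and LDAP specifications. One caveat on the first test, independent of any certificate setting: port 389 is the plaintext LDAP port, so `openssl s_client -connect localhost:389` without a StartTLS option (`-starttls ldap` in recent OpenSSL releases) sends a raw ClientHello to a listener expecting LDAP and cannot complete a handshake; port 636 (ldaps) or a StartTLS-aware client is needed to exercise the server's TLS setup.

```python
"""Decode the raw bytes an OpenLDAP client prints under debugging when a
StartTLS handshake fails.  Added example, not code from the thread; the two
byte strings are copied from the quoted trace, the decoders and name tables
are constructed here from RFC 5246 (TLS) and RFC 4511 (LDAP)."""
import struct

# Constructed sample input: the two hex dumps in the quoted trace.
TLS_ALERT_BYTES = bytes.fromhex("15030100020230")    # "tls_write: want=7, written=7"
LDAP_UNBIND_BYTES = bytes.fromhex("30050201024200")  # "ber_flush: 7 bytes to sd 6"

TLS_CONTENT_ALERT = 0x15
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}

# OpenSSL X509 verify codes as printed in "TLS certificate verification: ... err: N".
X509_VERIFY_ERRORS = {
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self signed certificate",                        # depth 0: the leaf itself
    19: "self signed certificate in certificate chain",   # depth >= 1: untrusted CA
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

LDAP_APPLICATION_OPS = {
    0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest", 3: "SearchRequest",
    4: "SearchResultEntry", 5: "SearchResultDone", 23: "ExtendedRequest",
    24: "ExtendedResponse",
}


def parse_tls_alert(record):
    """Decode a plaintext TLS Alert record: 5-byte record header plus 2-byte body."""
    if len(record) != 7:
        raise ValueError("alert record must be exactly 7 bytes")
    ctype, major, minor, length, level, desc = struct.unpack("!BBBHBB", record)
    if ctype != TLS_CONTENT_ALERT or length != 2:
        raise ValueError("not a TLS alert record")
    return {
        "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
        "level": ALERT_LEVELS.get(level, str(level)),
        "code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, f"alert-{desc}"),
    }


def read_tlv(buf, pos=0):
    """Read one BER element at buf[pos] and return (tag, value, next_pos).
    Single-byte tags and definite lengths only, which is all LDAP uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def parse_ldap_message(buf):
    """Decode an LDAPMessage envelope:
    SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] ... }."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    id_tag, id_val, pos = read_tlv(body)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_val, _ = read_tlv(body, pos)
    if op_tag & 0xC0 != 0x40:               # class bits 01 = APPLICATION
        raise ValueError("protocolOp must carry an APPLICATION tag")
    op_num = op_tag & 0x1F
    return {
        "message_id": int.from_bytes(id_val, "big", signed=True),
        "op": LDAP_APPLICATION_OPS.get(op_num, f"application-{op_num}"),
        "op_length": len(op_val),
    }


def explain_verify_error(code):
    """Map an 'err: N' value from the TLS trace to OpenSSL's verify result text."""
    return X509_VERIFY_ERRORS.get(code, f"X509 verify error {code}")


if __name__ == "__main__":
    print("TLS write :", parse_tls_alert(TLS_ALERT_BYTES))
    print("LDAP write:", parse_ldap_message(LDAP_UNBIND_BYTES))
    print("err 19    :", explain_verify_error(19))
```

Reading the alert this way tells you where to look: a fatal unknown_ca written by the client means the fix belongs in the client's trust configuration (the CA certificate the consumer is told to trust), not in the server's certificate or key.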