TLS/SSL problem - unsupported certificate purpose
Hello,
I found a very similar and recent post on the mailing list, but no solution.
Maybe I missed something.
I migrated my OpenLDAP server from Debian Sarge (slapd 2.2.23-8)
to Debian Etch (slapd 2.3.30-5).
On Sarge all was working fine (LDAP server with and without SSL),
but now SSL access is unusable.
Using clear access (port 389), the LDAP server works fine.
With SSL, I checked all my certificates (Root CA and LDAP certificate) and
renewed all of them, without success.
Always the same error message,
although everything seems OK about the certificates.
# openssl x509 -in LDAPserver-cert.pem -text -noout
========================
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=France, O=MYDOMAIN, CN=mydomain.net Root CA/emailAddress=user@mydomain.net
Validity
Not Before: Apr 19 21:47:31 2007 GMT
Not After : Apr 18 21:47:31 2008 GMT
Subject: C=FR, ST=France, L=Nice, O=MYDOMAIN, CN=fully_qualified_name_machine.mydomain.net/emailAddress=user@mydomain.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c2:20:97:ed:17:fa:d5:87:bd:c8:1e:36:4c:e5:
3e:30:25:2b:e1:35:71:89:9f:68:55:38:41:e2:00:
.........
75:5b:c4:bd:62:dc:43:df:b2:9c:9f:c9:e5:bd:fb:
9e:bb:fc:51:ba:60:3e:53:6c:e9:b3:85:56:9a:7e:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
Object Signing
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CE:19:D6:9C:..............................
X509v3 Authority Key Identifier:
keyid:4D:58:60:..............................
Signature Algorithm: sha1WithRSAEncryption
48:f0:90:2f:93:cb:ae:93:3f:ac:c9:d8:7e:2f:95:1f:9b:86:
ca:aa:34:a7:f0:63:e4:aa:1d:47:8d:ad:6f:ed:e1:d6:58:7d:
....................................................
30:b5:37:21:c5:3e:1a:f3:f6:29:1a:17:6d:c6:fb:06:d2:44:
20:24:b4:9e
=============================
# ldapsearch -d1 -x -H ldaps://localhost:636/
gives me the following answer:
==================================
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 26,
subject: /C=FR/ST=France/L=Nice/O=MYDOMAIN/CN=fully_qualified_name_machine.mydomain.net/emailAddress=user@mydomain.net,
issuer: /C=FR/ST=France/O=MYDOMAIN/CN=my domain.net RootCA/emailAddress=user@mydomain.net
TLS certificate verification: Error, unsupported certificate purpose
TLS trace: SSL3 alert write:fatal:unsupported certificate
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
============================================
I'm just wondering what's wrong.
I've been searching for a few days.
Is something wrong with LDAP server 2.3.30?
Did I miss some evidence?
If someone can shed any light on this, please do, because I feel alone without any solution.
--
Regards.
Jean-Claude
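The certificate dump above carries the extension "Netscape Cert Type: Object Signing" and nothing that marks it as an SSL server certificate, and the client side reports verification error 26, which is OpenSSL's X509_V_ERR_INVALID_PURPOSE. OpenSSL's sslserver purpose check rejects any certificate that has an nsCertType extension without the server bit set, so the cert is refused before the hostname or the chain matter. The script below is an added example, not part of the original post or of OpenLDAP: it builds a throwaway CA and two server certificates (all names are placeholders), one with nsCertType = objsign as in the post and one with nsCertType = server, and runs the same purpose check OpenSSL performs during the handshake against each.

```shell
#!/bin/sh
# Added example: reproduce "unsupported certificate purpose" with a
# throwaway CA, then show the nsCertType value that passes the check.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA (constructed; placeholder names, not the poster's).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/O=EXAMPLE/CN=example.test Root CA" -days 1 2>/dev/null

# One CSR, reused for both server certificates below.
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/O=EXAMPLE/CN=ldap.example.test" 2>/dev/null

# sign_with NSCERTTYPE OUTFILE: issue an end-entity cert from srv.csr
# whose only X509v3 extensions are CA:FALSE and the given nsCertType.
sign_with() {
  printf 'basicConstraints=CA:FALSE\nnsCertType=%s\n' "$1" > ext.cnf
  openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile ext.cnf -out "$2" 2>/dev/null
}

# sslserver_bit CERT: print "Yes" or "No" from the "SSL server" line of
# `openssl x509 -purpose`, i.e. whether OpenSSL considers the cert usable
# as a TLS server certificate at all.
sslserver_bit() {
  openssl x509 -in "$1" -noout -purpose | awk -F' : ' '$1 == "SSL server" { print $2 }'
}

# purpose_ok CERT: exit 0 if the cert verifies against ca.pem with the
# sslserver purpose (the check a TLS client applies to a server cert),
# non-zero otherwise. Error 26 = "unsupported certificate purpose".
purpose_ok() {
  openssl verify -purpose sslserver -CAfile ca.pem "$1" >/dev/null 2>&1
}

sign_with objsign bad.pem    # what the poster's certificate looks like
sign_with server  good.pem   # what a TLS server certificate needs

for cert in bad.pem good.pem; do
  if purpose_ok "$cert"; then verdict=accepted; else verdict=REJECTED; fi
  echo "$cert: SSL server bit = $(sslserver_bit "$cert"), sslserver purpose $verdict"
done
```

`openssl x509 -in LDAPserver-cert.pem -noout -purpose` is the quick check to run on a certificate that produces this error: a "SSL server : No" line means a TLS client will refuse it for that purpose regardless of how the CA chain is set up, and re-issuing the certificate with a server-type nsCertType (or without the Netscape extension at all) is what changes the answer.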