Re: CA cert installed/imported but they are not trusted
Sander Temme wrote:

On Apr 9, 2010, at 3:02 AM, Götz Reinicke - IT Koordinator wrote:

> [r...@ldap1 ~]# openssl s_client -connect ldap1.filmakademie.de:389 -showcerts -CAfile /etc/openldap/CA_falu/CA.pem
> CONNECTED(0003)
> 5066:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> What the hell ... hmm. What may be missing/wrong?

389 is plaintext. LDAP-over-SSL runs on 636.

S.

--
san...@temme.net http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
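Following on from that reply, here is an added example (shell, written for this page; it is not code posted by anyone in the thread) of what the s_client check looks like once it is pointed at the LDAPS port. It connects to host:636, verifies the server chain against the private CA with -CAfile, and reduces the output to a pass/fail verdict. The host names and the CA path /etc/openldap/CA_falu/CA.pem are the thread's own values used for illustration; the three sample s_client transcripts embedded at the bottom are constructed, not captured from those servers.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: probe an LDAPS
# endpoint (port 636, as the reply above says) with openssl s_client,
# verify the chain against the private CA, and reduce the output to a
# pass/fail verdict. Host names and the CA path are the thread's own,
# used here only as illustrative values.
set -eu

# Numeric "Verify return code" from s_client output. 0 = chain verified
# against -CAfile; otherwise the OpenSSL X509 verify error number
# (19 = self-signed CA not in -CAfile). Prints 255 when no handshake
# completed, which is what the plaintext port 389 produces.
verify_code() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$code" ]; then printf '%s\n' "$code"; else printf '255\n'; fi
}

# CN of the server certificate from the "subject=" line, in both the
# "/C=DE/CN=host" and the newer "C = DE, CN = host" layouts. s_client in
# the 0.9.8 era does not compare this with the host you connected to, so
# the caller has to.
cert_cn() {
    printf '%s\n' "$1" \
        | sed -n 's/^subject=.*CN *= *\([^/,]*\).*/\1/p' \
        | head -n 1 \
        | sed 's/[[:space:]]*$//'
}

# One-line verdict: "ok" only if the chain verified AND the certificate
# was issued for the host we meant to reach.
verdict() {
    host=$1; output=$2
    code=$(verify_code "$output")
    cn=$(cert_cn "$output")
    if [ "$code" = "255" ]; then
        echo "no TLS handshake (plaintext port or server down)"
    elif [ "$code" != "0" ]; then
        echo "chain NOT trusted (verify error $code)"
    elif [ "$cn" != "$host" ]; then
        echo "chain ok but certificate is for '$cn', not '$host'"
    else
        echo "ok"
    fi
}

# Live probe. </dev/null makes s_client exit after the handshake instead
# of waiting for input; the exit status is the verdict, so this works
# in a cron job or monitoring check.
check_ldaps() {
    host=$1; port=${2:-636}; cafile=${3:-/etc/openldap/CA_falu/CA.pem}
    output=$(openssl s_client -connect "$host:$port" -showcerts \
                 -CAfile "$cafile" </dev/null 2>&1) || true
    result=$(verdict "$host" "$output")
    echo "$host:$port -> $result"
    [ "$result" = "ok" ]
}

# Constructed s_client transcripts (not captured from the thread's
# servers): a verified chain, a CA the client does not trust, and the
# handshake failure the thread shows on port 389.
SAMPLE_OK='CONNECTED(00000003)
depth=1 /C=DE/O=Filmakademie/CN=CA_falu
verify return:1
---
subject=/C=DE/O=Filmakademie/CN=ldap2.filmakademie.de
issuer=/C=DE/O=Filmakademie/CN=CA_falu
---
SSL-Session:
    Verify return code: 0 (ok)
---'
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=1 /C=DE/O=Filmakademie/CN=CA_falu
verify error:num=19:self signed certificate in certificate chain
---
subject=/C=DE/O=Filmakademie/CN=ldap2.filmakademie.de
issuer=/C=DE/O=Filmakademie/CN=CA_falu
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'
SAMPLE_PLAINTEXT='CONNECTED(00000003)
5063:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:'

for sample in "$SAMPLE_OK" "$SAMPLE_UNTRUSTED" "$SAMPLE_PLAINTEXT"; do
    echo "sample -> $(verdict ldap2.filmakademie.de "$sample")"
done

# Real check when given arguments, e.g.:
#   sh ldaps-check.sh ldap2.filmakademie.de 636 /etc/openldap/CA_falu/CA.pem
if [ $# -ge 1 ]; then
    check_ldaps "$@"
fi
```

Two caveats a practitioner should keep in mind. First, "Verify return code: 0" only says the chain leads to something in -CAfile; s_client of the 0.9.8 generation does no hostname check, which is why the script compares the CN with the host itself (a server certificate for ldap2 presented by ldap1 would otherwise pass). Second, port 389 is plaintext until the client negotiates STARTTLS, so the s_client command in the thread can never succeed there; the equivalent test on 389 is `ldapsearch -ZZ -H ldap://ldap2.filmakademie.de -x -b '' -s base` with `TLS_CACERT /etc/openldap/CA_falu/CA.pem` in ldap.conf (OpenSSL 1.1.1 and later also accept `s_client -starttls ldap`). To check a chain with no network at all, `openssl verify -CAfile CA.pem server.pem` gives the same verify error numbers.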
Re: CA cert installed/imported but they are not trusted
Did you check with openssl s_client? Just try

openssl s_client -connect hostname:port -showcerts -CAfile CAcertificate

Regards
Arava

On Thu, Apr 8, 2010 at 7:25 PM, Götz Reinicke - IT Koordinator <goetz.reini...@filmakademie.de> wrote:

> Hello, and one more thing,
>
> recently I started to set up a master/slave OpenLDAP system with TLS/certs (Red Hat 5.x, openssl-0.9.8e-12, openldap-2.3.43-3).
>
> For that purpose I set up a CA, generated certs, requests and keys, and installed them on the corresponding servers and my OS X client, and my LDAP servers communicate nearly as I expected. So does my local LDAP client (Apache Directory Studio (ADS) on Mac OS X 10.6.x).
>
> Nearly, because the servers and the ADS client both alert me that I use invalid certificates and the certificate can't be validated.
>
> But I have, e.g. on the Mac, imported my CA cert into the Mac's keychain (once for System, once for login) and the use for everything (SSL, IPsec, X.509, ...) is set to trust.
>
> Maybe I did something wrong, or what may I check and how?
>
> Thanks a lot and best regards,
>
> Götz
Re: CA cert installed/imported but they are not trusted
Hi,

not yet. I'm still not totally familiar with the different checking methods. So thanks for your suggestion.

ldap master - ldap slave

[r...@ldap1 ~]# openssl s_client -connect ldap2.filmakademie.de:389 -showcerts -CAfile /etc/openldap/CA_falu/CA.pem
CONNECTED(0003)
5063:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

ldap master - ldap master

[r...@ldap1 ~]# openssl s_client -connect ldap1.filmakademie.de:389 -showcerts -CAfile /etc/openldap/CA_falu/CA.pem
CONNECTED(0003)
5066:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

What the hell ... hmm. What may be missing/wrong?

Regards,

Götz

On 09.04.10 08:48, aravamudan ranganathan wrote:

> Did you check with openssl s_client? Just try
>
> openssl s_client -connect hostname:port -showcerts -CAfile CAcertificate
>
> Regards
> Arava
>
> On Thu, Apr 8, 2010 at 7:25 PM, Götz Reinicke - IT Koordinator <goetz.reini...@filmakademie.de> wrote:
>
>> [...]
CA cert installed/imported but they are not trusted
Hello, and one more thing,

recently I started to set up a master/slave OpenLDAP system with TLS/certs (Red Hat 5.x, openssl-0.9.8e-12, openldap-2.3.43-3).

For that purpose I set up a CA, generated certs, requests and keys, and installed them on the corresponding servers and my OS X client, and my LDAP servers communicate nearly as I expected. So does my local LDAP client (Apache Directory Studio (ADS) on Mac OS X 10.6.x).

Nearly, because the servers and the ADS client both alert me that I use invalid certificates and the certificate can't be validated.

But I have, e.g. on the Mac, imported my CA cert into the Mac's keychain (once for System, once for login) and the use for everything (SSL, IPsec, X.509, ...) is set to trust.

Maybe I did something wrong, or what may I check and how?

Thanks a lot and best regards,

Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt
Re: CA cert installed/imported but they are not trusted
On Apr 8, 2010, at 6:55 AM, Götz Reinicke - IT Koordinator wrote:

> So does my local LDAP client (Apache Directory Studio (ADS) on Mac OS X 10.6.x). Nearly, because the servers and the ADS client both alert me that I use invalid certificates and the certificate can't be validated.
>
> But I have, e.g. on the Mac, imported my CA cert into the Mac's keychain (once for System, once for login) and the use for everything (SSL, IPsec, X.509, ...) is set to trust.

I have never used Apache DS, but since it runs on Eclipse, I would not be surprised if it did not use the Mac Keychain. Try adding the CA cert to the Java Keystore used by the JVM.

S.

--
san...@temme.net http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF