Dieter Kluenter wrote:
> Hi,
> [...]
> The value of X509v3 Authority Key Identifier keyid in your
> servercert.pem is identical to the value in your cacert.pem, it is a
> proof of the correct cacert, if the value differs you have signed your
> servercert with the wrong cacert.
>
Hi,
I have done:
oracle:/etc/openldap # openssl x509 -in servercrt.pem -text > servercrt.txt
oracle:/etc/openldap # openssl x509 -in cacert.pem -text > cacert.txt
and here are parts of these files:
oracle:/etc/openldap # grep -i keyid servercrt.txt
keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
oracle:/etc/openldap # grep -i keyid cacert.txt
keyid:90:4F:E9:05:AA:38:FC:D9:21:45:B0:BD:A5:2E:B3:5B:E9:59:38:AF
I assume that these keyids must be the same?
>> I've read that I have to set the common name to my FQDN (of the server),
>> but I don't understand the reason. What does "checked and validated by
>> the clients" mean? Must the name resolve to an IP, or what does "validated" mean?
>
> A search string contains a hostname, i.e.
> ldapsearch -H ldap://my.host.mydomain
> In any configuration file you define an LDAP host. This hostname is
> checked against the CN of a certificate; if these don't match, the
> search string is not valid. A good dictionary will give you more
> information on validation.
Sorry, I don't understand that. Now I tried only from
the server oracle.hhb.bonn.de with the command
ldapsearch -h oracle.hhb.bonn.de -b "dc=hhb,dc=bonn,dc=de" -D "cn=manager,dc=hhb,dc=bonn,dc=de" -x -W -ZZ -d1
and the following entries in /etc/openldap/ldap.conf
------------
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_REQCERT allow
ssl start_tls
host oracle.hhb.bonn.de
base dc=hhb,dc=bonn,dc=de
TLS_CACERT /etc/openldap/cacert.pem
----------------------
Again, no success with TLS:
[...]
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I don't know where to search for hints. Any ideas?
Thanks
Karsten
>
> -Dieter
>
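The two checks Dieter describes (server cert Authority Key Identifier equal to the CA's Subject Key Identifier, and CN equal to the host name the client uses) can be scripted instead of read off by eye. The script below is an added example, not code from either poster; it assumes openssl is in PATH and takes the PEM files and host name as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl in PATH and PEM
# certificate files given as arguments; file names follow the thread.

# Print the colon-separated hex key identifier on the line after the named
# extension header in "openssl x509 -text" output, e.g. 90:4F:...:AF.
# Works with and without the "keyid:" prefix older OpenSSL versions print
# in front of the Authority Key Identifier; prints nothing if absent.
keyid_from_text() {   # $1 = extension name, stdin = -text output
    awk -v ext="$1" '
        found { if (match($0, /([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]/))
                    print toupper(substr($0, RSTART, RLENGTH))
                exit }
        index($0, ext) { found = 1 }'
}

# Print the CN from the certificate subject.
cn_of() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds only if the server cert's Authority Key Identifier equals the
# CA cert's Subject Key Identifier AND openssl accepts the signature chain
# (a matching keyid alone does not prove the signature is the CA's).
check_signed_by() {   # $1 = server cert, $2 = CA cert
    aki=$(openssl x509 -in "$1" -noout -text | keyid_from_text "Authority Key Identifier")
    ski=$(openssl x509 -in "$2" -noout -text | keyid_from_text "Subject Key Identifier")
    if [ -z "$aki" ] || [ "$aki" != "$ski" ]; then
        echo "keyid mismatch: server AKI='$aki' CA SKI='$ski'" >&2
        return 1
    fi
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# Succeeds only if the CN is exactly the host name the client will use
# (ldapsearch -h / -H, or "host" in ldap.conf). Newer clients also accept
# a matching DNS entry in subjectAltName, which this check does not read.
check_hostname() {   # $1 = server cert, $2 = host name
    cn=$(cn_of "$1")
    if [ "$cn" != "$2" ]; then
        echo "CN '$cn' does not match host '$2'" >&2
        return 1
    fi
}

# usage: sh check_ldap_cert.sh servercrt.pem cacert.pem oracle.hhb.bonn.de
if [ $# -eq 3 ]; then
    check_signed_by "$1" "$2" && check_hostname "$1" "$3" && echo "OK: $1 for $3"
fi
```

These checks only validate the files on disk; the alert in the trace above is sent by the server while the client is still reading the server hello, so the server's own debug output is the next place to look.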