----- Original Message Follows -----
From: Hallvard B Furuseth <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: Re: [ldap] Re: TLS negotiation failure
Date: Mon, 19 Mar 2007 17:13:27 +0100

> [EMAIL PROTECTED] writes:
> > Thanks Hallvard. I have started ldaps like *slapd -h
> > ldaps://0.0.0.0:636/ -d 1* so ldaps on port 636
> >
> > here is the config.php of php-ldap-admin
> > (...)
> > $ldapservers->SetValue($i,'server','host','127.0.0.1');
> > $ldapservers->SetValue($i,'server','port','636');
> > (...)
> > $ldapservers->SetValue($i,'server','tls',true);
>
> Hi, back from holiday.. If you haven't figured this out
> yet:

Hi Hallvard, welcome back. Thanks for your suggestions. But I have already tested with port 389 and got the same "TLS negotiation failure" error. Please note I have a self-signed CA, and all certificates are created by the CA.sh script that comes with Linux. The hostname used in the certificate is the same as that of the machine. *ldapsearch -ZZ* is working well. So do you think I am still missing anything? Thanks a lot.

> I don't know what your PHP code means, but maybe the last
> statement means to use the StartTLS LDAP request (with the
> LDAP protocol) rather than using 'ldaps'. If so you
> should use port 389 (or not specify the port, maybe then
> you get the proper protocol's default), and listen using
> slapd -h 'ldap:// ...'.
>
> Another possibility:
>
> You must connect to a hostname which is listed in the
> server's certificate. So if you connect to '127.0.0.1',
> the server certificate must include that in its Subject
> Alt Name. Which is unusual. Does yours?
>
> The client needs to know the server cert or the CA
> certificate which signed it, so that it can verify the
> server certificate. If it cannot be verified, or if the
> hostname/address you connected to does not match a
> hostname/addr in the cert, that might be due to an attack.
> So the client should reject the connection.
>
> Finally, note that the loopback device (127.0.0.1) should
> be unsnoopable since a connection to it is not a network
> connection, so you shouldn't need TLS in this case.
>
> --
> Regards,
> Hallvard
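The distinction Hallvard draws (ldaps:// = TLS from the first byte on 636, StartTLS = a cleartext LDAP ExtendedRequest on 389 that then upgrades the same socket) is easy to get wrong from a two-line config. The following is an added example, not code from the thread, from phpLDAPadmin or from OpenLDAP: it builds and parses the two LDAP PDUs of a StartTLS exchange with a minimal BER encoder, maps the thread's `port`/`tls` pair onto the matching wire protocol, and opens the connection with certificate and hostname verification turned on. It assumes, as Hallvard does and without checking phpLDAPadmin's source, that `'tls' => true` means "StartTLS over ldap://"; the sample response bytes are constructed here for illustration.

```python
"""Client-side logic for choosing between ldaps:// and StartTLS.

Added illustration for the thread above; not phpLDAPadmin or OpenLDAP code.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511/4513)


# --- tiny BER helpers, enough for the two PDUs used here ----------------------

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- the two PDUs of the StartTLS exchange (message IDs / codes kept < 128) ---

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }"""
    request_name = ber_tlv(0x80, STARTTLS_OID)          # context tag [0], primitive
    ext_req = ber_tlv(0x77, request_name)                # APPLICATION 23, constructed
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)


def extended_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """Server side: LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    body = (ber_tlv(0x0A, bytes([result_code]))         # resultCode ENUMERATED
            + ber_tlv(0x04, b"")                         # matchedDN
            + ber_tlv(0x04, diag.encode("utf-8")))      # diagnosticMessage
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x78, body))


def parse_extended_response(buf: bytes, expect_id: int = 1):
    """Return (resultCode, diagnosticMessage); raise if this is not an ExtendedResponse."""
    tag, msg, _ = ber_read(buf)
    if tag != 0x30:
        # A TLS record (0x15 alert / 0x16 handshake) lands here when the peer
        # was already speaking TLS, i.e. the client sent StartTLS to an ldaps:// port.
        raise ValueError(f"not an LDAPMessage, first byte 0x{tag:02x}")
    tag, mid, pos = ber_read(msg)
    if tag != 0x02 or int.from_bytes(mid, "big") != expect_id:
        raise ValueError("unexpected messageID")
    tag, resp, _ = ber_read(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, rc, pos = ber_read(resp)
    _, _matched_dn, pos = ber_read(resp, pos)
    _, diag, _ = ber_read(resp, pos)
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


# --- mapping the thread's two config values onto a wire protocol ---------------

def plan_connection(host: str, port: int, tls_flag: bool):
    """Return (mode, url, warning_or_None).

    Assumption (Hallvard's reading of the config, not checked against
    phpLDAPadmin's source): tls_flag means "StartTLS over ldap://", not ldaps://.
    """
    if tls_flag:
        warn = None
        if port == 636:
            warn = ("StartTLS begins with a cleartext LDAP ExtendedRequest; an ldaps:// "
                    "listener on 636 expects a TLS ClientHello instead. Use port 389 with "
                    "slapd -h ldap://, or drop the tls flag and use ldaps:// on 636.")
        return "starttls", f"ldap://{host}:{port}/", warn
    if port == 636:
        return "ldaps", f"ldaps://{host}:{port}/", None
    return "plain", f"ldap://{host}:{port}/", "no TLS on this connection at all"


def tls_connect(host: str, port: int, mode: str, cafile: str, timeout: float = 5.0):
    """Open the socket the way `mode` requires, verifying the server certificate
    against cafile and checking that `host` matches it (an IP SAN for 127.0.0.1)."""
    ctx = ssl.create_default_context(cafile=cafile)     # CERT_REQUIRED + check_hostname
    sock = socket.create_connection((host, port), timeout)
    if mode == "starttls":
        sock.sendall(starttls_request(1))                # plain LDAP first ...
        code, diag = parse_extended_response(sock.recv(4096), expect_id=1)
        if code != 0:                                    # 0 = success
            sock.close()
            raise ConnectionError(f"StartTLS refused: resultCode={code} {diag!r}")
    elif mode != "ldaps":
        raise ValueError("mode must be 'ldaps' or 'starttls'")
    return ctx.wrap_socket(sock, server_hostname=host)   # ... then TLS on the same socket


if __name__ == "__main__":
    print("StartTLS request:", starttls_request().hex())
    print(plan_connection("127.0.0.1", 636, True))       # the thread's config
```

With the thread's values (host 127.0.0.1, port 636, tls=true) `plan_connection` returns the `starttls` mode together with the port/protocol warning; with `tls=false` on 636 it returns `ldaps`. `tls_connect` is deliberately strict: the default context refuses an unverifiable certificate and a name mismatch, which is the behaviour Hallvard asks the client to have, so a self-signed CA must be passed as `cafile` and a connection to 127.0.0.1 needs that address in the certificate's SAN.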
