Hi,

On Friday, 2. September 2005 08:35, James Wilde wrote:
> I've googled on this problem and found a number of situations, none of
> which has given me a lead to solving my problem.
>
> On our certificate server, running Openssl v0.9.7f, I have created a
> self signed CA certificate which so far has worked well.
>
> Now I'm setting up an Openldap server as follows: It's running RedHat
> Enterprise Linux v4, Openssl v0.9.7a and Openldap v2.2.13. I've had any
> amount of trouble making sasl work and given up in favour of TLS. Now
> I'm having problems with this and it seems to be related to the validity
> of the CA certificate.
>
> Here's the output of a test I ran:
>
> [EMAIL PROTECTED] openldap]# openssl s_client -connect localhost:389 -showcerts -state -CAfile /usr/share/ssl/certs/cacert.pem
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> 24425:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
>
> For a bit more detail on the possible nature of the handshake failure,
> here is a snippet from the attempt to run a replication over TLS:
>
> TLS certificate verification: depth: 1, err: 19, subject: /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet Certificate Authority/[EMAIL PROTECTED], issuer: /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet Certificate Authority/[EMAIL PROTECTED]
> TLS certificate verification: Error, self signed certificate in certificate chain
> tls_write: want=7, written=7
> 0000: 15 03 01 00 02 02 30 ......0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_err2string
> Error: ldap_start_tls failed: Connect error (-11)
> ldap_unbind
> ldap_free_connection
> ldap_send_unbind
> ber_flush: 7 bytes to sd 6
> 0000: 30 05 02 01 02 42 00 0....B.
> ldap_write: want=7, written=7
> 0000: 30 05 02 01 02 42 00 0....B.
> ldap_free_connection: actually freed
> fm: exiting
>
> I'd very much appreciate a hint as to what might be the problem and how
> to fix it.
AFAIK this is expected behaviour, as you cannot use a self-signed server certificate with OpenLDAP. OpenLDAP expects you to use a server certificate that is different from the certificate of the issuing CA.

Peter
-- 
Peter Marschall
eMail: [EMAIL PROTECTED]
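As an added example, not code from the thread, from OpenLDAP or from either poster, the script below builds a throwaway CA and a CA-issued server certificate with openssl and then runs `openssl verify` three ways: with the issuing CA trusted (succeeds), with the CA sent along in the chain but not trusted (reproduces the depth-1 err 19 "self signed certificate in certificate chain" from the slapd trace), and with the CA certificate itself presented as the leaf. It assumes `openssl` (1.1 or later) is on PATH; the subjects, hostnames and file names are hypothetical.

```shell
#!/bin/sh
# Added example: throwaway two-tier PKI to show which chain verifications
# pass and which one reproduces "err: 19" at depth 1. Hypothetical subjects.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_ca NAME CN -> self-signed CA certificate $WORK/NAME.pem and key $WORK/NAME.key
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=SE/O=Example AB/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The CA that issues the LDAP server's certificate (stands in for cacert.pem).
gen_ca ca "Example Root CA"
# An unrelated CA, used only as a trust store that does NOT contain our CA.
gen_ca other "Unrelated Root CA"

# Server key + CSR, then a server certificate signed by the CA. This is the
# certificate slapd should present; the CA certificate is not reused as the
# server certificate.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=SE/O=Example AB/CN=ldap.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 365 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/server.pem" >/dev/null 2>&1

# Case 1: the client trusts the issuing CA (what -CAfile, TLS_CACERT or
# TLSCACertificateFile should point at). Prints "server.pem: OK", exit 0.
verify_server_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem"
}

# Case 2: the server sends its CA in the chain (-untrusted) but the client's
# trust store holds a different root. Prints "error 19 at 1 depth lookup:
# self-signed certificate in certificate chain" and exits non-zero: the same
# depth-1 err 19 the slapd trace reports.
verify_without_trusted_ca() {
  openssl verify -CAfile "$WORK/other.pem" -untrusted "$WORK/ca.pem" "$WORK/server.pem"
}

# Case 3: the CA certificate presented as if it were the server certificate,
# with only an unrelated root trusted: a self-signed leaf, error 18 at depth 0.
verify_ca_as_leaf() {
  openssl verify -CAfile "$WORK/other.pem" "$WORK/ca.pem"
}

echo "--- CA-signed server cert, issuing CA trusted:"
verify_server_cert
echo "--- same cert, CA only in the sent chain, not trusted:"
verify_without_trusted_ca || true
echo "--- CA cert presented as the leaf:"
verify_ca_as_leaf || true
```

Against a live server the equivalent check is `openssl s_client -connect host:636 -CAfile cacert.pem`, since 636 is the ldaps port; port 389 speaks plain LDAP and only switches to TLS via StartTLS, so a bare s_client handshake against 389 fails before any certificate is exchanged. On the slapd side the CA certificate belongs in `TLSCACertificateFile` and the issued certificate and key in `TLSCertificateFile` / `TLSCertificateKeyFile`; the client's trust anchor is `TLS_CACERT` in ldap.conf.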
