> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:[EMAIL PROTECTED]
> Sent: Sunday, September 04, 2005 7:51 PM
> To: Peter Marschall
> Cc: James Wilde; [email protected]
> Subject: Re: Problem verifying self signed certificate
>
> Of course, it is generally recommended that server certificates
> should be signed by a separate CA certificate.

The server certificate is separate from the CA certificate. The only problem appears to be that the CA certificate is self signed, which, as you say, shouldn't be a problem for openldap.

> Excepting the actual configuration directives
> (see ldap.conf(5)), none of this is actually specific
> to OpenLDAP (as evident from the following):
>
> % openssl s_client -host ldap.openldap.org -port 636 >! openldap.cert
> ...
> verify error:num=18:self signed certificate
> verify return:1
> ...
> [CTRL-D]
> % openssl s_client -host ldap.openldap.org -port 636 -CAfile openldap.cert
> ...
> Verify return code: 0 (ok)
> [CTRL-D]

But:

[EMAIL PROTECTED] certs]# openssl s_client -connect localhost:4433 -showcerts -state -CAfile /usr/share/ssl/certs/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet Certificate Authority/[EMAIL PROTECTED]
verify return:1
depth=0 /C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=log1.glocalnet.net/[EMAIL PROTECTED]
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
...
---
Server certificate
subject=/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=log1.glocalnet.net/[EMAIL PROTECTED]
issuer=/C=SE/L=Stockholm/O=Glocalnet AB/OU=Infrastructure/CN=Glocalnet Certificate Authority/[EMAIL PROTECTED]
---
No client certificate CA names sent
...

...indicates that openssl is working okay and that there is no problem with either the ca certificate or the server certificate.

That leaves incorrect configuration of openldap (server and/or client) on log1 - admittedly the bet that the heavy money is on - or incorrect handling of tls by openldap. So this is specific to OpenLDAP.

//James
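As an added example, not part of this thread, the following shell script reproduces Kurt's check offline instead of against a live server: it builds a self-signed CA, issues a server certificate signed by that CA (the same two-certificate layout as the Glocalnet output above), and runs openssl verify once without and once with the CA file. All names, paths and keys are made up; the -CAfile argument is the openssl-side equivalent of what TLS_CACERT in ldap.conf(5) supplies to an OpenLDAP client.

```shell
#!/bin/sh
# Added example: why a server cert issued by a self-signed CA verifies only
# when the verifier is handed that CA. Everything here is constructed in a
# throwaway directory; nothing refers to a real host or key.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA and a server certificate signed by it (the server
# cert itself is NOT self-signed; only the CA is).
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Lab/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example Lab/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# No trust anchor at all: the chain ends in a CA nobody vouches for, so
# verification fails ("unable to get local issuer certificate").
verify_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# Same server certificate, but the self-signed CA is supplied as the trust
# anchor (-CAfile here; TLS_CACERT in ldap.conf(5) for an OpenLDAP client).
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

make_pki
echo "without CA file: $(verify_without_ca)"   # fail
echo "with CA file:    $(verify_with_ca)"      # ok
```

If the openssl run with the CA file says ok but the LDAP client still rejects the server, the trust anchor is not reaching the LDAP TLS layer, which is the configuration question Kurt points at.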
