Hi Sadique,

The problem is resolved now. Actually the root certificate created was not valid until 17th Oct 10.00 PM. That is why I was facing the issue. But I think, ideally, the certificate created should be valid from the time of creation itself.
Regards,
Monica Rana

-----Original Message-----
From: Sadique Puthen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 18, 2006 12:31 PM
To: Monica_Rana; [email protected]
Subject: Re: FW: Problem in configuring SSL with openldap

This looks like a problem in the way you created CA, Key and Certificate. Can you please explain how you created it? That would be helpful.

Regards,
Sadique

Monica_Rana wrote:
> Hi All,
>
> I have successfully installed and built openLDAP and openSSL.
> Now I need to configure SSL.
> I have followed the link
> http://www.proscrutiny.com/howtos/OpenLDAP.html#confssl-co.
>
> These are the settings in my "slapd.conf"
>
> TLSCipherSuite HIGH:MEDIUM
> TLSCertificateFile /usr/local/etc/openldap/certs/newcert.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/certs/privkey.pem
> TLSCACertificateFile /usr/local/ssl/misc/demoCA/cacert.pem
> TLSCACertificatePath /usr/local/ssl/misc/demoCA
> #TLSRandFile <filename>
> #TLSVerifyClient 0
> -------------------------------------------------------------------------
>
> These are the settings in my "ldap.conf"
> # See ldap.conf(5) for details
> # This file should be world readable but not world wr
>
> HOST 10.152.72.5
> BASE dc=ad,dc=infosys,dc=com
> URI ldap://10.152.72.5 ldap://10.152.72.5:389
> BINDDN "cn=Manager,dc=ad,dc=infosys,dc=com"
>
> SIZELIMIT 12
> TIMELIMIT 25
> #DEREF never
> TLS_CACERT /usr/local/ssl/misc/demoCA/cacert.pem
>
> When I run the command "./slapd -h 'ldap://10.152.72.5:389/ ldaps://10.152.72.5:636/' -d 255", and try to connect to the SSL port, I get the following error messages.
>
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5, got=5
>   0000:  15 03 01 00 02                                     .....
> tls_read: want=2, got=2
>   0000:  02 30                                              .0
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057
> connection_read(12): TLS accept failure error=-1 id=3, closing
> connection_closing: readying conn=3 sd=12 for close
> connection_close: conn=3 sd=12
> daemon: removing 12
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: select: listen=8 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: waked
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: select: listen=8 active_threads=0 tvp=NULL
>
> Could you please suggest what the probable reason for this is? Have I configured something incorrectly? Earlier I had tried with a different CA, but the issue was there. That's why I created the Demo Certification Authority (using openssl). But the issue persists.
>
> Regards,
> Monica Rana
>
>
> -----Original Message-----
> From: Sameer N Ingole [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 12, 2006 6:03 PM
> To: Monica_Rana
> Subject: Re: Problem in configuring SSL with openldap
>
> Hi Monica,
>
> Replying off list because this is more of a Solaris/OpenSSL issue.
> Please ignore my last mail, it was obscure.
>
> If you are referring to Openssl installation, you may want to take a look at this http://www.sunfreeware.com/openssh8.html
>
> Else download OpenSSL from:
> ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/openssl-0.9.8d-sol8-sparc-local.gz
>
> If you are referring to OpenSSL source installation (downloaded from openssl.org) then there are a few things to note:
> Sun does not ship include libraries (for Solaris 9, I guess). You would want to compile the shared version of the libraries; it defaults to static. By default it is compiled gnu-shared, and for Solaris you need to specify solaris-shared instead of gnu-shared.
>
> So generally you would do this:
> edit the Configure script - find solaris-x86-gcc or solaris-sparcv9-gcc etc. as suitable
> * Change "gnu-shared" to "solaris-shared".
> * add "-R/usr/local/ssl/lib " just before "-lsocket"
>
> So now your configure command would look something like..
>
> ./Configure solaris-x86-gcc shared
>
> Some of the above things might be inconsistent as the last time I worked on Solaris was 11 months back.
>
> Regards,
>
> Sameer Ingole.
> http://weblogic.noroot.org/gallery2/
>
> Monica_Rana wrote:
>
>> Hi Sameer,
>>
>> I have followed the below mentioned steps:
>> 1. $ ./config
>> 2. $ make
>> 3. $ make test
>> 4. $ make install
>>
>> All the options ran without any errors.
>> Do I need to do anything extra?
>>
>> Regards,
>> Monica Rana
>>
>> -----Original Message-----
>> From: Sameer N Ingole [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, October 12, 2006 2:34 PM
>> To: [email protected]
>> Cc: Monica_Rana
>> Subject: Re: Problem in configuring SSL with openldap
>>
>> Did you custom compile Openssl?
>> Did you install development libraries for Openssl?
>>
>> I suspect absence of development libraries is causing this problem.
>> Also read http://www.columbia.edu/~ariel/ssleay/rsaref.html
>>
>> Regards,
>>
>> Sameer Ingole.
>> http://weblogic.noroot.org/gallery2/
>>
> <snip>
>
>>> -----Original Message-----
>>> From: Phillip [mailto:[EMAIL PROTECTED]
>>> Sent: Thursday, October 12, 2006 1:07 PM
>>> To: Monica_Rana
>>> Cc: [email protected]
>>> Subject: Re: Problem in configuring SSL with openldap
>>>
>>> Monica,
>>>
>>> Maybe you've made a mistake in setting "env", just try:
>>>
>>> env CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/local/db4/include" LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/db4/lib" ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
>>>
>>> You'd better verify the "include" and "lib" path for SSL and DB.
>>>
>>> Regards,
>>> Phillip
>>>
>>> On Thu, 2006-10-12 at 12:18 +0530, Monica_Rana wrote:
>>>
>>>> Hi All,
>>>>
>>>> I have the following installed on solaris 8.
>>>> openLDAP 2.3.27
>>>> openSSL 0.9.8b.
>>>>
>>>> when I try to configure using the command
>>>> env CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl -I/usr/local/include/db4" LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4" ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
>>>> it throws the error
>>>> checking for openssl/ssl.h... yes
>>>> checking for SSL_library_init in -lssl... no
>>>> checking for ssl3_accept in -lssl... no
>>>> checking OpenSSL library version (CRL checking capability)... yes
>>>> configure: error: Could not locate TLS/SSL package.
>>>>
>>>> Please let me know what could be the possible reason behind this. PFA the config.log file.
>>>>
>>>> Regards,
>>>> Monica Rana
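The root cause Monica reports at the top of the thread is a CA certificate whose notBefore lay in the future, so the server's clock and the certificate's validity window disagreed and the client refused the chain. As an added example (not code from the thread or from OpenLDAP/OpenSSL), here is a stdlib-only Python check that reads notBefore/notAfter straight out of a PEM certificate's DER and reports whether it is not yet valid, expired, or inside its window; the sample certificate bytes are constructed inline, and the thread's "17th Oct 10.00 PM" is taken as UTC for illustration.

```python
import base64
from datetime import datetime, timezone

def tlv(buf, pos):
    """Decode the DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Iterate the TLVs inside a constructed value (SEQUENCE, [0], ...)."""
    while start < end:
        item = tlv(buf, start)
        yield item
        start = item[2]

def validity(cert_der):
    """Return (notBefore, notAfter) of a DER X.509 certificate as UTC datetimes."""
    _, tbs_start, _ = tlv(cert_der, 0)              # Certificate SEQUENCE
    _, s, e = tlv(cert_der, tbs_start)              # TBSCertificate SEQUENCE
    fields = list(children(cert_der, s, e))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields.pop(0)
    _, vs, ve = fields[3]                           # serial, signature, issuer, validity
    times = []
    for tag, ts, te in list(children(cert_der, vs, ve))[:2]:
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
        times.append(datetime.strptime(cert_der[ts:te].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def check_pem(pem, now=None):
    """Classify a PEM certificate as 'not yet valid', 'expired' or 'valid' at time now."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    not_before, not_after = validity(base64.b64decode(b64))
    now = datetime.now(timezone.utc) if now is None else now
    if now < not_before:
        return "not yet valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "valid", not_after - now

def der(tag, body):                     # minimal DER encoder (short lengths only) for the sample
    return bytes([tag, len(body)]) + body

# Constructed sample (not a real signed cert): TBSCertificate fields up to Validity, notBefore = 2006-10-17 22:00Z
SAMPLE_DER = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
    + der(0x30, b"") + der(0x30, der(0x17, b"061017220000Z") + der(0x17, b"071017220000Z"))))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```

Run `check_pem(open("cacert.pem").read())` against the CA file named in slapd.conf; a "not yet valid" result with a positive delta is exactly the clock-skew case from this thread.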
