Hi Klaus,

thanks a lot. Just two minutes ago I finished my two-hour Google look-up, ending in the same direction :-)

A posting from Howard Chu pointed in the right direction:
http://www.openldap.org/lists/openldap-software/200704/msg00129.html

Then off to -> http://www.openssl.org/docs/apps/x509v3_config.html

The next minutes I'll dedicate to you, doing some kowtow. And some more if everything works ;-)

Cheers,

Götz

Klaus Lemkau wrote:
> Hi,
>
>> X509v3 extensions:
>> X509v3 Basic Constraints:
>> CA:FALSE
>> Netscape Cert Type:
>> SSL Server
>
> You can use this certificate only for server, not for
> client authentication.
>
> Netscape Cert Type: should be
> SSL Client, SSL Server
>
> if you would use the certificate as client/server
> (I would prefer this)
>
> or
> SSL Client
>
> if you would use the certificate only as client.
>
> Look for
> nsCertType
> in your OpenSSL configuration file.
>
> manpage: config and x509
>
> --
> Klaus Lemkau
>
>
> On 12.04.2010 11:58, Götz Reinicke - IT-Koordinator wrote:
>> Hi,
>>
>> since a couple of days I try to set up a provider and a consumer over SSL
>> following the documentation in a book [1] and using two servers. (Red
>> Hat 5.x, openssl-0.9.8e-12, openldap-2.3.43-3)
>>
>> Doing so I was confronted with a lot of different warnings/messages, but
>> finally I got the replication encrypted.
>>
>> The final step in the tutorial is to use saslmech=external, but the
>> messages I do get are different from the messages I should get.
>>
>> I noticed and googled some provider debug info and wanted to ask for
>> some proof or clarification or workaround:
>>
>> From the provider log:
>>
>> TLS certificate verification: Error, unsupported certificate purpose
>> ...
>> TLS trace: SSL3 alert write:warning:bad certificate
>> connection_read(13): unable to get TLS client DN, error=49 id=1
>>
>> From a posting from 2006 and the answer from Howard Chu [2] I think I
>> do have the same problem: My consumer server certificate "should be"
>> from the provider's view a client certificate.
>>
>> From the certificate:
>>
>> X509v3 extensions:
>> X509v3 Basic Constraints:
>> CA:FALSE
>> Netscape Cert Type:
>> SSL Server
>>
>> Am I wrong, right, lost, ...? Is there a workaround or any step while
>> creating the certificates?
>>
>> Thanks once more and best regards,
>>
>> Götz
>>
>>
>> [1] http://www.galileocomputing.de/katalog/buecher/titel/gp/titelID-1801
>> [2] http://www.openldap.org/lists/openldap-software/200604/msg00202.html
>>

--
Götz Reinicke
IT Coordinator

Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail [email protected]

Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt
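A way to reproduce the check behind "unsupported certificate purpose" and to see the effect of the nsCertType setting Klaus describes, as an added example that is not part of this thread and not code from either poster: the script builds a throwaway CA and issues two leaf certificates, one with nsCertType = server (as in the quoted certificate) and one with nsCertType = client, server, then asks openssl verify -purpose whether each is acceptable as a TLS client and as a TLS server. The CA name, the consumer hostname, the file names and the extendedKeyUsage line are assumptions of the example, not from the thread; extendedKeyUsage is included because current OpenSSL evaluates it alongside the legacy Netscape extension for the same purpose check.

```shell
#!/bin/sh
# Added example (not from the thread): show why a cert carrying only
# "nsCertType = server" fails OpenSSL's sslclient purpose check.
# CA subject, hostname and file names below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, certs and config

# Build a small CA and two leaf certificates:
#   server_only.crt   nsCertType = server          (the situation in the thread)
#   client_server.crt nsCertType = client, server  (usable for client auth too)
make_pki() {
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$WORK/leaf_ext.cnf" <<'EOF'
[ server_only ]
basicConstraints = CA:FALSE
nsCertType = server
[ client_server ]
basicConstraints = CA:FALSE
nsCertType = client, server
# modern verifiers check extendedKeyUsage next to the legacy nsCertType
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -new -x509 -key "$WORK/ca.key" -config "$WORK/req.cnf" \
        -extensions v3_ca -subj "/CN=Example Test CA" -days 1 \
        -out "$WORK/ca.crt" 2>/dev/null
    serial=1
    for name in server_only client_server; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
        openssl req -new -key "$WORK/$name.key" -config "$WORK/req.cnf" \
            -subj "/CN=consumer.example.test" -out "$WORK/$name.csr" 2>/dev/null
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -set_serial "$serial" -days 1 \
            -extfile "$WORK/leaf_ext.cnf" -extensions "$name" \
            -out "$WORK/$name.crt" 2>/dev/null
        serial=$((serial + 1))
    done
}

# Exit 0 when the CA accepts certificate $1 for purpose $2 (sslclient or
# sslserver), non-zero otherwise. This is the same purpose evaluation that
# the provider's TLS library applies to the consumer's client certificate.
cert_ok_for() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# Print what OpenSSL itself believes the certificate may be used for.
show_purposes() {
    openssl x509 -in "$1" -noout -purpose | grep -E '^SSL (client|server) :'
}

make_pki
for name in server_only client_server; do
    echo "== $name.crt"
    show_purposes "$WORK/$name.crt"
    for purpose in sslclient sslserver; do
        if cert_ok_for "$WORK/$name.crt" "$purpose"; then
            echo "$purpose: OK"
        else
            echo "$purpose: REJECTED"
        fi
    done
done
```

The script needs only the openssl command-line tool. For server_only.crt the sslclient check is the one that fails, with the same "unsupported certificate purpose" verification error seen in the provider log, which is why the provider never obtains a TLS client DN for saslmech=external; client_server.crt passes both checks.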
