Hi,

I am a member of the OpenLDAP core and I have been glueing together the
OpenLDAP slapd (the standalone LDAP server) with OpenSSL. It was easy
and most complications came from it being a multithreaded program that
also does non-blocking I/O, that is, a real pig.

OK, now I have run into a problem. I don't manage to convince Netscape
Communicator to send the client certificate when using LDAP. The same
certificate is sent correctly to Apache/mod_ssl. All that said,
everything would point in my direction, right? Well, I have been
fighting this for several days and I am not so sure. If I tell the
Address Book that my LDAP server is my Apache/mod_ssl, then it fails
too for the same reason:
[error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]
In the case of my slapd, I get:
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
[The above two errors are normal, it would block reading from the
socket and will retry later, remember I said it uses non-blocking
I/O]
daemon: select: listen=4 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7)
connection_get(7): got connid=9
connection_read(7): checking for input on id=9
TLS trace: SSL3 alert read:warning:no certificate
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=4 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7)
connection_get(7): got connid=9
connection_read(7): checking for input on id=9
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
[Same as above]
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:1531
connection_read(7): TLS accept error error=-1 id=9, closing.
If I try s_client against both Apache/mod_ssl and my slapd, it sends
the client certificate in either case. But I think Netscape is using
a different algorithm to determine whether it should send a client
certificate in HTTP and in LDAP. The certificates I created work for
HTTP and not on LDAP.

Does anyone have any hint on how these two methods might differ? I can
provide more info if needed. I have tried the Netscape docs but could
not find anything relevant.
Thanks in advance,
Julio
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
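Added example, not code from Julio's post or from OpenLDAP: a small Python classifier for slapd "TLS trace" output of the shape quoted above. It separates the non-blocking retry lines (handshake state ending in "A", which the post notes are normal would-block retries) from the SSL3 alerts and the final OpenSSL error, so an operator reading the debug log can tell a transient retry from a client that actually declined the certificate request. The sample trace is constructed from the lines quoted above, with the wrapped error joined back onto one line.

```python
import re
from dataclasses import dataclass, field

# Constructed sample trace, modelled on the slapd output quoted in the post.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=4 active_threads=0 tvp=NULL
TLS trace: SSL3 alert read:warning:no certificate
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:1531
connection_read(7): TLS accept error error=-1 id=9, closing.
"""

# "error in ... A" = SSL_accept would block on the socket; slapd retries later.
RETRY_RE = re.compile(r"^TLS trace: SSL_accept:error in SSLv3 .* A$")
ALERT_RE = re.compile(r"^TLS trace: SSL3 alert (read|write):(warning|fatal):(.+)$")
ERR_RE = re.compile(r"^TLS: error:([0-9A-F]{8}):SSL routines:(\w+):(.+?)(?: \S+\.c:\d+)?$")

@dataclass
class HandshakeSummary:
    cert_requested: bool = False      # server sent CertificateRequest
    wantread_retries: int = 0         # harmless non-blocking retries
    alerts: list = field(default_factory=list)   # (direction, level, text)
    error_code: str = ""              # OpenSSL error code from the final "TLS: error" line
    error_reason: str = ""

    @property
    def verdict(self) -> str:
        # Client answered the CertificateRequest with a "no certificate" alert:
        # it had no usable cert for the CA list the server advertised.
        if self.error_code == "140890C7" and ("read", "warning", "no certificate") in self.alerts:
            return "client declined certificate request"
        if self.error_code:
            return "handshake failed: " + self.error_reason
        return "handshake incomplete" if self.cert_requested else "no certificate request seen"

def analyse_trace(text: str) -> HandshakeSummary:
    s = HandshakeSummary()
    for line in text.splitlines():
        if line.endswith("write certificate request A"):
            s.cert_requested = True
        elif RETRY_RE.match(line):
            s.wantread_retries += 1
        elif (m := ALERT_RE.match(line)):
            s.alerts.append(m.groups())
        elif (m := ERR_RE.match(line)):
            s.error_code, s.error_reason = m.group(1), m.group(3)
    return s
```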