Goetz Babin-Ebell wrote:

> >OK, now I have run into a problem.  I don't manage to convince Netscape
> >Communicator to send the client certificate when using LDAP.  The same
> >certificate is sent correctly to Apache/mod_ssl.  All that said,
> >everything would point at my direction, right?  Well, I have been for
> >several days fighting this and I am not so sure.  If I tell the Address
> >Book that my LDAP server is my Apache/mod_ssl, then it fails too for
> >the same reason:
> >
> >[error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> >[Hint: No CAs known to server for verification?]
> 
> You must specify a list of CA certificates.
> Only if Netscape has a client certificate signed by
> one of the certificates in the list,
> it will send a client certificate...

That is only a hint indicating the most probable cause.  It is not the
only possible cause and that cause I have already ruled out.  You are
not reading what I say:  this is the same Apache.  If it were not
sending the CA certificate it would not work with HTTPS either, would
it?
If I connect with https://whatever:443, Netscape does send the client
certificate.  If, however, I try to connect to either my slapd with OpenSSL
or the very same Apache with mod_ssl on that same 443 port from the
Address Book it does not send the client certificate.

So the server not sending the acceptable CA list is not the problem.  It is
that Netscape Address Book uses a different decision logic and something
I do on the CA/server/client certificates is good enough for HTTPS, but
not LDAPS.  What can it be?  If you want to test it out, it is in the
HEAD CVS branch of OpenLDAP at
http://www.openldap.org/software/repo.html.

Julio
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
