Paul Liu <paul_...@kanetix.ca> writes:
> Hi,
>
> I'm trying to use Net::LDAP to do LDAPS authentication against my Server 2008
> Active Directory and I'm having a hard time getting server verification to
> work.
>
> So far, my (super simple) code works if I use verify => none in start_tls,
> but as soon as I set it to "require" or "optional", I get this error:
>
> SSL connect attempt failed with unknown error error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm at ./ldap.pl line
> 23, line 522.
>
> When I test from the command line using OpenSSL s_client it works okay, so I
> don't think it's an OpenSSL problem. But I'm kind of a noob with Perl, so I'm
> not sure what else to debug next.
>
> Here's the relevant code snippet:
>
> #!/usr/bin/perl
> use strict;
> use warnings;
> use Net::LDAP;
>
> # Plain LDAP connection first; TLS is negotiated afterwards by start_tls
> my $ldap = Net::LDAP->new('ho.mydomain.com') or die "LDAP error: $@";
> my $mesg = $ldap->start_tls(
>     sslversion => 'tlsv1',
>     verify     => 'require',
>     capath     => '/etc/ssl/certs/',
> );
> die $mesg->error if $mesg->is_error;
>
> All the certs in the chain are signed with SHA512RSA. Also the CA Cert is
> 4096 bits and the server certs I am checking are all 2048 bits. I thought I
> might be missing a module or something, but I am pretty sure I have all the
> prerequisites installed, including Digest::SHA, Digest::HMAC and
> IO::Socket::SSL. I'm kind of stuck. Has anyone ever had this problem before?
> I'm working with Perl 5.10 on SLES 11 SP1. My OpenSSL version is 0.9.8h.
start_tls is an extended operation on port 389 and an ldap URI; use port 636 and an ldaps URI.

-Dieter

--
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
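Dieter's suggestion applied to Paul's snippet, as an added example that is not code from either poster: the same host and capath as in the question, connecting either over LDAPS on 636 (TLS before any LDAP traffic) or over LDAP on 389 followed by the StartTLS extended operation, with certificate verification required in both cases. The bind DN and password are placeholders, and the peer-certificate check assumes `$ldap->socket` returns the underlying IO::Socket::SSL object, as it does for Net::LDAP TLS connections.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Values from the original post; credentials are placeholders (assumption).
my $host    = 'ho.mydomain.com';
my $capath  = '/etc/ssl/certs/';
my $bind_dn = 'user@mydomain.com';    # placeholder
my $bind_pw = 'changeme';             # placeholder

# TLS options shared by both connection styles. verify => 'require' makes the
# connection fail unless the server chain validates against the CAs in $capath.
my %tls = (verify => 'require', capath => $capath, sslversion => 'tlsv1');

# $mode is 'ldaps' (port 636, TLS first) or 'starttls' (port 389, upgrade later).
sub connect_verified {
    my ($mode) = @_;
    if ($mode eq 'ldaps') {
        # Verification happens inside new(); on failure it returns undef and
        # leaves the reason in $@.
        my $ldap = Net::LDAP->new("ldaps://$host", port => 636, %tls)
            or die "LDAPS connect/verify failed: $@";
        return $ldap;
    }
    # StartTLS: the LDAP session exists before TLS, so failure shows up in
    # the result of the extended operation, not in new().
    my $ldap = Net::LDAP->new("ldap://$host", port => 389)
        or die "LDAP connect failed: $@";
    my $mesg = $ldap->start_tls(%tls);
    die 'StartTLS failed: ' . $mesg->error if $mesg->code;
    return $ldap;
}

# Returns the peer certificate subject so the caller can see which server
# certificate was actually accepted after verification.
sub peer_subject {
    my ($ldap) = @_;
    return $ldap->socket->peer_certificate('subject');    # IO::Socket::SSL
}

my $ldap = connect_verified($ARGV[0] // 'ldaps');
print "Verified server certificate: ", peer_subject($ldap), "\n";

my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die 'Bind failed: ' . $mesg->error if $mesg->code;
print "Bind OK\n";
$ldap->unbind;
```

Run it as `./ldap.pl ldaps` or `./ldap.pl starttls`; in either mode a chain that does not validate against the CAs in the capath stops the script before any credentials are sent.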