Paul Liu <paul_...@kanetix.ca> writes: > Hi, thanks for the info. I still have the same error with LDAPS > instead of TLS. The behaviour is the same too, it works if I don't > require verification, but fails if I do. man s_client(1)
openssl s_client connect ldaphost:636 -CAfile <path to CA> -showcerts -Dieter > -----Original Message----- > From: Dieter Kluenter [mailto:die...@dkluenter.de] > Sent: July-13-10 2:38 AM > To: perl-ldap@perl.org > Subject: Re: Having trouble with TLS and server verification > > Paul Liu <paul_...@kanetix.ca> writes: > >> Hi, >> >> I'm trying to use Net::LDAP to do LDAPS authentication against my Server >> 2008 Active Directory and I'm having a hard time getting server verification >> to work. >> >> So far, my (super simple) code works if I use verify => none in start_tls, >> but as soon as I set it to "require" or "optional", I get this error: >> >> SSL connect attempt failed with unknown error error:0D0C50A1:asn1 encoding >> routines:ASN1_item_verify:unknown message digest algorithm at ./ldap.pl line >> 23, line 522. >> >> When I test from the command line using Openssl s_client it works okay, so I >> don't think it's an OpenSSL problem. But I'm kind of a noob with Perl, so >> I'm not sure what else to debug next. >> >> Here's the relevant code snippet: >> >> #!/usr/bin/perl >> use Net::LDAP; >> >> $ldap = Net::LDAP->new('ho.mydomain.com', >> ) or die "LDAP error"; >> $mesg = $ldap->start_tls( >> sslversion => 'tlsv1', >> verify => 'require', >> capath => '/etc/ssl/certs/', >> ); >> die $mesg->error if $mesg->is_error; >> >> All the certs in the chain are signed with SHA512RSA. Also the CA Cert is >> 4096 bits and the server certs I am checking are all 2048 bits. I thought I >> might be missing a module or something, but I am pretty sure I have all the >> prerequisites installed, including Digest::SHA, Digest::HMAC and >> IO::Socket::SSL. I'm kind of stuck. Has anyone ever had this problem before? >> I'm working with Perl 5.10 on SLES 11 SP1. My OpenSSL version is 0.9.8h. > > start_tls is an extended operation on port 389 and ldap uri, use port > 636 and ldaps uri. > > -Dieter -- Dieter Klünter | Systemberatung sip: 7770...@sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
