Hi there guys.<br><br>Well, I'm making some progress securing my ldap server by reading the list and the oficial how-to, but I'm facing a new problem.<br>So, I've created the certificates using this link.<br><br><a href="http://www.openldap.org/faq/index.cgi?_highlightWords=self%20signed&amp;file=185">
http://www.openldap.org/faq/index.cgi?_highlightWords=self%20signed&amp;file=185</a><br><br><br>Then in my slapd.conf I've got. (server side )<br><br>#security ssf=128  update_ssf=128 simple_bind=128<br>#TLSCipherSuite HIGH:MEDIUM:+SSLv3:+SSLv2:+RSA:+TLSv1 
<br><br>security ssf=1 update_ssf=112 simple_bind=64<br>TLSCipherSuite HIGH:MEDIUM:+SSLv3<br>TLSCACertificateFile /etc/ssl/cacert.pem<br>TLSCertificateFile /etc/ssl/servercrt.pem<br>TLSCertificateKeyFile /etc/ssl/serverkey.pem 
<br>TLSVerifyClient never<br><br>ldap.conf (server side )<br><br>/etc/openldap/ldap.conf<br><br>BASE dc=netwarrior,dc=com<br>URI ldaps://linux:636<br>HOST linux:636<br><br>#BINDDN dc=netwarrior,dc=netwarrior<br><br>#SIZELIMIT 12
<br>#TIMELIMIT 15<br>#DEREF never<br><br>TLS_CACERT /etc/ssl/cacert.pem<br>TLS_REQCERT never<br><br><br>With  this configuration everything seems to work fine, but now, what I want to do is to force my clients to use a certificate to connect, 
<br> so, if I did not misundestrand it wrong, the demand options is a must.<br><br>So, when I change TLSVerifyClient never to demand. I've get the following ( alway on my server )<br><br>linux:/etc/ssl # openssl s_client -connect localhost:636 -state -showcerts -CAfile 
cacert.pem<br>CONNECTED(00000003)<br>SSL_connect:before/connect initialization<br>SSL_connect:SSLv2/v3 write client hello A<br>SSL_connect:SSLv3 read server hello A<br>depth=1 /C=AU/ST=Some State/L=City/O=Internet Widgits Pty Ltd/OU=Section/CN=localhost/emailAddress= 
<a href="mailto:test@company.com">test@company.com</a><br>verify return:1<br>depth=0 /C=AU/ST=Some Even State/L=City/O=Internet Widgits Pty Ltd/OU=Section/CN=localhost/emailAddress=<a href="mailto:test@company.com">test@company.com
</a> <br>verify return:1<br>SSL_connect:SSLv3 read server certificate A<br>SSL_connect:SSLv3 read server certificate request A<br>SSL_connect:SSLv3 read server done A<br>SSL_connect:SSLv3 write client certificate A<br>SSL_connect:SSLv3 write client key exchange A 
<br>SSL_connect:SSLv3 write change cipher spec A<br>SSL_connect:SSLv3 write finished A<br>SSL_connect:SSLv3 flush data<br>SSL3 alert read:fatal:handshake failure<br>SSL_connect:failed in SSLv3 read finished A<br>6274:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40 
<br>6274:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:<br><br><br>Making some searches in the mailing list I found a guy who had the same problem, and he was told that with the<br>demand option we force slapd to ask for a client certificate, and that the client certificate is a must. 
<br>Well, now, I do not get it, cuz I'm authenticating against myself, with teh certificates I generated before,<br>maybe ai have to generate a separate pair of certificates, do not know.<br><br>With never, and always it works as suggested by someone in the list, who said that first we need try a lower option (never, allow ) 
<br>to test if the server works ) my problem is with the demand option.<br><br><br>What am I mising here?<br>Sorry for my stupidity, I do not get it yet.<br><br>Thanks in advance and or your valuable  time.<br><br>Greets.
<br><br>