On Tuesday, 6 March 2007 at 19:08, Pierangelo Masarati wrote:
Angela Gavazzi wrote:
I found out that the problem was double encrypting of the connection:
What does it mean "double encrypting of the connection"?
I mean that if I "force" encryption with demand on the provider and on the consumer, then I think the consumer tries to encrypt an encrypted connection. When I use allow on the consumer it works and is encrypted; I checked it with tcpdump.
It works now if I set TLSVerifyClient to max. allow on the consumer side. All stronger configurations end in: CA unknown.
This makes much more sense: your TLS configuration is broken. Are you using a self-signed certificate? Or, is your certificate signed by the CA to whom the certificate pointed by TLSCACertificateFile belongs?
The certificate is signed by the CA pointed to by TLSCACertificateFile.
Angela
Thanks anyway
Angela
Here the concerning parts of the slapd.conf:
master: ...
...
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/erde.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/erde.aag_key.pem
TLSVerifyClient demand
slave:
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
################## TLSVerifyClient demand ##################
This has to be set to max allow.
... to disallow certificate checking. Fine if that's what you want.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it