Hi list!
I have an installation of OpenLDAP 2.3-19, and I have a problem using TLS/SSL support:
My master server seems to work fine, but when I try to use the command "ldapsearch -x -H ldaps://master.mydomain 'filter'", I get the following error:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
My slapd.conf configuration:
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master-key.pem
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSVerifyClient demand
#
My ldap.conf configuration:
#
Base=mydomain
SIZELIMIT 0
TIMELIMIT 0
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#
My .ldaprc configuration:
#
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#
Error:
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
What does that mean? Which certificates are supported?
I'm using the same certificate for my server and my client.
I googled and found that the error probably means: "This catch-all error message can mean a variety of things which all have to do with an invalid certificate for this connection. It is most frequently triggered when the CN of the certificate doesn't match the hostname of the entity communicating. It can also be a signal that your certificate is beyond its validity period"
But my CN and validity period are ok.
My cert is an X.509v3 certificate, and when I "read" it with openssl I get the following, so I can read it OK:
============
openssl x509 -in master.pem.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:31:33:32:36
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: L=My location, ST=My state, C=My Country/postalCode=232312/streetAddress=My address, CN=Institute , OU=Unit, O=Institute /emailAddress= ca@mydomain
        Validity
            Not Before: Apr  4 00:00:00 2007 GMT
            Not After : Apr  3 00:00:00 2008 GMT
        Subject: L=My location, ST=My statte, C=My country, CN= master.mydomain, OU=Unit, O=Institute /emailAddress= ca@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:53:a7:53:60:2c:57:9b:b9:2a:c8:fa:f3:8e:
                    55:fb:a3:43:5e:9b:10:6a:2a:14:ac:0a:e3:18:2d:
                    86:51:5f:6e:da:da:12:39:de:96:e2:fc:39:bc:ba:
                    b0:ff:10:68:91:88:d6:52:90:f3:c6:09:29:d1:24:
                    18:6c:e5:ea:82:ba:0b:f5:27:04:cd:19:df:9c:2e:
                    25:25:62:5c:d0:71:c8:0b:d4:aa:9c:55:b5:c7:72:
                    9c:83:fc:95:2a:69:e3:35:6e:85:19:db:3c:52:b0:
                    98:bd:48:ad:ba:b6:cb:d2:96:f4:7d:3c:43:4b:76:
                    45:f0:4b:64:1a:41:29:63:5f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://1X.X:X:X:8082
            X509v3 CRL Distribution Points:
                URI:http://url:getcrl
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha1WithRSAEncryption
        2f:81:c3:38:3b:5b:2b:df:dd:52:10:1f:7e:fa:65:03:03:96:
        a3:07:9d:6b:ec:7d:7f:05:31:4d:55:81:9c:06:28:e2:21:df:
        b9:ae:1f:62:e0:01:d0:46:74:01:43:50:43:00:62:40:28:f9:
        be:b6:b2:14:25:00:b7:71:76:3c:20:54:30:8a:94:5b:29:52:
        af:50:ef:21:db:c7:54:6c:cd:d2:58:bc:4f:26:98:fa:b8:0d:
        b5:d1:1f:62:18:df:e2:02:3d:70:f1:a7:90:5a:40:74:f7:5f:
        c2:8f:5d:96:73:5f:4c:b4:1f:3f:b7:49:1c:7a:65:a7:90:c8:
        7a:d0:dd:04:45:0b:65:31:a7:b7:18:f8:24:a2:4c:b5:2b:3d:
        3e:cd:e3:f3:69:27:40:71:bb:a7:73:d9:99:c5:fa:73:d4:98:
        d3:46:2a:2e:d1:9a:45:50:36:f7:bb:f0:f9:86:95:52:d5:7d:
        cc:a7:a9:74:6c:e7:ef:56:a7:b3:f8:d7:e5:c8:81:ee:2d:3e:
        01:20:e7:bb:e6:3e:20:66:55:a6:12:9d:8c:51:0b:93:d4:58:
        86:57:ee:72:db:8a:f5:85:f2:73:b3:ad:6c:9d:e7:b1:3a:36:
        0f:99:09:5f:31:ef:4c:3c:4d:e1:f2:ba:99:74:3e:78:be:97:
        de:4b:0b:0f
================
When I try ldapsearch in debug mode:
# ldapsearch -x -H ldaps://master.mydomain "uid=user" -d1
ldap_create
ldap_url_parse_ext(ldaps://master.mydomain)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP master.mydomain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.X.X.X:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /bla bla bla ....
TLS certificate verification: depth: 0, err: 0, subject: /bla bla bla ...
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Thanks for your responses.
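In the debug trace above the client accepts the server's chain (err: 0 at both depths), writes its own certificate, and only then reads the fatal alert, so the alert is the server's verdict on the client certificate; the dump lists only TLS Web Server Authentication under Extended Key Usage. As an added example (not from the post), this stdlib-only Python walker pulls the EKU OIDs out of a DER X.509 structure and checks for the clientAuth purpose; all function names are mine, and the two sample inputs are constructed extension blocks rather than real certificates.

```python
# Added example, not from the post: a stdlib-only DER walker that lists the Extended
# Key Usage OIDs of an X.509 certificate and checks for the clientAuth purpose.
EKU_EXT, SERVER_AUTH, CLIENT_AUTH = "2.5.29.37", "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"

def tlvs(buf):
    """Split a DER byte string into its (tag, value) elements; handles long-form lengths."""
    pos, out = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                         # long form: next N bytes carry the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(value):
    """Dotted OID from content bytes; the first byte packs the first two arcs."""
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                          # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extended_key_usage(der):
    """EKU OIDs found anywhere in the DER structure (a whole cert works); [] if absent."""
    stack = [(0x30, der)]
    while stack:
        tag, value = stack.pop()
        if not tag & 0x20:                        # only constructed nodes have children
            continue
        try:
            kids = tlvs(value)
            # An extension is SEQUENCE { OID, [BOOLEAN critical], OCTET STRING value }
            if len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04 \
                    and decode_oid(kids[0][1]) == EKU_EXT:
                return [decode_oid(v) for t, v in tlvs(tlvs(kids[-1][1])[0][1]) if t == 0x06]
        except IndexError:                        # truncated or malformed element
            continue
        stack.extend(kids)
    return []

def usable_as_tls_client(der):
    """True when no EKU is present (any purpose allowed) or clientAuth is listed."""
    eku = extended_key_usage(der)                 # Netscape Cert Type is not checked here
    return not eku or CLIENT_AUTH in eku

# Constructed samples: one EKU extension SEQUENCE with serverAuth only, one with both purposes.
SERVER_ONLY = bytes.fromhex("3013 0603551d25 040c 300a 06082b06010505070301")
SERVER_AND_CLIENT = bytes.fromhex("301d 0603551d25 0416 3014 06082b06010505070301 06082b06010505070302")
```

To run it against a real file, base64-decode the body between the PEM armour lines and pass the bytes to extended_key_usage; the same field is what `openssl x509 -text -noout` prints as "X509v3 Extended Key Usage".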