Hi list!
I have an installation of OpenLDAP 2.3-19, and I have a problem using TLS/SSL support:
My master server seems to work fine, but when I try to use the command " ldapsearch -x -H ldaps://master.mydomain 'filter' ", I get the following error:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
My slapd.conf configuration:
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master-key.pem
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSVerifyClient demand
#
My ldap.conf configuration:
#
Base=mydomain
SIZELIMIT 0
TIMELIMIT 0
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#
My .ldaprc configuration:
#
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#
Error:
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
What does that mean? Which ones are supported certificates?
I'm using the same certificate for my server and my client.
I googled and found that the error probably means:
"This catch-all error message can mean a variety of things which all have to do with an invalid certificate for this connection. It is most frequently triggered when the CN of the certificate doesn't match the hostname of the entity communicating. It can also be a signal that your certificate is beyond its validity period"
But my CN and validity period are ok.
My cert is an x509v3 certificate, and when I "read" it with openssl I get the following (so I can read it ok):
============
openssl x509 -in master.pem.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:31:33:32:36
Signature Algorithm: sha1WithRSAEncryption
Issuer: L=My location, ST=My state, C=My Country/postalCode=232312/streetAddress=My address, CN=Institute , OU=Unit, O=Institute /emailAddress=ca@mydomain
Validity
Not Before: Apr 4 00:00:00 2007 GMT
Not After : Apr 3 00:00:00 2008 GMT
Subject: L=My location, ST=My statte, C=My country, CN=master.mydomain, OU=Unit, O=Institute /emailAddress=ca@mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:53:a7:53:60:2c:57:9b:b9:2a:c8:fa:f3:8e:
55:fb:a3:43:5e:9b:10:6a:2a:14:ac:0a:e3:18:2d:
86:51:5f:6e:da:da:12:39:de:96:e2:fc:39:bc:ba:
b0:ff:10:68:91:88:d6:52:90:f3:c6:09:29:d1:24:
18:6c:e5:ea:82:ba:0b:f5:27:04:cd:19:df:9c:2e:
25:25:62:5c:d0:71:c8:0b:d4:aa:9c:55:b5:c7:72:
9c:83:fc:95:2a:69:e3:35:6e:85:19:db:3c:52:b0:
98:bd:48:ad:ba:b6:cb:d2:96:f4:7d:3c:43:4b:76:
45:f0:4b:64:1a:41:29:63:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
OCSP - URI:
http://1X.X:X:X:8082
X509v3 CRL Distribution Points:
URI:http://url:getcrl
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
Netscape Cert Type:
SSL Server
Signature Algorithm: sha1WithRSAEncryption
2f:81:c3:38:3b:5b:2b:df:dd:52:10:1f:7e:fa:65:03:03:96:
a3:07:9d:6b:ec:7d:7f:05:31:4d:55:81:9c:06:28:e2:21:df:
b9:ae:1f:62:e0:01:d0:46:74:01:43:50:43:00:62:40:28:f9:
be:b6:b2:14:25:00:b7:71:76:3c:20:54:30:8a:94:5b:29:52:
af:50:ef:21:db:c7:54:6c:cd:d2:58:bc:4f:26:98:fa:b8:0d:
b5:d1:1f:62:18:df:e2:02:3d:70:f1:a7:90:5a:40:74:f7:5f:
c2:8f:5d:96:73:5f:4c:b4:1f:3f:b7:49:1c:7a:65:a7:90:c8:
7a:d0:dd:04:45:0b:65:31:a7:b7:18:f8:24:a2:4c:b5:2b:3d:
3e:cd:e3:f3:69:27:40:71:bb:a7:73:d9:99:c5:fa:73:d4:98:
d3:46:2a:2e:d1:9a:45:50:36:f7:bb:f0:f9:86:95:52:d5:7d:
cc:a7:a9:74:6c:e7:ef:56:a7:b3:f8:d7:e5:c8:81:ee:2d:3e:
01:20:e7:bb:e6:3e:20:66:55:a6:12:9d:8c:51:0b:93:d4:58:
86:57:ee:72:db:8a:f5:85:f2:73:b3:ad:6c:9d:e7:b1:3a:36:
0f:99:09:5f:31:ef:4c:3c:4d:e1:f2:ba:99:74:3e:78:be:97:
de:4b:0b:0f
================
When I try ldapsearch in debug mode:
# ldapsearch -x -H ldaps://master.mydomain "uid=user" -d1
ldap_create
ldap_url_parse_ext(ldaps://master.mydomain)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP master.mydomain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.X.X.X:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /bla bla bla ....
TLS certificate verification: depth: 0, err: 0, subject: /bla bla bla ...
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Thanks for your responses.
--
@ntonio
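Added example, not part of the original post or of OpenLDAP: the "unsupported certificate" alert in the trace above arrives right after the client has sent its certificate, and it is the alert OpenSSL maps to a failed certificate purpose check (X509_V_ERR_INVALID_PURPOSE) on the verifying side. With TLSVerifyClient demand, slapd verifies the presented certificate for the "SSL client" purpose, and the certificate shown carries only the "TLS Web Server Authentication" extended key usage and the "SSL Server" Netscape type. The script below builds two constructed self-signed certificates with openssl, one with server-only extensions like the posted one and one usable for both roles, and reports which purposes `openssl x509 -purpose` accepts for each; the config section names, file names and function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): check which TLS roles a
# certificate passes OpenSSL's purpose check for. A server that demands a
# client certificate rejects one that fails the "SSL client" purpose.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical request config. The two extension sections differ only in
# extendedKeyUsage / nsCertType: server-only (as in the posted certificate)
# versus server plus client.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = master.mydomain

[ v3_server_only ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server

[ v3_server_and_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = server, client
EOF

# make_cert NAME SECTION: write a constructed self-signed certificate and key
# to $WORK/NAME.pem and $WORK/NAME-key.pem using extension section SECTION.
make_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" \
        -config "$WORK/req.cnf" -extensions "$2" >/dev/null 2>&1
}

# cert_purpose_ok FILE PURPOSE: succeed if `openssl x509 -purpose` reports
# "PURPOSE : Yes"; PURPOSE is "SSL client" or "SSL server".
cert_purpose_ok() {
    openssl x509 -in "$1" -noout -purpose | grep -q "^$2 : Yes"
}

# cert_roles FILE: print the TLS roles the certificate may be used for as a
# comma-separated list: "server", "server,client", "client" or "none".
cert_roles() {
    roles=""
    if cert_purpose_ok "$1" "SSL server"; then roles="server"; fi
    if cert_purpose_ok "$1" "SSL client"; then
        roles="${roles:+$roles,}client"
    fi
    printf '%s\n' "${roles:-none}"
}

make_cert server_only v3_server_only
make_cert server_and_client v3_server_and_client

for name in server_only server_and_client; do
    printf '%-18s roles: %s\n' "$name" "$(cert_roles "$WORK/$name.pem")"
done
```

Running `cert_roles` against the real master.pem from the post is the quick way to see which purposes slapd will accept it for; a certificate that is meant to serve both as the server's certificate and as a client certificate needs both serverAuth and clientAuth in its extended key usage (and both server and client in nsCertType, if that extension is present at all), as the second section above shows.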