Hi list!

I have an installation of OpenLDAP 2.3-19 and I have a problem using TLS/SSL support:

My master server seems to work fine, but when I try to use the command "ldapsearch -x -H ldaps://master.mydomain 'filter'", I get the following error:

ldap_bind: Can't contact LDAP server (-1)

        additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate


My slapd.conf configuration:
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master-key.pem
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSVerifyClient demand
#

My ldap.conf configuration:
#
Base=mydomain
SIZELIMIT       0
TIMELIMIT       0

TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY  /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#

My .ldaprc configuration:
#
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY  /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#


Error:

TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate

What does that mean? Which certificates are supported?

I'm using the same certificate for my server and my client.

I googled and found that the error probably means:
"This catch-all error message can mean a variety of things which all have to do with an invalid certificate for this connection. It is most frequently triggered when the CN of the certificate doesn't match the hostname of the entity communicating. It can also be a signal that your certificate is beyond its validity period"

But my CN and validity period are ok.

My cert is an x509v3 certificate, and when I "read" it with openssl I get the following (so I can read it ok):
============
 openssl x509 -in master.pem.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:31:33:32:36
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: L=My location, ST=My state, C=My Country/postalCode=232312/streetAddress=My address, CN=Institute , OU=Unit, O=Institute /emailAddress= ca@mydomain
        Validity
            Not Before: Apr  4 00:00:00 2007 GMT
            Not After : Apr  3 00:00:00 2008 GMT
        Subject: L=My location, ST=My statte, C=My country, CN=master.mydomain, OU=Unit, O=Institute /emailAddress= ca@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI: http://1X.X:X:X:8082

            X509v3 CRL Distribution Points:
                URI:http://url:getcrl

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha1WithRSAEncryption


================


When I try ldapsearch in debug mode:

# ldapsearch -x -H ldaps://master.mydomain "uid=user" -d1

ldap_create
ldap_url_parse_ext(ldaps://master.mydomain)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP master.mydomain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.X.X.X:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /bla bla bla ....
TLS certificate verification: depth: 0, err: 0, subject: /bla bla bla ...
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate


Thanks for your responses.

--
@ntonio
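A check worth running before a certificate is configured as TLS_CERT on the client side: among the verification failures OpenSSL reports to the peer as the "unsupported certificate" alert is a failed purpose check (X509_V_ERR_INVALID_PURPOSE), and with TLSVerifyClient demand the server runs that check against the certificate ldapsearch presents. The example below is added here and is not from the post or from OpenLDAP; it parses the extension block of `openssl x509 -text -noout` output like the one above and applies OpenSSL's client/server purpose rules for Extended Key Usage, Key Usage and Netscape Cert Type, with the sample text constructed from the extensions shown in the post.

```python
"""Added check: from `openssl x509 -text -noout` output, which TLS roles (client,
server) do a certificate's extensions allow? Rules follow OpenSSL's purpose checks."""
from typing import Dict, List, Set

# Constructed sample: the extension section of the server certificate in the post.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha1WithRSAEncryption
"""

def parse_extensions(text: str) -> Dict[str, List[str]]:
    """Map each extension name to its comma-separated values."""
    exts: Dict[str, List[str]] = {}
    name, in_block = None, False
    for line in text.splitlines():
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if not body:
            continue  # openssl prints blank lines after URI-valued extensions
        if body == "X509v3 extensions:":
            in_block = True
        elif in_block and indent <= 8:
            break  # back at the Data/Signature level: block finished
        elif in_block and indent == 12:
            name = body.split(":")[0]  # drops a trailing " critical" marker
            exts[name] = []
        elif in_block and name:
            exts[name].extend(v.strip() for v in body.split(","))
    return exts

def tls_roles(exts: Dict[str, List[str]]) -> Set[str]:
    """Roles OpenSSL's purpose check accepts; an absent extension imposes no restriction."""
    eku = exts.get("X509v3 Extended Key Usage")
    ku = exts.get("X509v3 Key Usage")
    ns = exts.get("Netscape Cert Type")
    roles: Set[str] = set()
    if ((eku is None or "TLS Web Client Authentication" in eku)
            and (ku is None or "Digital Signature" in ku)
            and (ns is None or "SSL Client" in ns)):
        roles.add("client")  # needed for TLS_CERT on the ldapsearch side
    if ((eku is None or "TLS Web Server Authentication" in eku)
            and (ku is None or {"Digital Signature", "Key Encipherment"} & set(ku))
            and (ns is None or "SSL Server" in ns)):
        roles.add("server")  # needed for TLSCertificateFile in slapd.conf
    return roles
```

For the sample above, `tls_roles(parse_extensions(SAMPLE_TEXT))` returns only `{"server"}`; a certificate that is to serve both roles needs both EKU values (and both Netscape Cert Type bits, if that extension is present).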