Frank Cornelissen wrote:
Hello all,
Why does slapd require a peer/client certificate? I'm running slapd 2.3.30 on Debian (package 2.3.30-5 to be precise).
When connecting with SSL to slapd using
ldapsearch -H ldaps://artemis.t310.org -b dc=t310,dc=org -x
I get the following error from slapd (started with -d 8):
TLS: can't accept. TLS: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455
When connecting to the same host but with the ldap protocol (vs ldaps) the search returns results correctly.
This error seems like somehow slapd wants to get a client certificate, but I did not set slapd up that way. The ldap.conf on the client machines only contains the CA certificate field:
TLS_CACERT /usr/share/ca-certificates/t310/t310_pem.crt
Relevant parts from slapd.conf (included in full at the end of the message):
TLSCertificateFile /etc/ldap/artemis-ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/artemis-ldap-key.pem
TLSCACertificateFile /usr/share/ca-certificates/t310/t310_pem.crt
#TLSVerifyClient never
#TLSCRLCheck none
Uncomment the "TLSVerifyClient never" directive here to work around this problem.
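A check worth running before and after touching TLSVerifyClient, as an added example that is not part of this thread: point `openssl s_client -state` at the ldaps port and look at the handshake transcript. The slapd error above says the server asked for a client certificate and got none, and a CertificateRequest from the server shows up in the `-state` output as a "read server certificate request" step, while the "Verify return code" line tells you whether the CA file you pass actually validates the server certificate (the same CA bundle the client's ldap.conf uses). The host, port and CA path in the comment are the ones from the thread; the three transcripts embedded below are constructed so the script runs offline, and the state-string format is assumed to be the one OpenSSL 1.0 through 3.x print.

```shell
#!/bin/sh
# Added example (not from the thread): inspect an `openssl s_client -state`
# transcript to see whether the LDAP server sent a TLS CertificateRequest,
# i.e. asked the client for a certificate, and whether the server's own
# certificate verified against the CA file handed to s_client.
# Host, port and CA path below come from the thread; the sample transcripts
# further down are constructed for illustration.

# Returns 0 when the transcript shows the server asking for a client cert.
# OpenSSL 1.0 prints "SSL_connect:SSLv3 read server certificate request A",
# 1.1/3.x print "SSL_connect:SSLv3/TLS read server certificate request"
# (or "TLSv1.3 ..."), so match on the common substring.
requests_client_cert() {
    printf '%s\n' "$1" | grep -qi 'read server certificate request'
}

# Returns 0 when s_client verified the server chain against -CAfile.
server_cert_verified() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Prints a one-word verdict for a transcript; always returns 0 so it is
# safe to call at top level under `set -e`.
classify() {
    if ! server_cert_verified "$1"; then
        echo "server-cert-unverified"
    elif requests_client_cert "$1"; then
        echo "client-cert-requested"
    else
        echo "no-client-cert-request"
    fi
}

# Live use against a real server (needs network), e.g. the host in the thread.
# -state goes to stderr, the verify result to stdout, hence 2>&1:
#   transcript=$(openssl s_client -connect artemis.t310.org:636 \
#       -CAfile /usr/share/ca-certificates/t310/t310_pem.crt -state </dev/null 2>&1)
#   classify "$transcript"

# Constructed transcript: server asks for a client certificate, chain verifies.
SAMPLE_REQUESTED='CONNECTED(00000003)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
    Verify return code: 0 (ok)'

# Constructed transcript: no CertificateRequest, chain verifies.
SAMPLE_PLAIN='CONNECTED(00000003)
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
    Verify return code: 0 (ok)'

# Constructed transcript: the CA file does not match the server certificate.
SAMPLE_BADCA='CONNECTED(00000003)
SSL_connect:SSLv3/TLS read server certificate
    Verify return code: 19 (self signed certificate in certificate chain)'

classify "$SAMPLE_REQUESTED"   # client-cert-requested
classify "$SAMPLE_PLAIN"       # no-client-cert-request
classify "$SAMPLE_BADCA"       # server-cert-unverified
```

If the live transcript comes back as "client-cert-requested" while the client has no TLS_CERT/TLS_KEY configured, the handshake will fail exactly as in the slapd debug output above; "server-cert-unverified" instead points at the CA file rather than at TLSVerifyClient.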