Greg Martin wrote:
Try adding a corresponding TLSCipherSuite entry to ldap.conf.
Greg
Sorry for the late reply, as I was busy writing an article. Anyhow, I have followed the guidance as suggested.
Now the ldap.conf has become like
----------------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT /etc/openldap/myca/servercert.pem
TLS_KEY /etc/openldap/myca/serverkey.pem
TLS_REQCERT allow
---------------------------------------------------
The slapd.conf is as before
-----------------------------------------------
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
TLSCACertificateFile /etc/openldap/myca/cacert.pem
TLSVerifyClient demand
----------------------------------------------------
But still I have the same problem. *ldapsearch -x -ZZ* reports
------------------------------------------
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
--------------------------------------------
and the log reports
--------------------------------------------------------------------------------
Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 ACCEPT from IP=127.0.0.1:33418 (IP=0.0.0.0:389)
Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 STARTTLS
Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 RESULT oid= err=0 text=
Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 closed (TLS negotiation failure)
----------------------------------------------------------------------------------------
*slapd -d 255* reports
-------------------------------------------
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2471
connection_read(15): TLS accept failure error=-1 id=42, closing
---------------------------
So please help me to solve it. Thanks a lot for the great support so far...
JOYDEEP wrote:
Dear list,
Now *ldapsearch -x -ZZ* is working; but again I have a problem when demanding a certificate from the host. The error is
========================
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
======================================================================
Here is my slapd.conf section for TLS
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/myca/servercert.pem
TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem
TLSCACertificateFile /etc/openldap/myca/cacert.pem
TLSVerifyClient demand
Here is my ldap.conf
TLS_CACERT /etc/openldap/myca/cacert.pem
TLS_CERT /etc/openldap/myca/servercert.pem
TLS_KEY /etc/openldap/myca/serverkey.pem
TLS_REQCERT allow
Please note I have a self-signed certificate.
Thanks
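The slapd log quoted in this thread shows the pattern to watch for when TLSVerifyClient is set to demand: the STARTTLS operation itself is answered with RESULT err=0, and only the later "closed (TLS negotiation failure)" line records that the handshake was aborted because the client sent no certificate (the -d 255 trace says exactly that). Grepping for err!=0 therefore misses these. The script below is an added example, not code from the thread or from the OpenLDAP project: it groups slapd log lines by conn= id and reports connections whose StartTLS was accepted but never reached "TLS established", then counts them per client address. The first four sample lines are the thread's own log; the remaining lines are constructed to show one successful StartTLS and a second failing client (the 192.0.2.10 address is a documentation-range placeholder). Only IPv4 ACCEPT lines are parsed.

```python
import re
from collections import defaultdict

# Constructed sample input. Lines for conn=32 are copied from the thread's log;
# conn=33 (successful StartTLS) and conn=34 (second failing client) are constructed.
SAMPLE_LOG = """\
Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 ACCEPT from IP=127.0.0.1:33418 (IP=0.0.0.0:389)
Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 STARTTLS
Mar 26 12:32:35 linux slapd[7449]: conn=32 op=0 RESULT oid= err=0 text=
Mar 26 12:32:35 linux slapd[7449]: conn=32 fd=15 closed (TLS negotiation failure)
Mar 26 12:33:01 linux slapd[7449]: conn=33 fd=16 ACCEPT from IP=127.0.0.1:33420 (IP=0.0.0.0:389)
Mar 26 12:33:01 linux slapd[7449]: conn=33 op=0 STARTTLS
Mar 26 12:33:01 linux slapd[7449]: conn=33 op=0 RESULT oid= err=0 text=
Mar 26 12:33:01 linux slapd[7449]: conn=33 fd=16 TLS established tls_ssf=256 ssf=256
Mar 26 12:33:02 linux slapd[7449]: conn=33 op=1 UNBIND
Mar 26 12:33:02 linux slapd[7449]: conn=33 fd=16 closed
Mar 26 12:34:10 linux slapd[7449]: conn=34 fd=17 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Mar 26 12:34:10 linux slapd[7449]: conn=34 op=0 STARTTLS
Mar 26 12:34:10 linux slapd[7449]: conn=34 op=0 RESULT oid= err=0 text=
Mar 26 12:34:10 linux slapd[7449]: conn=34 fd=17 closed (TLS negotiation failure)
"""

# Every slapd connection log line carries "conn=<id>" right after the process tag.
LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
# ACCEPT lines name the peer as IP=<addr>:<port> (IPv4 form only, as in the thread).
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[^:]+):(?P<port>\d+)")


def new_record():
    return {"ip": None, "starttls": False, "established": False, "tls_failure": False}


def parse_connections(log_text):
    """Group slapd log lines by connection id and record the TLS-relevant events."""
    conns = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection-scoped slapd line
        rec = conns[int(m.group("conn"))]
        rest = m.group("rest")
        accept = ACCEPT_RE.search(rest)
        if accept:
            rec["ip"] = accept.group("ip")
        elif rest.endswith("STARTTLS"):
            rec["starttls"] = True
        elif "TLS established" in rest:
            rec["established"] = True
        elif "closed (TLS negotiation failure)" in rest:
            rec["tls_failure"] = True
    return dict(conns)


def failed_starttls(conns):
    """Connection ids whose StartTLS request was accepted but whose handshake never completed.

    The RESULT err=0 line is not consulted: slapd returns err=0 for the StartTLS
    operation before the handshake runs, so only the close reason is authoritative.
    """
    return sorted(
        cid for cid, rec in conns.items()
        if rec["starttls"] and rec["tls_failure"] and not rec["established"]
    )


def failures_by_ip(conns):
    """Count failed StartTLS handshakes per client address (None if no ACCEPT line was seen)."""
    counts = defaultdict(int)
    for cid in failed_starttls(conns):
        counts[conns[cid]["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for cid in failed_starttls(conns):
        print(f"conn={cid} from {conns[cid]['ip']}: StartTLS accepted, handshake failed")
    print("failures per client:", failures_by_ip(conns))
```

Run against a real syslog file by replacing SAMPLE_LOG with the file's contents. A single failing connection from the admin's own host, as in the thread, points at client configuration; the same pattern repeated from many addresses after a change to TLSVerifyClient tells you which clients were never given a certificate. One thing worth checking on the client side against ldap.conf(5): TLS_CERT and TLS_KEY are documented there as user-only options, read from ~/.ldaprc or the file named by LDAPRC rather than from the system-wide ldap.conf, so a client certificate configured only in /etc/openldap/ldap.conf is not presented to the server.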