Hi.
Using the -cert or -key options returns the same error, this error arises only when I use the TLSClientVerify demand option as I explained before.
Any clues?
Thanks for your time.
2006/11/6, Howard Chu hyc@symas.com:
Net Warrior wrote:
With this configuration everything seems to work fine, but now, what I want to do is to force my clients to use a certificate to connect, so, if I did not misundestrand it wrong, the demand options is a must.
So, when I change TLSVerifyClient never to demand. I've get the following ( alway on my server )
linux:/etc/ssl # openssl s_client -connect localhost:636 -state -showcerts -CAfile cacert.pem
This invocation of s_client didn't provide the -cert or -key options, so no client certificate was used. Naturally the handshake fails.
Learn to use the OpenSSL tools.
CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=AU/ST=Some State/L=City/O=Internet Widgits Pty Ltd/OU=Section/CN=localhost/emailAddress= test@company.com mailto:test@company.com verify return:1 depth=0 /C=AU/ST=Some Even State/L=City/O=Internet Widgits Pty Ltd/OU=Section/CN=localhost/emailAddress=test@company.com mailto:test@company.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL3 alert read:fatal:handshake failure SSL_connect:failed in SSLv3 read finished A 6274:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40 6274:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
Making some searches in the mailing list I found a guy who had the same problem, and he was told that with the demand option we force slapd to ask for a client certificate, and that the client certificate is a must. Well, now, I do not get it, cuz I'm authenticating against myself, with teh certificates I generated before, maybe ai have to generate a separate pair of certificates, do not know.
With never, and always it works as suggested by someone in the list, who said that first we need try a lower option (never, allow ) to test if the server works ) my problem is with the demand option.
What am I mising here? Sorry for my stupidity, I do not get it yet.
Thanks in advance and or your valuable time.
Greets.
-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/