Hi list!
I have an installation of OpenLDAP 2.3-19 and I have a problem using TLS/SSL support:
My master server seems to work fine, but when I try to use the command "ldapsearch -x -H ldaps://master.mydomain 'filter'", I get the following error:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
My slapd.conf configuration:
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master-key.pem
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSVerifyClient demand
#
My ldap.conf configuration:
#
Base=mydomain
SIZELIMIT 0
TIMELIMIT 0
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#
My .ldaprc configuration:
#
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#
Error:
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
What does that mean? Which certificates are supported?
I'm using the same certificate for my server and my client.
I googled and found that the error probably means: "This catch-all error message can mean a variety of things which all have to do with an invalid certificate for this connection. It is most frequently triggered when the CN of the certificate doesn't match the hostname of the entity communicating. It can also be a signal that your certificate is beyond its validity period."
But my CN and validity period are ok.
My cert is an x509v3 certificate and when I "read" it with openssl I get:
So I can read it ok.
============
openssl x509 -in master.pem.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:31:33:32:36
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: L=My location, ST=My state, C=My Country/postalCode=232312/streetAddress=My address, CN=Institute, OU=Unit, O=Institute/emailAddress=ca@mydomain
        Validity
            Not Before: Apr  4 00:00:00 2007 GMT
            Not After : Apr  3 00:00:00 2008 GMT
        Subject: L=My location, ST=My state, C=My country, CN=master.mydomain, OU=Unit, O=Institute/emailAddress=ca@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:53:a7:53:60:2c:57:9b:b9:2a:c8:fa:f3:8e:
                    55:fb:a3:43:5e:9b:10:6a:2a:14:ac:0a:e3:18:2d:
                    86:51:5f:6e:da:da:12:39:de:96:e2:fc:39:bc:ba:
                    b0:ff:10:68:91:88:d6:52:90:f3:c6:09:29:d1:24:
                    18:6c:e5:ea:82:ba:0b:f5:27:04:cd:19:df:9c:2e:
                    25:25:62:5c:d0:71:c8:0b:d4:aa:9c:55:b5:c7:72:
                    9c:83:fc:95:2a:69:e3:35:6e:85:19:db:3c:52:b0:
                    98:bd:48:ad:ba:b6:cb:d2:96:f4:7d:3c:43:4b:76:
                    45:f0:4b:64:1a:41:29:63:5f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://1X.X:X:X:8082
            X509v3 CRL Distribution Points:
                URI:http://url:getcrl
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: sha1WithRSAEncryption
        2f:81:c3:38:3b:5b:2b:df:dd:52:10:1f:7e:fa:65:03:03:96:
        a3:07:9d:6b:ec:7d:7f:05:31:4d:55:81:9c:06:28:e2:21:df:
        b9:ae:1f:62:e0:01:d0:46:74:01:43:50:43:00:62:40:28:f9:
        be:b6:b2:14:25:00:b7:71:76:3c:20:54:30:8a:94:5b:29:52:
        af:50:ef:21:db:c7:54:6c:cd:d2:58:bc:4f:26:98:fa:b8:0d:
        b5:d1:1f:62:18:df:e2:02:3d:70:f1:a7:90:5a:40:74:f7:5f:
        c2:8f:5d:96:73:5f:4c:b4:1f:3f:b7:49:1c:7a:65:a7:90:c8:
        7a:d0:dd:04:45:0b:65:31:a7:b7:18:f8:24:a2:4c:b5:2b:3d:
        3e:cd:e3:f3:69:27:40:71:bb:a7:73:d9:99:c5:fa:73:d4:98:
        d3:46:2a:2e:d1:9a:45:50:36:f7:bb:f0:f9:86:95:52:d5:7d:
        cc:a7:a9:74:6c:e7:ef:56:a7:b3:f8:d7:e5:c8:81:ee:2d:3e:
        01:20:e7:bb:e6:3e:20:66:55:a6:12:9d:8c:51:0b:93:d4:58:
        86:57:ee:72:db:8a:f5:85:f2:73:b3:ad:6c:9d:e7:b1:3a:36:
        0f:99:09:5f:31:ef:4c:3c:4d:e1:f2:ba:99:74:3e:78:be:97:
        de:4b:0b:0f
================
When I try ldapsearch in debug mode:
# ldapsearch -x -H ldaps://master.mydomain "uid=user" -d1
ldap_create
ldap_url_parse_ext(ldaps://master.mydomain)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP master.mydomain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.X.X.X:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /bla bla bla ....
TLS certificate verification: depth: 0, err: 0, subject: /bla bla bla ...
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Thanks for your responses.
On Tue, Apr 10, 2007 at 10:20:16AM -0500, Antonio Camacho wrote:
> Hi list!
> I have an installation of OpenLDAP 2.3-19 and I have a problem using TLS/SSL support:
> My master server seems to work fine, but when I try to use the command "ldapsearch -x -H ldaps://master.mydomain 'filter'", I get the following
                                                                                           ^^^^^^^^^^^^^^^^^ -Z ?
WBR. Dmitriy
Dmitriy Kirhlarov wrote, on 10. apr 2007 17:28:
>> I have an installation of OpenLDAP 2.3-19 and I have a problem using TLS/SSL support:
>> My master server seems to work fine, but when I try to use the command "ldapsearch -x -H ldaps://master.mydomain 'filter'", I get the following
>                                                                                           ^^^^^^^^^^^^^^^^^ -Z ?
Nope; can't use -Z with ldaps.
--Tonni
Antonio Camacho wrote, on 10. apr 2007 17:20:
[...]
> My slapd.conf configuration:
> #
> TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
> TLSCertificateFile /etc/openldap/cacerts/master.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/master-key.pem
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem

Don't use this:

> TLSVerifyClient demand
> #
> My ldap.conf configuration:
> #
> Base=mydomain
> SIZELIMIT 0
> TIMELIMIT 0
> TLS_CACERT /etc/openldap/cacerts/cacert.pem

Don't use these:

> TLS_CERT /etc/openldap/cacerts/master.pem
> TLS_KEY /etc/openldap/cacerts/master-key.pem
> TLS_REQCERT demand
> My .ldaprc configuration:

~/.ldaprc is redundant; scrap it.

> #
> TLS_CACERT /etc/openldap/cacerts/cacert.pem
> TLS_CERT /etc/openldap/cacerts/master.pem
> TLS_KEY /etc/openldap/cacerts/master-key.pem
> TLS_REQCERT demand

For the rest things look ok.
--Tonni
Tony Earnshaw wrote:
> Antonio Camacho wrote, on 10. apr 2007 17:20:
> [...]
>> My slapd.conf configuration:
>> #
>> TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
>> TLSCertificateFile /etc/openldap/cacerts/master.pem
>> TLSCertificateKeyFile /etc/openldap/cacerts/master-key.pem
>> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
>
> Don't use this:
>
>> TLSVerifyClient demand
>> #

If he's trying to use certificate-based authentication, then he needs that statement.

>> My ldap.conf configuration:
>> #
>> Base=mydomain
>> SIZELIMIT 0
>> TIMELIMIT 0
>> TLS_CACERT /etc/openldap/cacerts/cacert.pem
>
> Don't use these:
>
>> TLS_CERT /etc/openldap/cacerts/master.pem
>> TLS_KEY /etc/openldap/cacerts/master-key.pem

Those two are ignored in ldap.conf anyway.

>> TLS_REQCERT demand

This is the default for a client, and in most cases it ought to remain with that setting.

>> My .ldaprc configuration:
>
> ~/.ldaprc is redundant; scrap it.

No. If he is trying to use certificate-based authentication, then the TLS_CERT and TLS_KEY directives belong in the ~/.ldaprc.
Since he didn't actually state whether he is trying to use cert-based authentication or not, and nobody has actually asked that question yet, you're offering advice without any factual basis for your suggestions.
Find out what the real problem is before offering advice. Find out what the real goal is first.
From the information provided so far, all that's certain is that he has a TLS certificate that is intended for use as a web server authentication certificate. The fact that he's trying to use it in both the server and the client configuration is the problem; the TLS library checks the certificate purpose. The client sent a server cert to the server, and the server won't allow it to be used for client authentication.
So, if the goal is to use certificate-based authentication, then the solution is to generate a proper certificate without any usage restrictions on it, or one that says it can be used for client authentication.
If the goal isn't to use certificate-based authentication, then some of your advice is correct. But you don't know enough at this point to say for certain. Ask for clarification before offering advice.
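An added check, not from the thread, that reproduces the purpose restriction Howard describes using openssl alone: a self-signed cert limited to serverAuth (as the OP's "TLS Web Server Authentication" cert is) is reported unusable as an SSL client, while one that also carries clientAuth passes for both roles. The CN and file names are constructed placeholders; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread: show with openssl alone why a cert whose
# extendedKeyUsage is only serverAuth is refused when the client presents it,
# while a cert that also carries clientAuth is accepted for both roles.
set -eu

# Self-signed throwaway cert: $1 = output basename, $2 = extendedKeyUsage list.
# The CN is a constructed placeholder, not the OP's master.mydomain.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=master.example.test" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Yes/No for one line of `openssl x509 -purpose`; $2 is e.g. "SSL client".
# "SSL client CA : ..." does not match because of the literal " : " anchor.
cert_purpose() {
    openssl x509 -in "$1" -noout -purpose | sed -n "s/^$2 : //p"
}

# One-line verdict: which TLS role(s) this certificate may be used in.
explain() {
    printf '%s: SSL server=%s SSL client=%s\n' "$(basename "$1")" \
        "$(cert_purpose "$1" 'SSL server')" "$(cert_purpose "$1" 'SSL client')"
}

demo() {
    d=$(mktemp -d)
    make_cert "$d/server-only" serverAuth          # what the OP has
    make_cert "$d/dual" serverAuth,clientAuth      # usable on both sides
    explain "$d/server-only.crt"   # server-only.crt: SSL server=Yes SSL client=No
    explain "$d/dual.crt"          # dual.crt: SSL server=Yes SSL client=Yes
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh check-purpose.sh demo`; the same `cert_purpose` call on the real server certificate tells you, before touching slapd, whether it can ever satisfy TLSVerifyClient demand.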
Howard Chu wrote, on 11. apr 2007 08:11:
[...]
> So, if the goal is to use certificate-based authentication, then the solution is to generate a proper certificate without any usage restrictions on it, or one that says it can be used for client authentication.
> If the goal isn't to use certificate-based authentication, then some of your advice is correct.

It seemed to me that OP was simply trying to establish an encrypted connection, as so many have done in the past and slapd was barfing on a missing client cert.

> But you don't know enough at this point to say for certain. Ask for clarification before offering advice.

Indeed. I'll remember that :)
--Tonni
Tony Earnshaw wrote:
> Howard Chu wrote, on 11. apr 2007 08:11:
> [...]
>> So, if the goal is to use certificate-based authentication, then the solution is to generate a proper certificate without any usage restrictions on it, or one that says it can be used for client authentication.
>> If the goal isn't to use certificate-based authentication, then some of your advice is correct.
>
> It seemed to me that OP was simply trying to establish an encrypted connection, as so many have done in the past and slapd was barfing on a missing client cert.

The error message pretty clearly says the certificate is unsupported. That's quite different from saying the certificate is missing. Ignoring the error message will generally lead you down a lot of dead ends...
openldap-software@openldap.org