Hello together,
I am trying to enable TLS on my ldap server. I executed: openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ldap-key.pem -days 999999
and added: TLSCertificateFile /etc/ssl/ldap.pem TLSCertificateKeyFile /etc/openldap/ldap-key.pem TLSVerifyClient demand
to my slapd.conf. To my ldap.conf, I added: TLS_CERT /etc/ssl/ldap.pem TLS_KEY /etc/openldap/ldap-key.pem TLS_REQCERT allow
and tried ldapsearch -x -b 'cn=Manager,dc=lonely-star,dc=org' '(objectclass=*)' -ZZ to test it.
The result is: ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Any suggestions what the problem could be?
Thanks! nathan
Nathan Huesken wrote:
> Hello together,
> I am trying to enable TLS on my ldap server. I executed: openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ldap-key.pem -days 999999
> and added: TLSCertificateFile /etc/ssl/ldap.pem TLSCertificateKeyFile /etc/openldap/ldap-key.pem TLSVerifyClient demand
> to my slapd.conf. To my ldap.conf, I added: TLS_CERT /etc/ssl/ldap.pem TLS_KEY /etc/openldap/ldap-key.pem TLS_REQCERT allow
Re-read ldap.conf(5).
> and tried ldapsearch -x -b 'cn=Manager,dc=lonely-star,dc=org' '(objectclass=*)' -ZZ to test it.
> The result is: ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> Any suggestions what the problem could be?
On Mon, 18 Feb 2008, Nathan Huesken wrote:
> I am trying to enable TLS on my ldap server. I executed: openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ldap-key.pem -days 999999
That creates a self-signed certificate. If you really do have a need to use and issue client certificates, then you'll almost certainly want to issue them from a common CA so that they can be validated more easily. Whether a single CA or multiple levels of CAs is the best match for your needs is a question beyond the scope of this list; you should check the OpenSSL documentation and mailing lists for help on that.
> and added: TLSCertificateFile /etc/ssl/ldap.pem TLSCertificateKeyFile /etc/openldap/ldap-key.pem TLSVerifyClient demand to my slapd.conf.
You should first get TLS working without requiring client certs. Once you have that working correctly and securely, then you can work through the details of getting client certs working on that stable foundation.
> To my ldap.conf, I added: TLS_CERT /etc/ssl/ldap.pem TLS_KEY /etc/openldap/ldap-key.pem
To quote the ldap.conf(5) manpage: "This is a user-only option."
> TLS_REQCERT allow
You want a setup where clients have to present certs, but they don't need to validate the server's cert? That seems counter-productive. I would expect a TLS_CACERT option here instead. Since the server's cert is self-signed, it is its own CA: TLS_REQCERT /etc/ssl/ldap.pem
...at least until you use separate certs for the CA and server.
Philip Guenther
openldap-software@openldap.org
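The two replies above both come down to what ldap.conf(5) documents: TLS_CERT and TLS_KEY are user-only options (honoured in ~/.ldaprc, ignored in the system-wide ldap.conf), TLS_REQCERT takes a level rather than a path, and a self-signed server certificate validates against itself when given as TLS_CACERT. The following checker is an added example, not code from the thread or from the OpenLDAP project; it parses an ldap.conf-style fragment and reports those mistakes, using the configuration Nathan posted and a corrected version as constructed sample input. The function names and the `system_wide`/`server_requires_client_cert` parameters are assumptions of this example.

```python
"""Check an ldap.conf(5)-style client TLS configuration for the mistakes
discussed in the thread.  Added example; the rules encode what the
ldap.conf(5) manpage states, nothing more."""

# Levels ldap.conf(5) accepts for TLS_REQCERT
REQCERT_LEVELS = {"never", "allow", "try", "demand", "hard"}

# Options the manpage marks "user-only": read from ~/.ldaprc or the LDAPRC
# file, silently ignored in the system-wide ldap.conf.
USER_ONLY = {"TLS_CERT", "TLS_KEY"}


def parse_ldap_conf(text):
    """Return (OPTION, value) pairs.  Option names are case-insensitive in
    ldap.conf, so they are upper-cased; values keep their case.  Blank lines
    and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((key, value))
    return entries


def check_client_tls(text, system_wide=True, server_requires_client_cert=False):
    """Return a list of findings for the given ldap.conf text.

    system_wide: True if this is /etc/openldap/ldap.conf rather than ~/.ldaprc
    server_requires_client_cert: True if slapd runs with TLSVerifyClient demand
    (assumed parameters of this example)."""
    opts = dict(parse_ldap_conf(text))
    findings = []

    # TLS_CERT / TLS_KEY in the system-wide file are ignored, so the client
    # never presents a certificate even though the admin thinks it does.
    if system_wide:
        for key in sorted(USER_ONLY & set(opts)):
            findings.append(f"{key} is a user-only option; it is ignored in the "
                            f"system-wide ldap.conf (put it in ~/.ldaprc)")

    reqcert = opts.get("TLS_REQCERT")
    if reqcert is not None and reqcert.lower() not in REQCERT_LEVELS:
        findings.append(f"TLS_REQCERT takes a level "
                        f"({'/'.join(sorted(REQCERT_LEVELS))}), not a path: {reqcert!r}")

    # Without a CA file the client has nothing to validate the server against.
    if "TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the client cannot "
                        "validate the server certificate")

    if reqcert is not None and reqcert.lower() in {"never", "allow"}:
        findings.append(f"TLS_REQCERT {reqcert} accepts an unverifiable server "
                        f"certificate; use demand/hard once TLS_CACERT is set")

    # A server demanding client certs aborts the handshake when none arrives,
    # which is the "handshake failure" alert seen in the thread.
    if server_requires_client_cert:
        presents_cert = (not system_wide) and "TLS_CERT" in opts and "TLS_KEY" in opts
        if not presents_cert:
            findings.append("server has TLSVerifyClient demand but this client "
                            "presents no certificate, so the handshake is rejected")
    return findings


# Constructed sample: the system-wide ldap.conf as posted in the thread.
POSTED_LDAP_CONF = """
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT allow
"""

# Constructed sample: client side corrected for the same self-signed server
# cert, which is its own CA, with client certs left out until basic TLS works.
FIXED_LDAP_CONF = """
TLS_CACERT /etc/ssl/ldap.pem
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_LDAP_CONF), ("fixed", FIXED_LDAP_CONF)):
        print(f"== {name} ==")
        for finding in check_client_tls(conf, system_wide=True,
                                        server_requires_client_cert=True):
            print(" -", finding)
```

Run against the posted configuration with `server_requires_client_cert=True` it reports all five problems (two ignored user-only options, no CA file, a permissive TLS_REQCERT, and the resulting client-certificate rejection); the corrected fragment reports nothing once TLSVerifyClient is relaxed on the server, which is the "stable foundation" the reply recommends building on before adding client certificates.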