I found out that the problem was double encrypting of the connection:
It works now if I set TLSVerifyClient to max. allow on the consumer side. All stronger configurations end in: CA unknown.
Thanks anyway
Angela
Here are the relevant parts of the slapd.conf:

master:
...
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/erde.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/erde.aag_key.pem
TLSVerifyClient demand

slave:
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
################## TLSVerifyClient demand ##################
This has to be set to max. allow.
Angela Gavazzi wrote:
I found out that the problem was double encrypting of the connection:
What does "double encrypting of the connection" mean?
It works now if I set TLSVerifyClient to max. allow on the consumer side. All stronger configurations end in: CA unknown.
This makes much more sense: your TLS configuration is broken. Are you using a self-signed certificate? Or is your certificate signed by the CA to which the certificate pointed to by TLSCACertificateFile belongs?
Thanks anyway
Angela
Here are the relevant parts of the slapd.conf:

master:
...
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/erde.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/erde.aag_key.pem
TLSVerifyClient demand

slave:
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
################## TLSVerifyClient demand ##################
This has to be set to max. allow.
... to disallow certificate checking. Fine if that's what you want.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it ------------------------------------------
On Tuesday, 6 March 2007 at 19:08, Pierangelo Masarati wrote:
Angela Gavazzi wrote:
I found out that the problem was double encrypting of the connection:
What does "double encrypting of the connection" mean?
I mean that if I "force" encryption with demand on the provider and on the consumer, then I think the consumer tries to encrypt an encrypted connection. When I use allow on the consumer it works and is encrypted; I checked it with tcpdump.
It works now if I set TLSVerifyClient to max. allow on the consumer side. All stronger configurations end in: CA unknown.
This makes much more sense: your TLS configuration is broken. Are you using a self-signed certificate? Or is your certificate signed by the CA to which the certificate pointed to by TLSCACertificateFile belongs?
The certificate is signed by the CA pointed to by TLSCACertificateFile.
Angela
Thanks anyway
Angela
Here are the relevant parts of the slapd.conf:

master:
...
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/erde.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/erde.aag_key.pem
TLSVerifyClient demand

slave:
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
################## TLSVerifyClient demand ##################
This has to be set to max. allow.
... to disallow certificate checking. Fine if that's what you want.
p.
Angela Gavazzi wrote:
On Tuesday, 6 March 2007 at 19:08, Pierangelo Masarati wrote:
Angela Gavazzi wrote:
I found out that the problem was double encrypting of the connection:
What does "double encrypting of the connection" mean?
I mean that if I "force" encryption with demand on the provider and on the consumer, then I think the consumer tries to encrypt an encrypted connection. When I use allow on the consumer it works and is encrypted; I checked it with tcpdump.
It seems you haven't read the Admin Guide or the manpages. The TLSVerifyClient setting doesn't affect the encryption at all. It only controls whether the server will check for a client certificate.
It works now if I set TLSVerifyClient to max. allow on the consumer side. All stronger configurations end in: CA unknown.
This makes much more sense: your TLS configuration is broken. Are you using a self-signed certificate? Or is your certificate signed by the CA to which the certificate pointed to by TLSCACertificateFile belongs?
The certificate is signed by the CA pointed to by TLSCACertificateFile.
In OpenLDAP 2.3 and older, you must also configure TLS_CACERT in the ldap.conf (or ldaprc) file on any servers that make outbound connections. In OpenLDAP 2.4 you can configure it explicitly in the syncrepl consumer configuration.
openldap-software@openldap.org
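The point of the last reply, and the reason the posted slapd.conf excerpts alone cannot explain the "CA unknown" failure, is that TLSVerifyClient only governs clients connecting to a server, while the consumer's own connection to the provider is configured in ldap.conf/ldaprc (2.3 and older) or with the tls_* parameters of the syncrepl directive (2.4). The checker below is an added example, not code from the thread or from the OpenLDAP project: it parses a constructed consumer slapd.conf (TLS lines as posted, plus a hypothetical syncrepl stanza with placeholder host and DNs) and a constructed ldap.conf, and reports which side of the configuration is missing for the outbound connection. TLS_CACERT, TLS_CERT, TLS_KEY and TLS_REQCERT are real ldap.conf options and tls_cacert, tls_cert, tls_key and tls_reqcert are real 2.4 syncrepl parameters; the finding codes and the version-dependent rule are the example's own.

```python
"""Checker for a syncrepl consumer's outbound TLS settings (constructed example).

TLSVerifyClient is a server-side directive. The consumer's connection *to* the
provider is configured in ldap.conf/ldaprc (OpenLDAP 2.3 and older) or through
the tls_* parameters of the syncrepl directive (2.4). All configs below are
constructed; the certificate paths follow the thread, host and DNs are placeholders.
"""
import re

# Constructed consumer ("slave") slapd.conf with a hypothetical syncrepl stanza.
CONSUMER_SLAPD_CONF_23 = """\
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
TLSVerifyClient demand
syncrepl rid=1
  provider=ldap://provider.example
  type=refreshAndPersist
  starttls=critical
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=secret
"""

# Same stanza with the 2.4-style tls_* parameters added to the syncrepl directive.
CONSUMER_SLAPD_CONF_24 = CONSUMER_SLAPD_CONF_23 + """\
  tls_cacert=/etc/ldap/certs/cacert.pem
  tls_cert=/etc/ldap/certs/mond.aag_cert.pem
  tls_key=/etc/ldap/certs/mond.aag_key.pem
  tls_reqcert=demand
"""

# Consumer-side ldap.conf without and with the outbound TLS settings (constructed).
LDAP_CONF_MISSING = "BASE dc=example,dc=com\n"
LDAP_CONF_FIXED = """\
BASE dc=example,dc=com
TLS_CACERT /etc/ldap/certs/cacert.pem
TLS_CERT /etc/ldap/certs/mond.aag_cert.pem
TLS_KEY /etc/ldap/certs/mond.aag_key.pem
TLS_REQCERT demand
"""


def parse_slapd_conf(text):
    """Return (directives, syncrepl_params) from slapd.conf text.

    A line starting with whitespace continues the previous directive, '#'
    lines are comments, and directive names are case-insensitive.
    """
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    directives, syncrepl = {}, {}
    for line in joined:
        name, _, value = line.partition(" ")
        if name.lower() == "syncrepl":
            # key=value pairs; values may be double-quoted (DNs contain commas)
            for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', value):
                syncrepl[m.group(1).lower()] = m.group(2).strip('"')
        else:
            directives[name.lower()] = value.strip()
    return directives, syncrepl


def parse_ldap_conf(text):
    """Return {OPTION: value} from ldap.conf / ldaprc text."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            conf[name.upper()] = value.strip()
    return conf


def check_consumer(slapd_conf, ldap_conf, provider_verify_client, version):
    """Return a list of (code, message) findings for the consumer's outbound TLS."""
    directives, syncrepl = parse_slapd_conf(slapd_conf)
    client = parse_ldap_conf(ldap_conf)
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    findings = []
    if major_minor >= (2, 4):
        # 2.4: the syncrepl directive's own tls_* settings take precedence.
        cacert = syncrepl.get("tls_cacert") or client.get("TLS_CACERT")
        cert = syncrepl.get("tls_cert") or client.get("TLS_CERT")
    else:
        # 2.3 and older: only ldap.conf/ldaprc configures the outbound side.
        cacert = client.get("TLS_CACERT")
        cert = client.get("TLS_CERT")
        if any(k.startswith("tls_") for k in syncrepl):
            findings.append(("IGNORED_SYNCREPL_TLS",
                             "syncrepl tls_* parameters are not honoured before 2.4"))
    if not cacert:
        findings.append(("NO_OUTBOUND_CA",
                         "no CA for the outbound connection: the provider's certificate "
                         "cannot be verified (unknown CA)"))
    if provider_verify_client.lower() == "demand" and not cert:
        findings.append(("NO_CLIENT_CERT",
                         "provider has TLSVerifyClient demand but the consumer has "
                         "no client certificate to present"))
    if "tlsverifyclient" in directives and findings:
        findings.append(("VERIFYCLIENT_IRRELEVANT",
                         "TLSVerifyClient on the consumer only governs clients that "
                         "connect to it; it does not configure the syncrepl connection"))
    return findings


if __name__ == "__main__":
    for label, slapd, ldaprc, ver in [
        ("2.3, ldap.conf without TLS_CACERT", CONSUMER_SLAPD_CONF_23, LDAP_CONF_MISSING, "2.3.30"),
        ("2.3, ldap.conf fixed", CONSUMER_SLAPD_CONF_23, LDAP_CONF_FIXED, "2.3.30"),
        ("2.4, syncrepl tls_* set", CONSUMER_SLAPD_CONF_24, LDAP_CONF_MISSING, "2.4.0"),
    ]:
        codes = [c for c, _ in check_consumer(slapd, ldaprc, "demand", ver)]
        print(label, "->", codes or "OK")
```

Run as-is it prints the three scenarios: the 2.3 consumer with a bare ldap.conf gets both outbound findings plus the note that its own TLSVerifyClient line is irrelevant to the problem, while adding TLS_CACERT/TLS_CERT/TLS_KEY to ldap.conf (2.3) or tls_* to the syncrepl directive (2.4) clears them. Lowering TLSVerifyClient to allow on the consumer, as the thread did, would not change any of these results, which is the point of the last reply.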