Siddharth Jain siddjain@live.com wrote on 05.10.2020 at 21:02 in message MWHPR08MB24009B17ED73C713BBA2180CB50C0@MWHPR08MB2400.namprd08.prod.outlook.com:
We have made some progress. On the Linux machine we don't get that error but get another error instead:
TLS certificate verification: Error, self signed certificate in certificate chain
It looks like it complains about a self-signed certificate, but that certificate is that of the root CA and by definition that will be self-signed.
Right, but it could be that you have to explicitly trust such certificates. In recent SLES there exists a "trust anchor ..." command to add CA certificates to the system. The "Mickey Mouse" CA most likely isn't standard...
ldap_url_parse_ext(ldaps://ldap.foo.com:636)
ldap_create
ldap_url_parse_ext(ldaps://ldap.foo.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.foo.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.67.242.198:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: certfile = `/home/client/client_tls_cert.pem'
tlsmc_intercept_initialization: INFO: keyfile = `/home/client/client_tls_key.pem'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap/certs` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6'.
tlsmc_convert: INFO: using the existing PEM dir.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cacerts'
tlsmc_intercept_initialization: INFO: certfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/cert.pem'
tlsmc_intercept_initialization: INFO: keyfile = `/tmp/openldap-tlsmc-certs--25EC8C7E40D4FF3F7189B2C57C0F6A5C06BB35FD39F9391B99227E99F66E15B6/key.pem'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse, issuer: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
From: Quanah Gibson-Mount quanah@symas.com
Sent: Monday, October 5, 2020 11:10 AM
To: Siddharth Jain siddjain@live.com; openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Re: TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure

--On Monday, October 5, 2020 6:48 PM +0000 Siddharth Jain siddjain@live.com wrote:

TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841)
TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
This message comes from Apple's TLS library. This would indicate that you're using a hacked version of OpenLDAP. We cannot offer support for a hacked version of OpenLDAP. You will need to ask Apple for help on how to correctly configure TLS within their environment.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
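As an added diagnostic aid, not part of this thread and not OpenLDAP's own code: a small Python script that reads the kind of debug trace quoted above, picks out the failed verification step and the cacertdir the client actually ended up using (the MozNSS compatibility layer rewrote the configured one to a temporary PEM directory), and explains the OpenSSL error number. Error 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the chain built fine up to a self-signed certificate, but that certificate is not in the trust store the client consulted, which is exactly the "you have to explicitly trust such certificates" point. The sample trace inside the script is constructed from the lines above, with a placeholder in place of the temp-directory hash.

```python
import re

# X509 verification result codes as OpenSSL reports them in the
# "err: N" field of the OpenLDAP debug trace (values from x509_vfy.h).
X509_ERRORS = {
    2: "unable to get issuer certificate",
    10: "certificate has expired",
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

VERIFY_RE = re.compile(
    r"TLS certificate verification: depth: (?P<depth>\d+), err: (?P<err>\d+), "
    r"subject: (?P<subject>.+?), issuer: (?P<issuer>.+)$"
)
CACERT_RE = re.compile(r"cacertdir = `(?P<path>[^']+)'")

# Constructed sample modelled on the trace in the thread; the hash in the
# temporary directory name is a placeholder, not a real value.
SAMPLE_TRACE = """\
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs'
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/tmp/openldap-tlsmc-certs--EXAMPLE/cacerts'
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse, issuer: /C=US/ST=CA/L=San Francisco/O=foo/OU=HR/CN=Mickey Mouse
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
""".splitlines()


def parse_trace(lines):
    """Return (failures, effective_cacertdir) from an OpenLDAP debug trace.

    failures: one dict per 'TLS certificate verification: depth ...' line
    with a non-zero err. effective_cacertdir: the last cacertdir the
    library logged, i.e. the directory actually used for the handshake
    (the MozNSS compatibility layer may replace the configured one).
    """
    failures = []
    cacertdir = None
    for line in lines:
        m = CACERT_RE.search(line)
        if m:
            cacertdir = m.group("path")
        m = VERIFY_RE.search(line)
        if m and int(m.group("err")) != 0:
            failures.append({
                "depth": int(m.group("depth")),
                "err": int(m.group("err")),
                "subject": m.group("subject"),
                "issuer": m.group("issuer"),
            })
    return failures, cacertdir


def common_name(dn):
    """Extract the CN from an OpenSSL-style slash-separated DN."""
    m = re.search(r"CN=([^/]+)", dn)
    return m.group(1) if m else dn


def diagnose(failure, cacertdir):
    """Turn one verification failure into a plain-language explanation."""
    err = failure["err"]
    meaning = X509_ERRORS.get(err, f"X509 verify error {err}")
    where = f"depth {failure['depth']} ({common_name(failure['subject'])})"
    if err in (18, 19) and failure["subject"] == failure["issuer"]:
        fix = ("chain ends at a self-signed CA that is not in the client's "
               "trust store; put its certificate in the CA file/dir the "
               f"client reads (here: {cacertdir or 'unknown'}) or in the "
               "system trust store")
    elif err in (2, 20):
        fix = "an intermediate CA is missing from the server's chain or the trust store"
    else:
        fix = "check the certificate itself (validity period, signature)"
    return f"{where}: {meaning}; {fix}"


def diagnose_trace(lines):
    """Convenience wrapper: all diagnoses for a trace, in order."""
    failures, cacertdir = parse_trace(lines)
    return [diagnose(f, cacertdir) for f in failures]


if __name__ == "__main__":
    for msg in diagnose_trace(SAMPLE_TRACE):
        print(msg)
```

Feed it the real trace with `diagnose_trace(open("ldap-debug.log").read().splitlines())`. The effective cacertdir it reports is the one to populate (or the one whose source, the configured TLS_CACERTDIR, needs the root CA added), and a non-zero `err` at the highest depth with subject equal to issuer is the signature of an untrusted root rather than a broken server chain.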