# making client key
openssl genrsa -out client.key 2048
# making certificate request
openssl req -new -key client.key -out client.csr
# signing
openssl x509 -req -days 1024 -CA ../ssl/rootcrt.pem -CAkey ../ssl/rootkey.pem -in client.csr -out client.crt -CAserial ../ssl/root.seq
# configuring on client
TLS_CACERT /usr/local/etc/openldap/ssl-client/rootcrt.pem
TLS_CERT /usr/local/etc/openldap/ssl-client/client.crt
TLS_KEY /usr/local/etc/openldap/ssl-client/client.key
Trying again with slapd debug and client calling "id test"
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
op tag 0x77, time 1284616840
ber_get_next
conn=1000 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 11
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=1000
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1284616840
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Undefined error: 0)
conn=1000 op=1 do_unbind
connection_close: conn=1000 sd=11
TLS trace: SSL3 alert write:warning:close notify
All the same.
Okay. Looking at /usr/local/etc/nss_ldap.conf and I see
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
So a client certificate is not required?
Looking at the FAQ about TLS (http://www.openldap.org/faq/data/cache/185.html), I do not see any client certificate generation or configuration.
BTW, I must say that configuring TLS_CACERT in nss_ldap.conf makes no sense. Configuring the tls_cacertfile directive instead of TLS_CACERT works OK.
OpenLDAP version is 2.4.23
2010/9/15 Wallus, Harald Dr. Harald.Wallus@eon.com:
In ldap.conf
You must define
TLS_CACERT with the CA-Chain
and
TLS_CERT with your client cert
Harald
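The three openssl steps at the top of the thread (key, CSR, sign with the root CA) and the slapd trace that ends in "unable to get TLS client DN" are the two halves of the same question: is the client cert slapd sees one that chains to the CA it trusts, and does the key in TLS_KEY really belong to the cert in TLS_CERT? The script below is an added example, not code from the thread or from OpenLDAP: it builds a throwaway root CA, issues a client certificate the same way the thread does, and then runs the two checks a practitioner would do before blaming nss_ldap or ldap.conf. The work directory, the subject names and the -subj/-nodes/-CAcreateserial options are my choices, not the original poster's; the poster's commands used an interactive CSR and a -CAserial file instead.

```shell
#!/bin/sh
# Added example, not from the thread: build a test CA, issue a client cert,
# then verify the chain and the key/cert pairing the way slapd's TLS layer
# will need them. All paths and subjects are constructed for this example.

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA. -subj avoids the interactive prompts of "openssl req".
make_ca() {
    dir="$1"
    openssl genrsa -out "$dir/rootkey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/rootkey.pem" -days 1024 \
        -subj "/CN=Example Test CA" -out "$dir/rootcrt.pem" 2>/dev/null
}

# Client key, CSR and CA-signed certificate: the thread's three steps.
# -CAcreateserial replaces the poster's hand-maintained root.seq file.
make_client_cert() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -subj "/CN=$cn" \
        -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1024 -CA "$dir/rootcrt.pem" -CAkey "$dir/rootkey.pem" \
        -CAcreateserial -in "$dir/client.csr" -out "$dir/client.crt" 2>/dev/null
}

# Check 1: the client cert must verify against the CA file the server trusts
# (the file named by TLSCACertificateFile on slapd, TLS_CACERT on the client).
# Returns 0 when the chain is good.
chains_to_ca() {
    ca_file="$1"; cert="$2"
    openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1
}

# Check 2: TLS_KEY must be the private key for TLS_CERT. For RSA the cheap
# test is that the modulus printed from the cert equals the one from the key.
key_matches_cert() {
    cert="$1"; key="$2"
    m_cert=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    m_key=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$m_cert" ] && [ "$m_cert" = "$m_key" ]
}

# The subject DN slapd derives from the client certificate once it is
# actually presented during the handshake.
client_dn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null
}

# Stand-alone run: ./check-client-cert.sh run
if [ "${1:-}" = "run" ]; then
    make_ca "$WORK"
    make_client_cert "$WORK" "test client"
    chains_to_ca "$WORK/rootcrt.pem" "$WORK/client.crt" && echo "chain: ok"
    key_matches_cert "$WORK/client.crt" "$WORK/client.key" && echo "key: matches cert"
    client_dn "$WORK/client.crt"
fi
```

If both checks pass and slapd still logs "unable to get TLS client DN", the certificate is not reaching the server at all, which is what the thread's trace shows: the handshake completes without a client certificate being read, so the problem is which configuration file the client library is actually reading (ldap.conf with TLS_CERT/TLS_KEY for the OpenLDAP client library, tls_cert/tls_key for nss_ldap.conf), not the certificate material itself.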