Hi!

 

I’m trying to convert our syncrepl configuration using plain authentication over TLS to external authentication using a user certificate.

It almost works, but slapd is reporting “connection_read(11): TLS accept failure error=-1 id=1002, closing” and “conn=1002 fd=11 closed (TLS negotiation failure)”, while I can connect using the certificate and peer with openssl s_client.

 

Openssl reports:

Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 20974 bytes and written 5070 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2400 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

 

Somehow I suspect that the certificate being a user certificate (DN mapped to a user entry) is not acceptable in syncrepl’s tls_cert; can anybody confirm?

The problem is that I’d like to trust a user certificate more than a host certificate for replication.

And if I used a host certificate, how could I authenticate the user being used to get the changes?

 

I looked a lot around using popular search engines, but could not find a useful example that is complete enough.

 

Let me remark at this point that the description of tls_reqsan is quite poor in SLAPD-CONFIG(5); it was not obvious to me that it is about “Subject Alternate Name”.

The other thing I noticed was a capitalized “Binding” in “…to  establish  a  TLS  session  before Binding to the provider.” (also in SLAPD-CONFIG(5))

 

Kind regards,

Ulrich Windl
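Added example (not part of the message above and not taken from the OpenLDAP project): a cn=config fragment showing the two halves that a syncrepl consumer authenticating with SASL EXTERNAL and a client certificate needs, the provider side (trusting the client CA, asking for a client certificate, and mapping the certificate subject onto the replication user's entry with olcAuthzRegexp) and the consumer side (the olcSyncrepl value with bindmethod=sasl, saslmech=EXTERNAL and tls_cert/tls_key). All DNs, file paths, the database number {1}mdb, the rid and the certificate subject cn=syncrepl,o=example,c=de are assumptions; the syncprov overlay on the provider is assumed to be configured already.

```ldif
# Provider side (cn=config). Assumed: database {1}mdb, syncprov already
# loaded, and /etc/ldap/tls/ca.crt is the CA that signed the consumer's
# client certificate.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.crt
-
# "try" requests a client certificate and rejects invalid ones, but still
# lets clients without a certificate connect (they bind some other way).
# "demand" would refuse every client that presents no certificate at all.
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
# SASL EXTERNAL over TLS authenticates as the certificate's subject DN.
# If that DN is not itself an entry in the directory, map it to the
# replication user's entry. Assumed subject: cn=syncrepl,o=example,c=de.
replace: olcAuthzRegexp
olcAuthzRegexp: {0}"^cn=syncrepl,o=example,c=de$" "cn=syncrepl,ou=people,dc=example,dc=com"

# Let the mapped user read the replicated tree (assumed minimal ACL,
# inserted before the existing ones; "by * break" continues ACL
# evaluation for everybody else).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=syncrepl,ou=people,dc=example,dc=com" read by * break

# Consumer side (cn=config). bindmethod=sasl with saslmech=EXTERNAL
# replaces binddn/credentials: the identity comes from tls_cert/tls_key.
# starttls=critical aborts the session if TLS cannot be negotiated, and
# tls_reqcert=demand verifies the provider's server certificate against
# tls_cacert. Continuation lines start with two spaces so that LDIF
# unfolding leaves one space between the keywords.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://provider.example.com
  type=refreshAndPersist
  retry="30 +"
  searchbase="dc=example,dc=com"
  bindmethod=sasl
  saslmech=EXTERNAL
  starttls=critical
  tls_cert=/etc/ldap/tls/syncrepl.crt
  tls_key=/etc/ldap/tls/syncrepl.key
  tls_cacert=/etc/ldap/tls/ca.crt
  tls_reqcert=demand
```

Before wiring the certificate into syncrepl, it is worth checking which identity the provider actually derives from it, because the olcAuthzRegexp pattern has to match that exact normalized string: with the same files, `LDAPTLS_CERT=/etc/ldap/tls/syncrepl.crt LDAPTLS_KEY=/etc/ldap/tls/syncrepl.key ldapwhoami -H ldap://provider.example.com -ZZ -Y EXTERNAL` prints the `dn:` the provider settled on (after mapping, if a regexp matched). If that command already fails during the TLS handshake rather than at bind time, the problem is on the TLS layer (client CA not trusted by the provider, or the provider's certificate not accepted by the client), not in the SASL mapping, and the provider's TLS settings are the place to look first.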