On Friday, 16 September 2011 09:57:14 vijay s sheelavantar wrote:
> I have created the (self-signed) TLS certificates using the following command on the server.
>
> openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
>
> and I have created the client.pem by copying the CERTIFICATE portion of the server.pem.
> When my client tries to connect to the server I get the following errors.
>
> TLS trace: SSL3 alert read:fatal:unknown CA
This error is quite clear, surely you should know what the problem is?
[...]
> #TLS Certificate section
> TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3:RSA
> TLSCACertificateFile /etc/openldap/cacerts/server.pem
> TLSCertificateFile /etc/openldap/cacerts/server.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/server.pem
> TLSVerifyClient allow
>
> and client side ldap.conf
>
> base dc=samsung,dc=com
> uri ldaps://10.254.204.181/
> TLS_CACERT /etc/openldap/cacerts/client.pem
> pam_password md5
1) You may want to consider keeping your /etc/ldap.conf and /etc/openldap/ldap.conf separate, otherwise you may run into problems (such as TLS_CACERT vs tls_cacertfile). Please consult 'man ldap.conf', 'man pam_ldap', and 'man nss_ldap'.
2) The client needs to have the CA certificate; since you are using a self-signed certificate (and really, you should reconsider this if you are doing anything but a single-server single-client setup), that would be the certificate 'server.pem' (you didn't say what is in client.pem, but according to the error message, either (1) is your problem, or client.pem is not the self-signed certificate you generated above).
3) Once you get past the 'unknown CA' problem, most likely your next problem will be caused by using the IP address in uri.
Please think about what your browser does when checking certificates presented by servers when you visit https URLs; everything that applies there applies here.
Regards, Buchan
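The checks behind points 2 and 3, as an added example that is not from the thread or from OpenLDAP: it builds a throwaway self-signed certificate the way the poster did, then uses openssl alone to show that a client trusting client.pem accepts the server certificate while a client with no CA file does not, and that the certificate matches the hostname in its CN but not the bare IP from the uri line. The hostname ldap.example.com and the scratch-directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenLDAP. Assumptions: the
# server's real name is ldap.example.com; the IP is the one from the
# poster's ldap.conf; all files are created in a scratch directory.
set -eu
WORK="$(mktemp -d)"
HOST=ldap.example.com
IP=10.254.204.181

# Same idea as the poster's "openssl req -x509 -nodes ..." but key and
# certificate go to separate files first. server.pem is the key+cert bundle
# slapd is pointed at; client.pem is the CERTIFICATE portion only, which is
# what the poster copied out for the client.
make_certs() {
    openssl req -newkey rsa:2048 -x509 -nodes -days 3650 -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
    cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/server.pem"
    cp "$WORK/server.crt" "$WORK/client.pem"
}

# Point 2: does a client that trusts only the CA file $1 accept the server
# certificate? With no CA file the chain cannot be built, which is what the
# "unknown CA" alert reports from the client side.
client_trusts() {   # $1 = CA bundle path, or "" for no trusted CA at all
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
    else
        openssl verify -no-CApath -no-CAfile "$WORK/server.crt" >/dev/null 2>&1
    fi
}

# Point 3: the name in "uri" is compared against the certificate. This cert
# has only CN=$HOST and no IP subjectAltName, so the hostname matches and
# the bare IP address does not.
name_matches() {   # $1 = host | ip, $2 = the name or address to check
    openssl x509 -in "$WORK/server.crt" -noout "-check$1" "$2" \
        | grep -q 'does match'
}

make_certs
if client_trusts ""; then echo "no CA: unexpectedly trusted"
else echo "no CA configured: verify fails (client reports 'unknown CA')"; fi
client_trusts "$WORK/client.pem" && echo "TLS_CACERT client.pem: server.crt OK"
name_matches host "$HOST" && echo "uri ldaps://$HOST/ matches the certificate"
name_matches ip "$IP" || echo "uri ldaps://$IP/ does NOT match the certificate"
```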