Hi!
After "playing" a significant time with certificate authentication, I managed to authenticate one user. However, when I tried to authenticate a different user with a similar certificate, I see a
TLS trace: SSL3 alert read:fatal:unsupported certificate
error. Can I get some details about the "unsupportedness" of my certificate? The only thing I could think of is that the uid of the newer certificate has a CN that is three characters longer than the one that worked.
A more complete trace for ldapwhoami would look like this:
...
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS trace: SSL_connect:SSLv3/TLS read server certificate request
TLS certificate verification: depth: 2, err: 0, subject: /.... Root-CA (2018), issuer: /... Root-CA (2018)
TLS certificate verification: depth: 1, err: 0, subject: /... Host-CA (2018), issuer: /... Root-CA (2018)
TLS certificate verification: depth: 0, err: 0, subject: /... FQHN, issuer: /... Host-CA (2018)
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write client certificate
TLS trace: SSL_connect:SSLv3/TLS write certificate verify
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_int_sasl_open: host=FQHN
SASL/EXTERNAL authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 26 bytes to sd 3
ldap_msgfree
ldap_result ld 0x56432476ac30 msgid 2
wait4msg ld 0x56432476ac30 msgid 2 (infinite timeout)
wait4msg continue ld 0x56432476ac30 msgid 2 all 1
** ld 0x56432476ac30 Connections:
* host: FQHN port: 389 (default)
* from: IP=172.20.16.36:57868
refcnt: 2 status: Connected
last used: Wed Mar 5 15:42:03 2025

** ld 0x56432476ac30 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x56432476ac30 request count 1 (abandoned 0)
** ld 0x56432476ac30 Response Queue:
Empty
ld 0x56432476ac30 response count 0
ldap_chkResponseList ld 0x56432476ac30 msgid 2 all 1
ldap_chkResponseList returns ld 0x56432476ac30 NULL
ldap_int_select
read1msg: ld 0x56432476ac30 msgid 2 all 1
ber_get_next
TLS trace: SSL3 alert read:fatal:unsupported certificate
ber_get_next failed, errno=0.
ldap_err2string
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
...
Kind regards, Ulrich Windl
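As an added illustration, not part of the thread above: a POSIX shell check, using only the openssl command line tool, that tests whether a client certificate satisfies the "sslclient" purpose that slapd's OpenSSL applies to the client certificate during the handshake (a failed purpose check, i.e. a keyUsage or extendedKeyUsage that does not permit client authentication, is one of the conditions OpenSSL reports as the unsupported certificate alert). The function names, the throwaway demo CA and the cert names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): check that a client certificate
# has what OpenSSL requires of a TLS client certificate, which OpenLDAP needs for
# SASL/EXTERNAL. "unsupported certificate" is the alert OpenSSL raises when chain
# verification fails with "invalid purpose", e.g. a keyUsage or EKU that does not
# permit client authentication. Returns 0 if acceptable, 1 if not, 2 if unreadable.
check_client_cert() {
  cert=$1; cafile=$2; rc=0
  text=$(openssl x509 -in "$cert" -noout -text) || return 2
  # EKU, if present, must include clientAuth ("TLS Web Client Authentication")
  if printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
      | grep -q 'TLS Web Client Authentication' \
      || { echo "$cert: EKU present but lacks clientAuth" >&2; rc=1; }
  fi
  # keyUsage, if present, must allow digitalSignature (needed for CertificateVerify)
  if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
      | grep -q 'Digital Signature' \
      || { echo "$cert: keyUsage present but lacks digitalSignature" >&2; rc=1; }
  fi
  # Chain and purpose check against the CA file slapd trusts (TLSCACertificateFile)
  openssl verify -purpose sslclient -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not verify as sslclient against $cafile" >&2; rc=1; }
  return $rc
}

# Constructed demo material (hypothetical names): a throwaway CA plus one client
# cert issued with EKU clientAuth and one with serverAuth only. Writes to $1.
make_demo_certs() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  for n in good bad; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
    if [ "$n" = good ]; then eku=clientAuth; else eku=serverAuth; fi
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$eku" > "$d/$n.ext"
    openssl x509 -req -days 1 -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/$n.ext" -out "$d/$n.pem" >/dev/null 2>&1
  done
}

tmp=$(mktemp -d)
make_demo_certs "$tmp"
check_client_cert "$tmp/good.pem" "$tmp/ca.pem" && echo "good.pem: accepted"
check_client_cert "$tmp/bad.pem" "$tmp/ca.pem" || echo "bad.pem: rejected, as slapd would"
```

Run the same check on the working and the failing user certificate against the CA file slapd is configured with; the message printed for the failing one names the property the server objects to.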