On Fri, May 12, 2023 at 1:20 PM Lemons, Terry Terry.Lemons@dell.com wrote:
Hi Jeff
Thanks for your reply.
In addition, you should add -servername, too. The option engages SNI.
openssl s_client -connect ldpdd042.hop.lab.emc.com:636 \
    -servername ldpdd042.hop.lab.emc.com
Otherwise, you might get the default server at the host ldpdd042. I'm not sure how that would work in this instance. (I know how it works with web servers).
I don't see any difference in the openssl output when I use the 'servername' option:
ldpdd042:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636
CONNECTED(00000003)
write:errno=0
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 334 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
ldpdd042:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636 -servername ldpdd042.hop.lab.emc.com
CONNECTED(00000003)
write:errno=0
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 334 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
ldpdd042:~ #
TLSCACertificateFile should probably be blank. It is probably the CA certs the server would use to authenticate a client when mutual authentication is used, i.e., client certificates.
Okay. I commented out that parameter in /usr/local/etc/openldap/slapd.conf and restarted the daemon, with no apparent change in behavior.
TLSCertificateFile should probably be the entire chain used in path building, and not just the server's certificate. Since this is using a self-signed end-entity certificate, it would include just the end-entity certificate. No CA certificates needed.
Here is the certificate that I created for use with OpenLDAP; please let me know of any deficiencies with it.
ldpdd042:~ # openssl x509 -in /etc/ssl/private/server.cert -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:c5:df:63:73:c6:ae:91:95:0c:4d:7a:7e:8c:b2:25:50:43:93:15
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = MA, L = Hopkinton, O = Dell Technologies, OU = DPC Engineering, CN = ldpdd042.hop.lab.emc.com
        Validity
            Not Before: May 10 16:10:25 2023 GMT
            Not After : Jun 9 16:10:25 2023 GMT
        Subject: C = US, ST = MA, L = Hopkinton, O = Dell Technologies, OU = DPC Engineering, CN = ldpdd042.hop.lab.emc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cc:fd:1d:97:da:63:20:a4:04:e0:30:de:b2:1f:
                    85:df:3f:ff:c9:a1:e9:02:53:cd:2e:cf:14:f3:45:
                    20:49:9c:29:e3:1c:6b:7e:9a:a8:45:42:bb:53:e9:
                    b2:20:c4:c7:80:05:cb:ae:ad:1f:de:2a:0e:8a:0a:
                    ab:ff:d6:3b:a0:22:56:ef:4a:c4:f5:4f:54:82:90:
                    44:38:c6:2c:ac:9d:95:b8:07:f2:7f:76:74:01:47:
                    56:c5:7e:45:f9:f8:94:25:24:20:b6:56:36:a4:27:
                    20:99:51:64:12:1b:0a:ba:c3:90:bc:59:58:ad:42:
                    04:72:76:80:b4:8e:aa:29:1d:59:6b:04:c5:64:15:
                    d9:3a:7d:dd:b5:b7:f4:ed:a7:da:18:f1:82:65:12:
                    7f:36:32:78:d1:bf:cf:06:12:41:8f:bc:d1:f5:bf:
                    7d:5d:d8:7b:dd:27:90:34:80:fa:44:44:a9:21:bc:
                    d1:d4:03:d8:ac:03:d4:5b:89:25:f9:f7:da:b5:7e:
                    b1:9e:c9:46:1b:91:e0:78:43:0f:3b:05:64:32:b7:
                    a2:d5:c1:58:4b:ab:1b:a0:a6:77:40:32:30:ef:dc:
                    a2:04:f6:4a:35:57:9b:be:0a:46:32:a5:bc:e1:04:
                    99:c7:4c:2c:d3:61:f8:f2:3f:7d:5d:4c:76:1a:bb:
                    ba:af
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4B:36:FE:7A:3C:A2:24:A1:35:18:A0:FA:BE:75:DA:03:6C:CC:DF:F8
            X509v3 Authority Key Identifier:
                keyid:4B:36:FE:7A:3C:A2:24:A1:35:18:A0:FA:BE:75:DA:03:6C:CC:DF:F8
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         1c:ab:88:54:79:8e:86:54:49:35:b7:81:3b:35:84:7e:d3:4f:
         4d:12:a1:86:73:38:e1:7f:b0:d5:6f:99:f3:c2:bb:f4:8a:60:
         c5:75:67:10:b4:03:80:6e:bb:14:6f:3f:e6:d3:9b:a1:d4:d3:
         36:82:45:14:8c:1e:e7:f1:88:91:6d:36:ea:6d:0a:07:ef:ba:
         16:43:f9:0e:81:e7:77:bd:20:23:ad:45:54:6e:d4:09:e5:3e:
         36:79:63:35:5f:63:57:e6:93:4a:19:5a:46:82:fd:43:aa:2d:
         cf:1f:9a:fe:3d:5c:d8:60:cb:f6:76:fd:fd:22:92:21:4f:0b:
         76:a2:44:36:a9:26:f5:01:a0:c9:83:3f:26:e1:8b:4f:65:93:
         d6:c7:47:e9:af:c4:d6:37:21:e3:07:6b:20:ae:38:81:30:26:
         41:68:fa:99:3a:c3:9c:df:43:4f:37:76:94:cb:88:ae:46:a8:
         b4:1a:12:bf:01:77:ad:0d:be:20:6b:26:8e:f5:94:91:7f:28:
         5c:3c:72:7a:b9:26:b9:69:d7:10:38:60:b7:ec:74:f5:b5:ed:
         00:86:9a:5a:28:95:c2:51:d5:af:ef:74:a3:1f:d2:0d:4b:53:
         bc:e5:b7:3d:63:40:ee:28:0c:ff:7d:bc:88:e4:ab:49:5a:b3:
         82:a7:ea:0f
ldpdd042:~ #
CA:TRUE is wrong:
X509v3 Basic Constraints: critical CA:TRUE
This is an end-entity certificate, not a CA certificate.
In X.500, there are two types of certificates: (1) CA certificates, and (2) End-Entity certificates. CA certificates can be used to issue other certificates. End-Entity certificates are used to bind a public key to an individual or other entity.
CA certificates have basic_constraint.ca = true. End-Entity certificates have basic_constraint.ca = false. That's this line here in an openssl configuration file (https://www.cryptopp.com/wiki/X509Certificate#OpenSSL_x509):
basicConstraints = critical,CA:FALSE
Key Usage and Extended Key Usage determine what an individual or entity can do with the public key in their end-entity certificate.
Jeff
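The fix Jeff describes, carried through end to end as an added example (this is not code from either message): a POSIX shell script that writes an openssl config with basicConstraints = critical,CA:FALSE, a serverAuth Extended Key Usage and a subjectAltName, generates a self-signed end-entity certificate from it, and then inspects the result the same way the thread inspects server.cert, failing on CA:TRUE or a missing serverAuth EKU. It also deliberately builds a CA:TRUE copy so the check can be seen rejecting it. The hostname is the one from the thread; the work directory under $TMPDIR, the function names, the key usage bits and the 30-day validity are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed END-ENTITY
# certificate for an LDAPS server with CA:FALSE, then lint it.
set -eu

HOST="ldpdd042.hop.lab.emc.com"        # hostname from the thread
WORK="${TMPDIR:-/tmp}/ee-cert.$$"      # assumed scratch directory

# The v3_server section is the point of the thread: CA:FALSE marks an
# end-entity certificate, and serverAuth says what the key may be used for.
write_config() {
  mkdir -p "$WORK"
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[ dn ]
C = US
ST = MA
L = Hopkinton
O = Dell Technologies
OU = DPC Engineering
CN = $HOST
[ v3_server ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
EOF
}

# Generate a key and a self-signed end-entity cert; prints the cert path.
make_end_entity_cert() {
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.cert" 2>/dev/null
  echo "$WORK/server.cert"
}

# Re-create the thread's mistake: the same cert but with CA:TRUE.
make_ca_true_cert() {
  write_config
  sed 's/CA:FALSE/CA:TRUE/' "$WORK/openssl.cnf" > "$WORK/ca-true.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ca-true.cnf" \
    -keyout "$WORK/bad.key" -out "$WORK/bad.cert" 2>/dev/null
  echo "$WORK/bad.cert"
}

# Returns 0 if the cert looks like a proper end-entity server cert:
# Basic Constraints is not CA:TRUE, serverAuth EKU is present, SAN names the host.
check_end_entity_cert() {
  cert="$1"
  text=$(openssl x509 -in "$cert" -noout -text)
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "FAIL: $cert is marked CA:TRUE; a server cert must be CA:FALSE" >&2
    return 1
  fi
  if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: $cert has no serverAuth Extended Key Usage" >&2
    return 1
  fi
  if ! printf '%s\n' "$text" | grep -q "DNS:$HOST"; then
    echo "FAIL: $cert subjectAltName does not contain $HOST" >&2
    return 1
  fi
  echo "OK: $cert is an end-entity server certificate"
  return 0
}

# Stand-alone use: `sh ee-cert.sh run` builds both certs and checks each.
if [ "${1:-}" = "run" ]; then
  check_end_entity_cert "$(make_end_entity_cert)"
  check_end_entity_cert "$(make_ca_true_cert)" || true
fi
```

With slapd, TLSCertificateFile would then point at the generated server.cert and TLSCertificateKeyFile at server.key; because the certificate is self-signed, there is no separate chain to supply.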