Re: fedora and openldap

On 04/13/2011 08:27 AM, Judith Flo Gaya wrote:

here it is, thanks!

...

...

# certutil -d /etc/openldap/cacerts/ -L "name cert"

Certificate Nickname Trust Attributes

SSL,S/MIME,JAR/XPI

name cert CTu,u,u

# certutil -V -u V -d /etc/openldap/cacerts/ -n "name cert" certutil: certificate is valid

please post the output of certutil -L -d /etc/openldap/cacerts -n "name cert"

# certutil -L -d /etc/openldap/cacerts -n "server cert" Certificate: Data: Version: 3 (0x2) Serial Number: 00:af:0e:09:e3:b5:c0:13:3f Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Issuer: "E=jflo@imppc.org,CN=server.fdqn,OU=linux,O=company,L=Ba dalona,ST=Barcelona,C=ES" Validity: Not Before: Tue Apr 12 15:44:55 2011 Not After : Mon Jan 06 15:44:55 2014 Subject: "E=jflo@imppc.org,CN=server.fdqn,OU=linux,O=company,L=B adalona,ST=Barcelona,C=ES" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: b8:53:e1:82:9d:af:b9:0c:33:95:a6:5f:b2:bc:9b:5c: 38:e9:f9:8a:64:48:fd:61:ee:93:65:f1:d0:61:9e:c7: 0f:b6:c5:9a:77:36:5a:c1:b9:cb:2e:bf:21:a8:bd:81: 68:98:fa:60:77:8a:9b:9b:73:24:2a:9b:9b:c4:53:0c: cb:44:83:d4:bd:2c:8c:19:7c:e4:c8:24:e4:bf:e7:ff: b6:1f:fe:71:eb:00:d7:c4:22:1a:f3:9a:30:5c:85:90: 08:05:c0:7d:a3:73:7c:6e:3f:60:73:ad:84:bf:82:c7: fe:b9:20:66:2a:44:88:38:20:e6:50:70:cd:5f:a9:5f: 75:59:30:3d:c4:83:06:11:12:b3:1e:dc:5c:a9:75:f0: b8:45:17:99:c9:c8:0e:94:19:a2:e4:bb:da:15:6d:77: 99:3a:f2:77:74:09:c1:6b:ef:5d:68:51:91:90:45:13: 12:51:88:11:7a:51:3d:7d:fa:1f:f4:d7:be:2e:68:9f: d7:5b:d8:ee:eb:5d:b2:1a:34:3e:2f:1d:26:89:03:46: fd:b7:70:c0:b5:30:81:77:c6:12:42:8d:d9:b1:86:b1: eb:cd:ac:88:15:8a:c2:c5:99:a2:1d:c0:59:6b:49:81: 9f:7e:06:bc:b2:64:a5:ad:08:c8:8c:79:a7:7a:df:87 Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Subject Key ID Data: c4:a3:f8:6c:51:45:55:07:46:19:c5:f1:ed:12:42:c5: 58:93:df:e3

        Name: Certificate Authority Key Identifier
        Key ID:
            c4:a3:f8:6c:51:45:55:07:46:19:c5:f1:ed:12:42:c5:
            58:93:df:e3

        Name: Certificate Basic Constraints
        Data: Is a CA with no maximum path length.

Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
    1d:12:4c:2a:2b:0d:8d:a3:ae:b6:88:7f:84:e8:50:d6:
    b4:92:d0:50:ea:85:9a:d8:b5:5f:c1:02:ff:16:00:e7:
    ca:bd:2c:00:a6:a1:61:d1:3f:ff:06:34:e4:0a:31:49:
    05:b4:f6:fd:2a:40:84:8a:72:f7:cc:f7:ee:23:5f:b8:
    35:18:32:25:e2:6a:3b:51:e2:08:7e:37:1b:99:4d:12:
    bc:9d:b0:fd:89:41:9e:33:31:17:e8:cf:bb:c4:f3:f2:
    5a:c9:88:f4:cb:cb:79:70:af:7d:6e:0e:59:ca:cc:7f:
    a6:4e:7d:2c:b1:04:a7:90:1a:08:7d:74:4d:5c:6b:71:
    13:ec:e7:54:e0:b8:16:2f:19:e7:d6:bf:27:30:3e:30:
    15:56:ed:08:76:cb:b5:22:78:fb:96:62:22:da:d8:67:
    ad:69:92:83:56:89:39:09:f0:a1:da:cd:70:aa:c1:f3:
    9a:9c:6a:d8:a3:72:13:2f:a2:6d:18:5f:9e:e5:82:e9:
    8a:57:1b:8f:d9:f7:6c:78:3a:3f:92:61:15:1c:df:4e:
    ae:d9:9e:62:29:00:cf:71:31:70:18:1b:05:24:4b:cf:
    9f:62:30:1d:38:9a:e6:a9:e5:0a:f3:fb:8e:5a:fc:20:
    a5:81:c9:b7:0c:a3:8c:a2:e5:31:e2:43:03:ca:a8:ba
Fingerprint (MD5):
    93:AB:C5:56:6F:59:06:1A:49:8D:A4:71:40:25:D1:7E
Fingerprint (SHA1):
    34:45:77:64:9F:4F:7B:90:27:23:CC:B8:0A:97:E2:BF:95:01:B6:3B

Certificate Trust Flags:
    SSL Flags:
        Valid CA
        Trusted CA
        User
        Trusted Client CA
    Email Flags:
        User
    Object Signing Flags:
        User

...

Also post the output of openssl x509 -in /path/to/the/server-cert.pem -text

# # openssl x509 -in /etc/openldap/cacerts/curri3-cert.pem -text Certificate: Data: Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux, CN=server.fdqn/emailAddress=jflo@imppc.org Validity Not Before: Apr 12 15:55:56 2011 GMT Not After : Jan 6 15:55:56 2014 GMT Subject: C=ES, ST=Barcelona, L=Badalona, O=company, OU=linux, CN=client.fdqn/emailAddress=jflo@imppc.org

I notice that the format of the Issuer here does not match the format of the Subject, but that may be just a difference in the way moznss and openssl handle the "/emailAddress=...". You could confirm by doing openssl x509 -in /path/to/cacert.pem -text

I don't know - I don't see anything obviously wrong here.

If you think this is a problem with openldap+moznss (that is, if you can get it to work with openldap+openssl), please file a bug/its.

    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00:cc:d8:b1:b4:fa:48:96:d8:60:8a:40:91:48:1b:
                f8:27:8c:f0:d8:d7:6e:73:7a:6d:15:fa:75:11:24:
                d4:a1:b7:7f:10:7e:cf:76:93:31:02:46:07:74:ab:
                28:5b:6a:5b:87:d9:27:73:2a:9c:21:25:c9:79:df:
                40:47:15:53:c9:b3:db:f4:b4:b6:38:34:c5:5c:f1:
                97:7b:a4:ff:19:7d:aa:4c:f0:7e:18:0b:be:57:c6:
                17:b5:0b:84:f6:4e:6e:98:8d:7e:39:20:b9:f7:b5:
                2a:03:66:d7:06:25:9f:19:a6:fe:12:86:24:b6:21:
                25:62:90:88:ea:8b:62:db:e7:41:15:93:36:01:e4:
                09:f7:08:ea:6e:32:e2:68:79:ec:0d:ff:d0:9e:7c:
                b1:b3:da:13:3a:c0:58:dc:6a:f2:28:d2:ca:cf:44:
                e6:af:71:0a:57:e7:eb:39:3a:ea:70:cb:ed:86:6d:
                06:c9:d7:78:ab:63:5f:3a:89:67:bc:39:ed:e8:f7:
                43:6a:5e:92:78:c1:00:e3:2b:0c:7f:cb:3c:5c:b9:
                07:ae:31:9b:ef:b2:eb:5c:70:63:f8:5c:22:6b:ed:
                bc:69:e5:6b:19:18:51:f2:73:72:4c:9e:47:f1:f2:
                d7:38:3b:52:18:81:ef:c9:72:50:83:08:38:38:6b:
                ce:73
            Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
    83:ed:11:d4:08:2a:f6:10:41:c9:01:30:b1:60:2d:ed:1f:12:
    80:b9:b4:d3:98:f9:a4:ea:42:ac:89:b2:db:a1:98:77:54:82:
    86:17:fa:06:db:9d:db:41:f2:24:cf:b8:08:67:de:b5:d1:c2:
    7d:94:06:ef:74:57:9d:7a:f8:a8:62:d2:4d:71:11:e6:07:bd:
    b1:18:fa:c4:d7:3b:a6:57:42:fc:65:a5:27:e4:64:51:66:83:
    22:33:4f:6b:ee:b3:8d:9f:29:a4:af:e9:5e:e8:91:79:d6:bd:
    8f:4d:b6:d6:74:ea:96:c4:75:ea:3c:c5:71:9b:28:4d:00:93:
    2d:02:38:03:d4:84:f2:af:73:d3:fd:f7:31:2f:33:2b:d3:ac:
    47:68:9d:48:2f:5d:a0:6d:6d:8a:73:c7:c9:3e:4d:ad:5f:ef:
    07:39:20:1e:1f:46:f7:7c:4b:e1:5e:7d:3d:4d:a2:7f:6e:f0:
    c4:c2:8d:90:5d:cf:77:52:a7:33:f4:e8:97:c8:da:1b:73:ea:
    c9:50:2c:ed:6d:2f:db:1d:02:f3:0d:a8:d0:df:d1:3e:8f:15:
    db:53:4d:4d:85:5f:a4:c8:80:68:b7:ed:d2:f2:07:a0:e4:12:
    d1:95:36:8b:81:53:d3:82:9d:46:d6:6e:77:6b:6e:bb:6f:62:
    d0:ba:28:32

-----BEGIN CERTIFICATE----- MIIDljCCAn4CAQEwDQYJKoZIhvcNAQEFBQAwgZAxCzAJBgNVBAYTAkVTMRIwEAYD VQQIDAlCYXJjZWxvbmExETAPBgNVBAcMCEJhZGFsb25hMQ4wDAYDVQQKDAVJTVBQ QzEOMAwGA1UECwwFbGludXgxGzAZBgNVBAMMEmN1cnJpMC5pbXBwYy5sb2NhbDEd MBsGCSqGSIb3DQEJARYOamZsb0BpbXBwYy5vcmcwHhcNMTEwNDEyMTU1NTU2WhcN MTQwMTA2MTU1NTU2WjCBkDELMAkGA1UEBhMCRVMxEjAQBgNVBAgMCUJhcmNlbG9u YTERMA8GA1UEBwwIQmFkYWxvbmExDjAMBgNVBAoMBUlNUFBDMQ4wDAYDVQQLDAVs aW51eDEbMBkGA1UEAwwSY3VycmkzLmltcHBjLmxvY2FsMR0wGwYJKoZIhvcNAQkB Fg5qZmxvQGltcHBjLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AMzYsbT6SJbYYIpAkUgb+CeM8NjXbnN6bRX6dREk1KG3fxB+z3aTMQJGB3SrKFtq W4fZJ3MqnCElyXnfQEcVU8mz2/S0tjg0xVzxl3uk/xl9qkzwfhgLvlfGF7ULhPZO bpiNfjkgufe1KgNm1wYlnxmm/hKGJLYhJWKQiOqLYtvnQRWTNgHkCfcI6m4y4mh5 7A3/0J58sbPaEzrAWNxq8ijSys9E5q9xClfn6zk66nDL7YZtBsnXeKtjXzqJZ7w5 7ej3Q2peknjBAOMrDH/LPFy5B64xm++y61xwY/hcImvtvGnlaxkYUfJzckyeR/Hy 1zg7UhiB78lyUIMIODhrznMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAg+0R1Agq 9hBByQEwsWAt7R8SgLm005j5pOpCrImy26GYd1SChhf6Btud20HyJM+4CGfetdHC fZQG73RXnXr4qGLSTXER5ge9sRj6xNc7pldC/GWlJ+RkUWaDIjNPa+6zjZ8ppK/p XuiReda9j0221nTqlsR16jzFcZsoTQCTLQI4A9SE8q9z0/33MS8zK9OsR2idSC9d oG1tinPHyT5NrV/vBzkgHh9G93xL4V59PU2if27wxMKNkF3Pd1KnM/Tol8jaG3Pq yVAs7W0v2x0C8w2o0N/RPo8V21NNTYVfpMiAaLft0vIHoOQS0ZU2i4FT04KdRtZu d2tuu29i0LooMg== -----END CERTIFICATE-----

...

...

The server just complains about the tls communication: (TLS negotiation failure)

Do you think it is necessary to recompile the server so that the tls is done by moznss in both sides...

No. That is not the problem.

...

Thanks for your help, j